Derek B. Johnson
A piece of cryptojacking malware with a penchant for targeting the cloud has gotten some updates that make it easier to spread and harder for organizations to detect when their cloud applications have been commandeered.
New research from Palo Alto Networks' Unit 42 details how Pro-Ocean, which was used throughout 2018 and 2019 to illegally mine Monero on infected Linux machines, has been quietly updated by the threat actor Rocke Group after it was exposed by Cisco Talos and other threat researchers in recent years.
Pro-Ocean is composed of four modules, each designed to further distinct goals: hiding the malware, mining Monero, infecting more applications and searching for and disabling other processes that drain CPU so the malware can mine more efficiently.
It leverages known, years-old vulnerabilities in Apache ActiveMQ, Oracle WebLogic, Redis and other cloud applications to deploy a hidden XMRig miner in cloud environments. It can also be easily updated and customized to attack other cloud applications.
Older versions of the malware already had the capability to search for and uninstall agent-based cloud security products while kicking out or disabling any other cryptomining software that may have gotten in first. The newest version still does this, but now it also adds several new layers of obfuscation to hide from network defenders.
First, the binary is packed with UPX, so the malicious code is only decompressed and executed at runtime. Some tools can unpack UPX-packed files and scan the result, but Pro-Ocean deletes the strings that static analysis tools and standard unpackers use to recognize UPX, so those tools fail. It also gzips each module and hides the cryptominer inside one of those modules, all of which makes it increasingly difficult for IT security teams to detect anything malicious before the payload is deployed.
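The packing tricks described above leave artifacts a defender can look for without running the sample: the UPX marker strings that stock unpackers depend on are gone, but the high-entropy packed region is still there, and the gzipped modules still carry the gzip magic bytes. The script below is an added example written for this page, not Unit 42's or Pro-Ocean's code, and the byte strings it checks are constructed stand-ins rather than real malware. The threshold of 7.0 bits per byte and the 1024-byte window are assumptions chosen for the demo.

```python
"""Static triage of a Linux binary for the packing tricks the article describes.

Added example, not Unit 42's or the malware's code. It reports:
  1. UPX marker strings ("UPX!", "UPX0"/"UPX1" section names) that a stock
     unpacker needs and that the article says Pro-Ocean deletes;
  2. a high-entropy region with no packer markers, the residue of packing
     once those markers are gone;
  3. embedded gzip streams that fully inflate, the way the modules are stored.
The samples at the bottom are constructed for the demo (not real malware).
"""
import gzip
import math
import random
import zlib

UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1", b"$Info: This file is packed with the UPX")
GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate
WINDOW = 1024                  # entropy window in bytes (assumed value)
HIGH_ENTROPY = 7.0             # bits/byte; plain code and text sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 is the maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_window_entropy(data: bytes, window: int = WINDOW) -> float:
    """Highest entropy of any fixed-size window, so a packed region is not
    diluted by the low-entropy headers and padding around it."""
    return max((shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)),
               default=0.0)


def find_upx_markers(data: bytes) -> list:
    """Marker strings a stock UPX unpacker looks for; an empty list on a
    high-entropy file is the suspicious case."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def find_gzip_streams(data: bytes) -> list:
    """(offset, decompressed_size) for every gzip member that inflates to its
    end-of-stream marker. zlib's gzip wrapper (wbits=31) is used instead of
    gzip.decompress so trailing bytes after a member do not raise."""
    streams = []
    start = 0
    while (pos := data.find(GZIP_MAGIC, start)) != -1:
        inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        try:
            payload = inflater.decompress(data[pos:])
            if inflater.eof:
                streams.append((pos, len(payload)))
        except zlib.error:
            pass  # the three magic bytes occurred by chance; not a gzip member
        start = pos + 1
    return streams


def triage(data: bytes) -> dict:
    """Combine the three checks into a findings list for one file."""
    markers = find_upx_markers(data)
    entropy = max_window_entropy(data)
    gz = find_gzip_streams(data)
    findings = []
    if markers:
        findings.append("upx-markers-present")
    elif entropy > HIGH_ENTROPY:
        findings.append("high-entropy-no-packer-markers")
    if gz:
        findings.append("embedded-gzip")
    return {"markers": markers, "max_window_entropy": round(entropy, 2),
            "gzip_streams": gz, "findings": findings}


# --- constructed samples for the demo (not real binaries, not real malware) ---
_rng = random.Random(42)
_PACKED_REGION = bytes(_rng.getrandbits(8) for _ in range(4096))  # stand-in for packed code
_ELF_PREFIX = b"\x7fELF" + b"\x00" * 60                          # magic only, not a valid ELF

# 1. what a stock UPX-packed file looks like: section names and "UPX!" intact
SAMPLE_UPX = _ELF_PREFIX + b"UPX0\x00UPX1\x00" + _PACKED_REGION + b"UPX!"
# 2. the same bytes with every marker string overwritten, as the article describes
SAMPLE_UPX_STRIPPED = SAMPLE_UPX
for _m in (b"UPX0", b"UPX1", b"UPX!"):
    SAMPLE_UPX_STRIPPED = SAMPLE_UPX_STRIPPED.replace(_m, b"\x00" * len(_m))
# 3. a file carrying a gzipped module (a stand-in blob) after the header
SAMPLE_GZIP_MODULE = (_ELF_PREFIX
                      + gzip.compress(b"stand-in for a gzipped module\n" * 30, mtime=0)
                      + b"\x00" * 32)
# 4. nothing suspicious
SAMPLE_BENIGN = _ELF_PREFIX + b"\x00" * 2048

if __name__ == "__main__":
    for name, sample in [("upx", SAMPLE_UPX), ("upx-stripped", SAMPLE_UPX_STRIPPED),
                         ("gzip-module", SAMPLE_GZIP_MODULE), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(sample)["findings"])
```

On a real host the input would be `open(path, "rb").read()`; computing entropy per ELF section rather than per fixed window is the obvious refinement. Treat the "high entropy, no packer markers" result as a triage signal, not a verdict: encrypted or compressed data embedded in legitimate binaries trips the same check.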
“This malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,” writes Unit 42 Senior Security Researcher Aviv Sasson. “As we saw, this sample has the capability to delete some cloud providers’ agents and evade their detection.”
Further, this new version of the malware copies itself into new locations and creates a new service that restarts the malware if its process is killed. It also has new worming capabilities: a Python script finds other machines on the same subnet and automatically runs through a number of publicly known exploits in an effort to infect as many of them as possible.
It all adds up to a more powerful, faster-spreading and harder-to-catch version of cryptojacking malware, a scourge that largely exists beneath the background noise of most IT operations but that can drain valuable processing power from business workloads and leave companies more vulnerable to other forms of digital attack. While it is notoriously difficult to measure the true footprint and costs of cryptojacking, it was the most detected file-based threat as recently as the first half of 2019, according to data from Trend Micro.
While Rocke Group had been quiet over the past year, Sasson said the revised tool and the growing attack surface created by new cloud applications mean we will likely only see more of these attacks in the future. Unit 42's research includes indicators of compromise, malicious file hashes and other resources to help network defenders detect Pro-Ocean's presence.
“Cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins,” he wrote. “We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat.”