Rocke Group’s Cloud-Targeting Malware Evolves
In 2019, researchers documented cloud-targeting malware used by the Rocke Group to conduct cryptojacking attacks that mine Monero. The scrutiny that followed this research made Rocke Group's operations less successful, and in response the group built a newer version of its malware, dubbed 'Pro-Ocean.'
Pro-Ocean is a revised version of the same cloud-targeted cryptojacking malware, now with improved rootkit and worm capabilities, new hiding techniques and a four-module structure. It exploits known vulnerabilities in cloud applications: analysis shows that Pro-Ocean targeted Apache ActiveMQ (CVE-2016-3088), Oracle WebLogic (CVE-2017-10271) and unsecured Redis instances. When the malware finds itself running in Tencent Cloud or Alibaba Cloud, it reuses the exact code of the previous version to uninstall the providers' monitoring agents and avoid detection. Before installing itself, it also attempts to remove competing malware and miners, including Luoxk, BillGates, XMRig and Hashfish. Once installed, it kills any process that uses the CPU heavily so that it can consume 100% of the CPU and mine Monero efficiently.
Although Pro-Ocean attempts to disguise itself as benign, it packs an XMRig miner, which is notorious for its use in cryptojacking operations. The malware hides the miner behind several obfuscation layers on top of the malicious code:
- The binary is packed with UPX. The actual malware is stored compressed inside the binary and is extracted and executed at runtime.
- Advanced static analysis tools can unpack UPX binaries and scan their content. In this case, however, the UPX magic string has been removed from the binary, so static analysis tools cannot identify it as UPX-packed and unpack it automatically.
- The modules are gzipped inside the unpacked binary.
- The XMRig binary sits inside one of the gzipped modules and is itself packed with UPX, again with the UPX magic string removed.
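The layering above (UPX with the magic string stripped, gzipped modules inside, a stripped-UPX XMRig inside one of those) is what a triage script has to peel back. The Python below is an added example, not code from the original analysis or from the malware: it carves every gzip member out of a binary blob with zlib and applies a UPX heuristic to each carved payload, reporting 'upx' when the 'UPX!' magic is present, 'upx-suspect' when UPX section names (UPX0/UPX1/UPX2) remain but the magic is gone, and 'none' otherwise. The sample blob is constructed inline as a stand-in for the dropper; that a stripped-magic sample still carries its UPX section names is an assumption made for the demonstration, not something the analysis states about Pro-Ocean.

```python
"""Carve gzip-compressed modules out of a binary and flag UPX packing.

Added example; not Unit 42's analysis code and not the malware's code.
The sample input is constructed inline so the script runs offline.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"            # ID1, ID2, CM=deflate
UPX_MAGIC = b"UPX!"
UPX_SECTION_NAMES = (b"UPX0", b"UPX1", b"UPX2")


def upx_status(blob: bytes) -> str:
    """Classify a binary: 'upx' (magic present), 'upx-suspect' (section
    names left behind but magic stripped, a common evasion), or 'none'."""
    if UPX_MAGIC in blob:
        return "upx"
    if any(name in blob for name in UPX_SECTION_NAMES):
        return "upx-suspect"
    return "none"


def carve_gzip_members(blob: bytes) -> list:
    """Return [(offset, decompressed_bytes), ...] for every complete gzip
    member found in blob. False hits on the 3-byte magic are skipped when
    zlib rejects the stream or never reaches end-of-stream."""
    members = []
    pos = 0
    while True:
        idx = blob.find(GZIP_MAGIC, pos)
        if idx < 0:
            break
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
        try:
            data = d.decompress(blob[idx:])
            if not d.eof:
                raise zlib.error("truncated member")
        except zlib.error:
            pos = idx + 1          # not a real member; keep scanning
            continue
        consumed = len(blob) - idx - len(d.unused_data)
        members.append((idx, data))
        pos = idx + consumed       # resume after this member's trailer
    return members


def build_sample() -> bytes:
    """Constructed stand-in for a dropper: a fake ELF header, padding, and
    two gzipped 'modules' (a Bash launcher and a fake stripped-UPX ELF)."""
    hide_sh = b"#!/bin/bash\n# hiding module launcher (constructed)\n./hide.so\n"
    # Fake ELF that keeps UPX0/UPX1 section names but has no 'UPX!' magic
    # (assumption for the demo; the real sample's section names are not
    # described in the analysis).
    fake_elf = b"\x7fELF" + b"\x00" * 12 + b"UPX0UPX1" + b"\x00" * 32
    return (
        b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x00" * 64
        + gzip.compress(hide_sh, mtime=0)
        + b"\xff" * 7                      # junk between members
        + gzip.compress(fake_elf, mtime=0)
    )


def triage(blob: bytes) -> list:
    """Summarise each carved module as (offset, size, upx_status)."""
    return [(off, len(data), upx_status(data)) for off, data in carve_gzip_members(blob)]


if __name__ == "__main__":
    for off, size, status in triage(build_sample()):
        print(f"module @0x{off:x}: {size} bytes, upx={status}")
```

A module reported as 'upx-suspect' will not unpack with `upx -d` as-is; the usual next step is to restore the four magic bytes in the UPX header and retry, or to dump the process image after the stub has decompressed it.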
Pro-Ocean targets several typical cloud applications, including Apache ActiveMQ, Oracle WebLogic and Redis, with an emphasis on cloud providers based in China such as Alibaba Cloud and Tencent Cloud. It is written in Go and compiled as an x86-64 binary. It contains four modules that are deployed during execution: hiding, mining, infecting and watchdog. Each module consists of files written in various languages (C, Python or Bash) plus a Bash script that executes it.
Cryptojacking malware targeting the cloud is evolving as attackers recognise the mining potential of that environment. This malware demonstrates that cloud providers' agent-based security solutions may not be enough on their own to stop evasive malware aimed at public cloud infrastructure, since the first thing it does on a known provider is remove the agent.
IOCs:
- URLs
  - hxxp://shop.168bee[.]com/*
  - hxxps://shop.168bee[.]com/*
- Mining Pool
  - hxxp://pool.minexmr[.]com
- SHA-256 Hashes
  - 4ff33180d326765d92e32ec5580f54495bfcdd58a85f908a7ece8d0aedbe5597
  - 220c2ebacafde95ebf4af12bf0d8eedb6004edd103ecb1d6363e7eb5a3e62c01
  - a81424ec81849950616f932c79db593147b8a01cc6d06d279fd05d61103abdb7
  - 070afdbb4c2c9e499d55cb8fbc08f98e95725b98682586d42f84fd7181eae1cb
  - 0a3898da2c6e31f1eed4497c4e4e3cf24138981f35cb3d190b81ba4b24ab3df0
  - 26a126fd5cd47b62bb5ae3116a509caf84da1ccd414e632f898aec0948cb0dbf
  - 37e1c05cc683bac5fe97763023a228a4ca4e0439acc94695724f67b7e0275ece
  - d3e95ae2f01be948dd11157873b3c84cb3e76dea1b382bcfb2c0cb09a949497c
  - 713b5447a51a4b930222491a2dfb5b948a5da6860d80cd8663c99432c1e0812f
  - 0f7abdceae4353c4a6a8ed6b5d261df0f94c2c52709dd50d38003192492e7d3b
  - bfea86bb68b51c6875d541c92bb48b38298982efbe12cf918873642235b99eeb
  - 575945f6f5149dc48c4a665fcab0cbdbedec1e18b887abe837ed987a7253ad02
  - abb36bc19b82a026f7d70919c64ed987ebb71420b04bb848275547e99da485bd
  - 7888925fe143add65f2ad928a7ee4e4b864d421fde57fac0cb2b218e70fe4d31