Rocke Group’s Malware Now Has Worm Capabilities


The Pro-Ocean cryptojacking malware now comes with the power to spread sort of a worm, also as harboring new detection-evasion tactics.

Researchers have identified an updated malware variant employed by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.

The malware is named Pro-Ocean, which was first discovered in 2019, and has now been beefed-up with “worm” capabilities and rootkit detection-evasion features.

“This malware is an example that demonstrates that cloud providers’ agent-based security solutions might not be enough to stop evasive malware targeted at public cloud infrastructure,” said Aviv Sasson with Palo Alto Networks on Thursday. “As we saw, this sample has the potential to delete some cloud providers’ agents and evade their detection.”

Since its discovery in 2018, the Rocke Group has widened its targeting of cloud applications – including Apache ActiveMQ, Oracle WebLogic and open-source arrangement store Redis – for mining Monero. Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group’s latest update aims to sidestep these detection and mitigation efforts.

Pro-Ocean Malware

Pro-Ocean uses a spread of known vulnerabilities to focus on cloud applications. These include a critical flaw in Apache ActiveMQ (CVE-2016-3088) and a high-severity vulnerability in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecure instances of Redis.

Once downloaded, the malware attempts to get rid of other malware and cryptominers, including Luoxk, BillGates, XMRig and Hashfish. It then kills any processes using the CPU heavily, in order that its XMRig miner can utilize one hundred pc of the CPU juice needed to sow Monero.

The malware is formed from four components: A rootkit module that installs a rootkit and other various malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these make sure the malware is running and search any processes using CPU heavily); and an infection module that contains “worm” capabilities.

New Features

The latter “worm” feature may be a new ad for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the general public IP address of the victim’s machine. It does so by accessing a web service with the address “,” which scopes out IP addresses for various web servers. Then, the script tries to infect all the machines within the same 16-bit subnet (e.g. 10.0.X.X).

“It does this by blindly executing public exploits one after the opposite within the hope of finding unpatched software it can exploit,” said Sasson.

Other threat groups have previously adopted worm-like functionality into their Monero-chugging malware. TeamTNT’s crypto mining worm, as an example , was found spreading through the Amazon Web Services (AWS) cloud and collecting credentials in August.

The Pro-Ocean malware has also added mew rootkit capabilities that cloak its malicious activity.

These updated features exist in Libprocess Hider, a library for hiding processes employed by the malware. This library was utilized by previous versions of Pro-Ocean – however, within the remake , the developer of the code has added several new code snippets to the library for further functionalities.

For example, before calling the libc function open (libc may be a library of ordinary functions which will be employed by all C programs), a malicious function determines whether the file must be hidden to obfuscate malicious activities.

“If it determines that the file must be hidden, the malicious function will return a ‘No such file or directory’ error, as if the enter question doesn’t exist,” said Sasson.

Researchers said they believe that the Rocke Group will still actively update its malware, particularly because the cloud grows as a lucrative target for attackers.

“Cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware isn’t something ordinary since it’s worm and rootkit capabilities. we will assume that the growing trend of sophisticated attacks on the cloud will continue.”


Please enter your comment!
Please enter your name here