New Pro-Ocean malware worms through Apache, Oracle, Redis servers

The financially-motivated Rocke hackers are using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis.

The new malware is a step up from the previous threat used by the group in that it comes with self-spreading capabilities, blindly throwing exploits at discovered machines.

Hiding malicious activity

Rocke cryptojacking hackers have not changed their habit of attacking cloud applications and leverage known vulnerabilities to take control of unpatched Oracle WebLogic (CVE-2017-10271) and Apache ActiveMQ (CVE-2016-3088) servers. Unsecured Redis instances are also on the list.

Researchers at Palo Alto Networks analyzing the malware say it includes “new and improved rootkit and worm capabilities” that allow it to hide malicious activity and spread to unpatched software on the network.

To stay under the radar, Pro-Ocean uses LD_PRELOAD, a native Linux feature that forces binaries to prioritize the loading of specific libraries. The method is not new and is constantly seen in other malware.

The new part is that the developers took the rootkit capabilities further by implementing publicly available code that helps conceal malicious activity.

One example relates to the ‘open’ function of the ‘libc’ library, tasked with opening a file and returning its descriptor. The researchers discovered that the malicious code determines if a file needs to be hidden before calling ‘open.’

source: Palo Alto Networks

“If it determines that the file needs to be hidden, the malicious function will return a “No such file or directory” error, as if the file in question does not exist” – Palo Alto Networks

Crude self-spreading mechanism

The actors behind Pro-Ocean have also moved from manually exploiting victims to an unrefined automated process. A  Python script takes the infected machine’s public IP address using the service and then tries to infect all machines in the same 16-bit subnet.

There is no selection in the process and the attackers simply throw public exploits at the discovered hosts hoping that one of them sticks.

source: Palo Alto Networks

If there is successful exploitation,…