Security researchers recently detected an updated piece of malware deployed by the Rocke group. The threat actor Rocke was first reported in late July 2018 and is known for targeting cloud infrastructure with cryptojacking attacks. The ultimate goal of this threat is to mine Monero cryptocurrency on compromised Linux machines.
The updated malware is called Pro-Ocean and was first discovered in 2019. The latest version has "worm" capabilities and rootkit-based detection-evasion features. It has a four-module structure: a rootkit module, a mining module, a Watchdog module, and an infection module. The malware has been used to exploit known vulnerabilities in applications such as Oracle WebLogic, Apache ActiveMQ, and Redis (unsecured instances).
The malware uses a Python infection script to carry out its newly added worm capabilities, while the rootkit capabilities conceal its malicious activity. It also uninstalls monitoring agents to avoid detection, attempts to remove other malware and miners before installing itself, and after installation kills any process that uses the CPU heavily.