
Pro-Ocean Malware

Infosec researchers have been following the Pro-Ocean Malware threat ever since it was first discovered back in 2019. Since then, the malware has seen several updates that have expanded both its threatening functionalities and its detection-avoidance abilities. The latest versions observed in the wild also appear to have been equipped with a worm-like spreading routine.

The Pro-Ocean Malware is part of the criminal activities of a gang of hackers called Rocke Group. Their main targets are cloud infrastructures, whose hardware is hijacked and used for crypto-mining. The initial range of targets has been expanded to include Apache ActiveMQ, Oracle WebLogic and Redis, an open-source data structure store. As an infection vector, the Pro-Ocean Malware uses known vulnerabilities in specific cloud applications, such as the critical CVE-2016-3088 flaw in Apache ActiveMQ and the severe CVE-2017-10271 vulnerability in Oracle WebLogic.

Once inside, Pro-Ocean activates and begins to modify the environment to better suit its needs. First, it gets rid of any potential competition for resources by removing other crypto-mining malware strains - Luoxk, BillGates, XMRig and Hashfish. Any legitimate CPU-intensive processes are also terminated. Once the space has been cleared, Pro-Ocean deploys its own XMRig payload, which drives the CPU to the available maximum and immediately begins to generate Monero coins.

Pro-Ocean is Still being Developed

The latest versions of Pro-Ocean consist of four different components. Two of them have remained largely untouched - the mining module responsible for running the XMRig payload, and the Watchdog module, equipped with two Bash scripts that search for CPU-heavy processes and make sure the malware itself keeps running. The other two components, however, exhibit some new abilities.

Pro-Ocean now has an infection module that allows it to spread in a manner similar to a worm. A Python script first acquires the infected machine's public IP address through an online service located at 'ident.me' and then attempts to infect other devices within the same 16-bit subnet. The script runs all of its vulnerability exploits one after the other, waiting to see if any of them successfully breaches an unpatched version of the respective software product.

The last component of Pro-Ocean is a rootkit module. As the name suggests, its main task is to deploy a rootkit threat. However, the hackers from the Rocke Group have now added new stealth capabilities to it that mask the threatening activity of the threat. The new features' code was added to a dedicated library called 'Libprocesshider' that was already present in the older Pro-Ocean versions. One of the new techniques determines whether a file needs to be hidden whenever the libc function 'open' is called. If the activities of the threat have to be obfuscated, a 'No such file or directory' error is returned, creating the impression that the file in question simply doesn't exist on the machine.
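A defender-side check for this kind of libc hooking, added here as an example and not code from the original article or from the malware: it flags libraries forced into processes through /etc/ld.so.preload or an LD_PRELOAD variable that live outside the standard library directories, and it scans a directory for files that the listing and stat() still report but open() refuses with 'No such file or directory'. The trusted-directory list and the embedded sample contents are assumptions.

```python
"""Spot LD_PRELOAD-style hiding of the kind the 'Libprocesshider' technique relies on.
The file formats (/etc/ld.so.preload, NUL-separated /proc/<pid>/environ) are real;
the sample contents below are constructed for the example."""
import errno
import os
import re

# Assumption: libraries legitimately preloaded system-wide live in these directories.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed samples: one system-wide preload entry and one process environment.
SAMPLE_PRELOAD = "# constructed sample\n/usr/local/lib/libprocesshider.so\n"
SAMPLE_ENVIRONS = {4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libhide.so\0HOME=/root\0"}


def preload_findings(ld_so_preload: str, environs: dict) -> list:
    """Return (source, pid, library) tuples for preloaded libraries outside the
    trusted directories. `environs` maps pid -> raw /proc/<pid>/environ bytes."""
    findings = []
    for line in ld_so_preload.splitlines():
        lib = line.strip()
        if lib and not lib.startswith("#") and not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(("ld.so.preload", None, lib))
    for pid, environ in environs.items():
        for var in environ.split(b"\0"):
            if var.startswith(b"LD_PRELOAD="):
                # LD_PRELOAD separates multiple libraries with colons or spaces.
                for lib in re.split(rb"[: ]", var[len(b"LD_PRELOAD="):]):
                    if lib and not lib.decode().startswith(TRUSTED_LIB_DIRS):
                        findings.append(("LD_PRELOAD", pid, lib.decode()))
    return findings


def hidden_by_open_hook(directory: str) -> list:
    """Names of regular files that the directory listing reports but open() denies
    with ENOENT: a hooked open() answering 'No such file or directory' for a file
    that readdir/stat still see is exactly the inconsistency described above."""
    suspicious = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            os.close(os.open(path, os.O_RDONLY))
        except OSError as exc:
            if exc.errno == errno.ENOENT:
                suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    for finding in preload_findings(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print("suspicious preload:", finding)
    print("inconsistent files in cwd:", hidden_by_open_hook("."))
```

On a live host the two inputs come from reading /etc/ld.so.preload and each /proc/<pid>/environ; a clean system yields no findings and an empty inconsistency list.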
