
Vulnerabilities in Apache, Oracle and Redis servers exploited for Monero mining

The Rocke hacker group has attacked a number of unpatched cloud servers using the new Pro-Ocean malware for covert cryptocurrency mining, researchers at Palo Alto Networks report.

The malware exploits known vulnerabilities to take control of the Apache ActiveMQ message broker (CVE-2016-3088), the Oracle WebLogic application server (CVE-2017-10271), and the Redis database management system.

Before installing itself, Pro-Ocean attempts to remove other malware and miners from the victim’s device, including Luoxk, BillGates, XMRig and Hashfish. It then stops all CPU-intensive applications, diverting the freed processing power to Monero mining.

It is also able to remove monitoring agents that could detect anomalous activity.

“Pro-Ocean is equipped with enhanced rootkit and worm features that allow it to hide activity and spread across the attacked subnet,” researchers noted.

According to Aqua Security, 95% of attacks on compromised cloud servers are aimed at covert cryptocurrency mining.

Back in October 2020, a new version of the Black-T malware for covert Monero mining was found to be capable of stealing passwords and stopping competing programs.
