VTA-00356 – Pro-Ocean Cryptojacking Malware:
1. CVE-2016-3088: The affected versions are Apache ActiveMQ 5.0.0 – 5.13.x. The fileserver feature was removed entirely in version 5.14.0. Users are advised to use other FTP- or HTTP-based file servers for transferring blob messages.
2. CVE-2017-10271: Apply the latest patch for the affected products, versions 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0. More information regarding the patch and workarounds can be found on:
3. Ensure Redis is configured to run in ‘protected mode’.
4. Configure the IOC information provided below into your current network, perimeter and endpoint threat defense mechanisms, e.g. Endpoint Advanced Threat Protection (ATP), network firewall, Web Application Firewall (WAF), and email and web content filtering policies, where applicable.
5. Download and install OTX Endpoint Security. Subscribe to Provintell-Lab’s OTX pulses and scan endpoints for the presence of IOCs.
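Item 3 above recommends Redis protected mode. As an added example (not from the advisory and not Provintell-Lab's code), this Python checker parses redis.conf text and reports whether an unauthenticated instance would be reachable from other hosts; it covers the case a checklist can miss, where protected-mode is on but an explicit bind to all interfaces takes the instance out of protected mode's scope, since Redis only applies protected mode when no bind directive and no requirepass are set. Both sample configurations are constructed.

```python
import re

# Constructed sample: looks hardened, but an explicit "bind 0.0.0.0" with no
# password means protected mode no longer restricts clients to loopback.
WEAK_CONF = """
# redis.conf (constructed sample)
bind 0.0.0.0
protected-mode yes
port 6379
"""

# Constructed sample: loopback-only bind plus authentication.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "REPLACE-WITH-STRONG-SECRET"
rename-command CONFIG ""
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}


def parse_redis_conf(text):
    """Parse redis.conf lines ('directive arg ...', quoted args allowed,
    full-line # comments) into {directive: [args]}; last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [m.group(1) if m.group(1) is not None else m.group(2)
                  for m in re.finditer(r'"([^"]*)"|(\S+)', line)]
        conf[tokens[0].lower()] = tokens[1:]
    return conf


def redis_exposure(text):
    """Classify how an instance is reachable from the network, given its config.
    Protected mode only applies with no bind directive and no password, so
    the explicit cases (password, loopback-only bind) are evaluated first."""
    conf = parse_redis_conf(text)
    if (conf.get("requirepass") or [""])[0]:
        return "authenticated"
    bind = conf.get("bind")
    if bind is not None and all(addr in LOOPBACK for addr in bind):
        return "loopback-only"
    if bind is None and (conf.get("protected-mode") or ["yes"])[0].lower() == "yes":
        return "protected-mode"
    return "open"  # reachable without credentials from other hosts


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {redis_exposure(conf)}")
```

Run it against a copy of the live redis.conf from each host; "open" is the state the Rocke scripts look for, and "protected-mode" still relies on nobody later adding a bind line without a password.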
Pro-Ocean Cryptojacking Malware is a new malware used by the Chinese APT group known as “Rocke”. It attacks cloud-based applications and, once a host is compromised, uses it to mine the Monero cryptocurrency. Its main propagation method relies on three known weaknesses: Apache ActiveMQ (CVE-2016-3088), Oracle WebLogic (CVE-2017-10271) and insecure Redis instances. The malware itself is written in the Go programming language and contains four modules which are deployed during execution.
The four modules are hiding, mining, infecting and watchdog. The hiding module installs a rootkit on the infected machine and also installs malicious services on it. The malware uses Linux features to force its malicious binaries to be preloaded ahead of others, and uses certain libraries to hide its processes. For the mining module, the XMRig miner is loaded onto the machine to perform the mining. In the infecting module, a script gathers the public IP address of the infected machine and then blindly executes the three public exploits used in the initial infection.
Once other hosts have been found infected, the script sends a payload that downloads an installation script, which in turn downloads the malware. The installation script first removes any other malware on the system, deletes all cron tasks, disables firewalls, uninstalls monitoring agents and searches the system for SSH keys. After that, the Pro-Ocean malware is downloaded onto the system. The watchdog module is a script that kills any process using 30% of the CPU so that the miner can fully utilize the CPU for mining. A further process loops forever, checking whether the malware is running and restarting it if it has been stopped.
MITRE ATT&CK Tactics: Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation
MITRE ATT&CK Techniques:
Remote Services: SSH
Obfuscated Files or Information: Software Packing
Scheduled Task/Job: Cron
Command and Scripting Interpreter: Unix Shell
Exploitation for Privilege Escalation
Deobfuscate/Decode Files or Information
Exploitation of Remote Services
Cloud Infrastructure Discovery
Impair Defenses: Disable or Modify System Firewall
Lateral Tool Transfer
Indicator of Compromise (IOC) Detection:
Contributed by: Riven