Cybersecurity Researchers Identifies an Updated Variant of 'Pro-Ocean' Malware


Cybersecurity experts have discovered an updated version of ‘Pro-Ocean malware’, this malware was used as a weapon by a cybercriminal gang called Rocke Group to target cloud infrastructure with crypto-jacking strikes.

Cybersecurity experts first discovered the Pro-Ocean malware in 2019 and it has evolved to be even more deadly due to its worm capabilities and rootkit detection evasion features. Aviv Sasson with Palo Alto Networks stated that "this malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure."

The Rocke Group has expanded its targeting of cloud applications such as Oracle WebLogic, ActiveMQ, and open-source data structure store Redis for mining Monero. Pro-Ocean malware has been on the radar of many cybersecurity firms since these attacks occurred. The latest malware targets to bypass these detection and mitigation efforts.

Pro-Ocean malware exploits various known vulnerabilities to target cloud applications which includes a severe flaw in Apache ActiveMQ (CVE-2016-3088) and a high severity susceptibility in Oracle WebLogic (CVE-2017-10271). The malware is also known to target vulnerable instances of Redis. After the malware is downloaded it strives to detach other malware and cryptominers, including BillGates, XMRig, Luoxk, and Hashfish. Once downloaded, it kills any process that utilizes the CPU heavily so that it is capable of using 100% of the CPU and mine Monero effectively.

Pro-Ocean malware has four components: A rootkit module that downloads a rootkit and various other malicious services; a mining module that operates the XMRig miner; a Watchdog module that implements two Bash scripts (for checking that the malware is operating and finding out any processes using CPU heavily); and an infection module that carries ‘worm’ capabilities. The latest ‘worm’ feature is a new inclusion for Pro-Ocean malware, which previously have targeted the victims manually, Python infection script is now used by malware to acquire the public IP address of the victim’s machine.

Pro-Ocean malware does this to secure online service with the domain ‘’ which extends out IP addresses for various web servers and then the script attempts to corrupt all the machines in the same 16-bit subnet (e.g., 10.0.X.X).

In this regard, cybersecurity researchers explained that “cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue”.