Security News > 2021 > February > New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers
A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research.
Deployed by the China-based cybercrime group Rocke, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers said in a Thursday write-up.
"In our analysis, we found Pro-Ocean targeting Apache ActiveMQ, Oracle WebLogic and Redis."
While prior variants of the malware banked on the capability to target and remove cloud security products developed by Tencent Cloud and Alibaba Cloud by exploiting flaws in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, Pro-Ocean has expanded the breadth of those attack vectors by aiming at Apache ActiveMQ, Oracle WebLogic, and Redis servers.
Besides its self-spreading features and better hiding techniques that allow it to stay under the radar and spread to unpatched software on the network, the malware, once installed sets about uninstalling monitoring agents to dodge detection and removing other malware and miners from the infected systems.
"This malware is an example that demonstrates that cloud providers' agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure," Unit 42 researcher Aviv Sasson said.
News URL
Related news
- Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware (source)
- Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining (source)
- DinodasRAT malware targets Linux servers in espionage campaign (source)
- Researchers sinkhole PlugX malware server with 2.5 million unique IPs (source)