Pro-Ocean-Cloud Malware

 

Pro-Ocean-Cloud Malware
 

The China-based cybercrime group Rocke, which is the best-known threat actor engaged in cryptomining operations targeting the cloud.The activities of Rocke, aka the Iron Group, SystemTen, Kerberods/Khugepageds, and even ex-Rocke, were originally reported in August 2018. Rocke was initially associated with ransomware campaigns using its Linux-focused Xbash tool, a data-destruction malware similar in functionality to NotPetya. NotPetya used the EternalBlue exploit to propagate across a network. Xbash performed lateral movement by leveraging an organization’s unpatched vulnerabilities and use of weak passwords, which potentially limited its overall effectiveness.
Pro-Ocean is a revised version of cloud-targeted cryptojacking malware with improved rootkit and worm capabilities. Pro-Ocean uses known vulnerabilities to target cloud applications. It contains four modules that deploy during execution — hiding, mining, infecting, and watchdog. Each module contains some files written in various languages (C, Python, or Bash) and a Bash script that executes it.

Indicators of Compromise

URLs:

hxxp://shop.168bee[.]com/*
hxxps://shop.168bee[.]com/*
hxxp://pool.minexmr[.]com

 
Hashes 

   
4ff33180d326765d92e32ec5580f54495bfcdd58a85f908a7ece8d0aedbe5597   
220c2ebacafde95ebf4af12bf0d8eedb6004edd103ecb1d6363e7eb5a3e62c01   
a81424ec81849950616f932c79db593147b8a01cc6d06d279fd05d61103abdb7   
070afdbb4c2c9e499d55cb8fbc08f98e95725b98682586d42f84fd7181eae1cb   
0a3898da2c6e31f1eed4497c4e4e3cf24138981f35cb3d190b81ba4b24ab3df0   
26a126fd5cd47b62bb5ae3116a509caf84da1ccd414e632f898aec0948cb0dbf   
37e1c05cc683bac5fe97763023a228a4ca4e0439acc94695724f67b7e0275ece   
d3e95ae2f01be948dd11157873b3c84cb3e76dea1b382bcfb2c0cb09a949497c   
713b5447a51a4b930222491a2dfb5b948a5da6860d80cd8663c99432c1e0812f   
0f7abdceae4353c4a6a8ed6b5d261df0f94c2c52709dd50d38003192492e7d3b   
bfea86bb68b51c6875d541c92bb48b38298982efbe12cf918873642235b99eeb   
575945f6f5149dc48c4a665fcab0cbdbedec1e18b887abe837ed987a7253ad02   
abb36bc19b82a026f7d70919c64ed987ebb71420b04bb848275547e99da485bd   
7888925fe143add65f2ad928a7ee4e4b864d421fde57fac0cb2b218e70fe4d31

Comments

Post a Comment

Popular posts from this blog

Revil Ransomware Targeted Kaseya

Image
  Revil Ransomware Targeted Kaseya   REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. The REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.   Indicators of Compromise URLs/Domains: architekturbuero-wagner.net mindpackstudios.com vitavia.lt bouncingbonanza.com lukeshepley.wordpress.com igfap.com bockamp.com levihotelspa.fi exenberger.at tinyagency.com familypark40.com alfa-stroy72.com boompinoy.com mdacares.com architecturalfiberglass.org slupetzky.at sinal.org qualitus.com deepsouthclothingcompany.com groupe-frayssinet.fr synlab.lt kamienny-dywan24.pl ilcdover.com humancondition.co...
Read more

Buer Loader provides malware-as-a-service

Image
  Buer Loader provides malware-as-a-service       Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader. “A new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). Indicators of Compromise File Hashes 10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1 32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5 5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4   6c7f43434e5db8703c0a47dedeeab976159d8704bfb...
Read more

BANDOOK(RAT)

Image
    BANDOOK(RAT)-Malware   The payload in this attack is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli.Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server sends basic information about the infected machine and waits for additional commands from the server. Indicators of Compromise File Hash MD5 27f8d8bbbeeda5fc439ee18d9d4da343 44584c8d010242fddb44afe5ce860872 a6501c62b3a6ffa8d028a88138fe509f 7c15ee5b9a12dacaace8fb62271f12f1 4e9e12c98cfbc5f3aa3c1345bd063fa0 7ef261c151519e66ec369c63e4b1aed4 6effed1b1bb5e9ed6aafacb075c1d4e2 0475771b8bc3efc28b1834f3add608f3 045ce6679ed4086e2ded58470e24c15a 28ad9ace11919b57bf54...
Read more