{
	"id": "935a3437-c2cf-4142-b494-e2319feb6d53",
	"created_at": "2026-04-06T00:09:40.918307Z",
	"updated_at": "2026-04-10T03:32:46.234129Z",
	"deleted_at": null,
	"sha1_hash": "7c9e77a1b35fc58925a2c8a7a52eb0a48b7f9b68",
	"title": "Pro-Ocean: Rocke Group’s New Cryptojacking Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1701667,
	"plain_text": "Pro-Ocean: Rocke Group’s New Cryptojacking Malware\r\nBy Aviv Sasson\r\nPublished: 2021-01-28 · Archived: 2026-04-05 13:36:31 UTC\r\nExecutive Summary\r\nIn 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct\r\ncryptojacking attacks that mine Monero. Since then, cybersecurity companies have had the malware on their\r\nradar, which hampered Rocke Group’s cryptojacking operation. In response, the threat actors updated the\r\nmalware.\r\nHere, we uncover a revised version of the same cloud-targeted cryptojacking malware, which now includes new\r\nand improved rootkit and worm capabilities. We also detail the hiding techniques the malware uses to dodge\r\ncybersecurity companies’ detection methods, and explain its four-module structure. We’ve named the\r\nmalware Pro-Ocean after the name the attacker chose for the installation script.\r\nPro-Ocean uses known vulnerabilities to target cloud applications. In our analysis, we found Pro-Ocean targeting\r\nApache ActiveMQ (CVE-2016-3088), Oracle WebLogic (CVE-2017-10271) and Redis (unsecured instances). If\r\nthe malware runs in Tencent Cloud or Alibaba Cloud, it uses the exact code of the previous\r\nmalware to uninstall the providers’ monitoring agents and avoid detection. Additionally, it attempts to remove other malware and\r\nminers, including Luoxk, BillGates, XMRig and Hashfish, before installation. Once installed, the malware kills any\r\nprocess that uses the CPU heavily, so that it can use 100% of the CPU and mine Monero efficiently.\r\nPalo Alto Networks Prisma Cloud customers are protected from Pro-Ocean through the Runtime Protection and\r\nCryptominers Detection features.\r\nThe Malware\r\nAlthough Pro-Ocean attempts to disguise itself as benign, it packs an XMRig miner, which is notorious for its use\r\nin cryptojacking operations. The miner is hidden behind several obfuscation layers on top of the malicious code:\r\n1. 
The binary is packed using UPX. This means that the actual malware is compressed inside the binary and is\r\ndecompressed and executed only at run time.\r\n2. Static analysis tools can normally unpack UPX binaries and scan their content. However, in this case, the\r\nUPX magic string (UPX!) has been deleted from the binary, so static analysis tools cannot identify the\r\nbinary as UPX-packed and unpack it. The stock upx tool refuses such a file as well; restoring the magic string before running upx -d is the usual analyst workaround.\r\n3. The modules are gzipped inside the unpacked binary.\r\n4. The XMRig binary is inside one of the gzipped modules and is itself packed by UPX, again without the\r\nUPX magic string.\r\nhttps://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/\r\nPage 1 of 9\n\nFigure 1. Obfuscation layers.\r\nPro-Ocean targets several typical cloud applications, including Apache ActiveMQ, Oracle WebLogic and Redis,\r\nwith an emphasis on cloud providers based in China, including Alibaba Cloud and Tencent Cloud. It is written in\r\nGo and compiled as an x64 binary. It contains four modules that are deployed during execution -- hiding,\r\nmining, infecting and watchdog. Each module contains some files written in various languages (C, Python or\r\nBash) and a Bash script that executes it.\r\nThe Modules\r\nThe four modules of Pro-Ocean are gzipped inside the binary and are extracted and executed one after the other by\r\nfour different functions.\r\nFigure 2. The four main functions.\r\nFigure 3. Malware architecture.\r\nHiding Module (Rootkit Capabilities)\r\nThe hiding module is responsible for concealing Pro-Ocean’s malicious activity. It uses a native Linux feature,\r\nLD_PRELOAD. The dynamic loader loads preloaded libraries before all others, so any function they export takes precedence over\r\nthe same-named function in any library loaded later, including libc. 
One of the ways to use LD_PRELOAD is to add the crafted\r\nlibrary to /etc/ld.so.preload. Unlike the LD_PRELOAD environment variable, which only affects the processes it is exported to, /etc/ld.so.preload is read by the loader for every dynamically linked program on the host.\r\nThis way, once executed, binaries load this library and use its functions instead of the functions in the default\r\nlibraries. This feature is commonly abused by other malware.\r\nDuring execution, the hiding module compiles a C file into a shared library and adds it to /etc/ld.so.preload. This library\r\ncontains many functions that are usually exposed by libc, including open, opendir, readdir, stat, access and many\r\nmore. These wrappers call the real libc functions and then alter the returned data in order to hide any information\r\nthat exposes Pro-Ocean (e.g. malicious files or processes). In some cases, they even return forged data when\r\naccessing a specific file such as /proc/stat (the file from which top and similar tools read system CPU time).\r\nBecause all of this happens in user space through libc, anything that bypasses libc is not fooled: a statically linked tool, or code that issues the syscalls directly. Comparing what a hooked view and an unhooked view of the same host report is the standard way to expose such a rootkit.\r\nAs in the previous version of the malware, the code uses Libprocesshider, a library for hiding processes. In\r\naddition, it looks like the developer gathered several code snippets from the internet and added\r\nthem in order to gain more rootkit capabilities.\r\nFor example, let's take a look at the libc function open. This function opens a file and returns its file descriptor, but\r\nsomething else happens once the malicious library is loaded.\r\nFigure 4. Modified open function.\r\nBefore calling the real open, the malicious wrapper determines whether the file in question needs to be hidden to\r\nobfuscate malicious activities. 
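A user-space check for this kind of preload rootkit, added here as an example and not code from the Unit 42 report or from Pro-Ocean itself. It reads /etc/ld.so.preload, which on a healthy host is normally absent or empty, and then compares the PIDs visible through readdir() on /proc (the libc path a preloaded library can hook, and the one libprocesshider does hook) with the PIDs found by probing kill(pid, 0), a different libc entry point that libprocesshider does not wrap. It assumes Linux and Python 3, and that the hook does not also wrap kill(); the second pass discards processes that merely exited between the two snapshots.

```python
# Added example (not from the Unit 42 report): expose an ld.so.preload
# rootkit from user space with two independent checks.
#   1. /etc/ld.so.preload should normally not exist (or be empty); any
#      entry in it is worth explaining.
#   2. A readdir() hook hides PIDs from everything that lists /proc, but a
#      process that exists still answers kill(pid, 0). Probing PIDs
#      directly and diffing against the readdir() listing reveals the
#      hidden ones.
# Assumptions: Linux, Python 3, and a hook that does not also wrap kill()
# (libprocesshider-style code does not).
import os

def parse_ld_so_preload(text):
    # Library paths from an ld.so.preload file: whitespace- or
    # newline-separated paths; a # starts a comment (glibc behaviour).
    libs = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs

def read_ld_so_preload(path='/etc/ld.so.preload'):
    try:
        with open(path) as fh:
            return parse_ld_so_preload(fh.read())
    except FileNotFoundError:
        return []

def listed_pids(proc='/proc'):
    # os.listdir goes through glibc readdir(), which a preloaded library
    # can hook; this is the view ls and ps get.
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probe_pids(max_pid):
    # kill(pid, 0) delivers no signal; it only reports whether pid exists.
    # EPERM (PermissionError) means it exists but belongs to someone else,
    # ESRCH (ProcessLookupError) means it does not exist. Neither path
    # touches readdir().
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive

def hidden_pids(listed, probed):
    # PIDs that exist but are missing from the /proc listing. A process
    # that started after the listing was taken lands here too, so the
    # caller should confirm with a second pass.
    return probed - listed

def read_max_pid(path='/proc/sys/kernel/pid_max'):
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except FileNotFoundError:
        return 32768   # historical default when pid_max is unavailable

if __name__ == '__main__':
    preload = read_ld_so_preload()
    if preload:
        print('ld.so.preload entries:', preload)
    max_pid = read_max_pid()
    first = hidden_pids(listed_pids(), probe_pids(max_pid))
    # second pass to drop processes that simply came or went in between
    second = hidden_pids(listed_pids(), probe_pids(max_pid))
    for pid in sorted(first & second):
        print('hidden pid', pid)
```

Running it as root gives the fullest view (kill(pid, 0) on another user's process reports EPERM, which the probe still counts as alive). Any entry in /etc/ld.so.preload, and any PID that survives both passes, deserves a closer look with a statically linked tool or from a trusted boot medium, since every dynamically linked command on the host, including ls and ps, goes through the same hooks.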
If it determines that the file needs to be hidden, the wrapper returns a\r\n“No such file or directory” (ENOENT) error, as if the file in question did not exist.\r\nBesides that, in this module, Pro-Ocean tries to gain persistence by copying itself into numerous locations,\r\ncreating a new malicious service that executes the malware if it is not running (the IOC table below lists a proc__sysagent.service unit) and adding several cron jobs\r\nthat do the same thing periodically.\r\nMining Module\r\nThe mining module is the reason Pro-Ocean exists in the first place. Its goal is to mine Monero into the attacker’s\r\nwallet, and it does so by deploying XMRig 5.11.1 with a JSON configuration, then starting to mine. This\r\nis a common operation for cryptojacking malware.\r\nInfection Module (Worm Capabilities)\r\nUnlike the previous version of the malware, with which the Rocke Group exploited\r\nvictims manually, Pro-Ocean uses a Python infection script that gives it\r\n\"worm\" capabilities. This script retrieves the machine’s public IP from the online service at\r\n\"ident.me\" and then tries to infect all the machines in the same /16 network as that address (the first two octets, e.g. 10.0.X.X). It does this\r\nby blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit.\r\nFigure 5. Infection scanning loop.\r\nOnce it finds unpatched software and exploits it, the Python script sends a payload that downloads an\r\ninstallation script from a malicious HTTP server, which does some preparations and installs Pro-Ocean.\r\nThe list of vulnerable software that Pro-Ocean exploits includes:\r\n1. Apache ActiveMQ – CVE-2016-3088.\r\n2. Oracle WebLogic – CVE-2017-10271.\r\n3. 
Redis – unsecured instances.\r\nThis list is not fixed, since the malware is downloaded to the\r\nvictim from a remote server during the infection. It can therefore be changed, and additional exploits or other upgrades\r\ncould be added at any time.\r\nFigure 6. Infection process.\r\nInstallation Script\r\nThe installation script has a crucial role: it lays the groundwork for Pro-Ocean before installing it by doing\r\nseveral things. It is written in Bash and is obfuscated. By observing it, we can conclude that two of the malware’s\r\ntargets are Alibaba Cloud and Tencent Cloud.\r\nIt works in this order:\r\n1. Attempt to remove other malware and miners, including Luoxk, BillGates, XMRig, Hashfish and more. It\r\ndoes this by grepping the process and network-connection listings for known names and then\r\nterminating any matches.\r\n2. Erase all of the cron tasks to make sure that other malware will not be able to recover.\r\n3. Disable the iptables firewall so that the malware has full access to the internet.\r\n4. If the malware runs in Tencent Cloud or Alibaba Cloud, use the exact code of the\r\nprevious malware to uninstall the providers’ monitoring agents and avoid detection.\r\n5. Look for SSH keys and attempt to use them to infect new machines.\r\nFigure 7. Uninstall the cloud monitoring agents.\r\nAfter laying the groundwork, the installation script determines the machine’s CPU architecture and tries to\r\ndownload the corresponding binary using various tools, including curl, wget, python2, python3 and PHP.\r\nFigure 8. Obfuscated code that downloads the malware.\r\nWatchdog Module\r\nPro-Ocean contains a watchdog module written in Bash. 
It executes two Bash scripts with different purposes.\r\n1. program__kill30 – This script loops forever and searches for processes that use more than 30% of the\r\nCPU (not including the malware’s own processes). Once found, it kills them. The malware’s goal is to use 100%\r\nof the CPU and mine Monero efficiently, so it kills any process that uses the CPU heavily.\r\n2. program__daemonload – This script loops forever and checks that the malware is running. If not, it runs\r\nit.\r\nConclusion\r\nCryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to\r\nmine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an\r\nongoing, growing threat. This cloud-targeted malware is out of the ordinary for cryptojacking in that it has worm and rootkit\r\ncapabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue.\r\nThis malware demonstrates that cloud providers’ agent-based security solutions may not be\r\nenough to stop evasive malware targeted at public cloud infrastructure. As we saw, this sample has the\r\ncapability to delete some cloud providers’ agents and evade their detection (Figure 7).\r\nPalo Alto Networks Prisma Cloud customers are protected from Pro-Ocean through the Runtime Protection and\r\nCryptominers Detection features.\r\nFigure 9. 
Prisma Cloud incident alert.\r\nIOCs\r\nURLs\r\nhxxp://shop.168bee[.]com/*\r\nhxxps://shop.168bee[.]com/*\r\nMining Pool\r\nhxxp://pool.minexmr[.]com\r\nFiles\r\nSHA-256 Hash Filename\r\n4ff33180d326765d92e32ec5580f54495bfcdd58a85f908a7ece8d0aedbe5597 pro__autolk.sh\r\n220c2ebacafde95ebf4af12bf0d8eedb6004edd103ecb1d6363e7eb5a3e62c01 pro__automig.sh\r\na81424ec81849950616f932c79db593147b8a01cc6d06d279fd05d61103abdb7 pro__autorkt.sh\r\n070afdbb4c2c9e499d55cb8fbc08f98e95725b98682586d42f84fd7181eae1cb pro__autoscan.sh\r\n0a3898da2c6e31f1eed4497c4e4e3cf24138981f35cb3d190b81ba4b24ab3df0 pro__cfg\r\n26a126fd5cd47b62bb5ae3116a509caf84da1ccd414e632f898aec0948cb0dbf pro__wlib.c\r\n37e1c05cc683bac5fe97763023a228a4ca4e0439acc94695724f67b7e0275ece proc__bioset.sh\r\nd3e95ae2f01be948dd11157873b3c84cb3e76dea1b382bcfb2c0cb09a949497c proc__o0mig\r\n713b5447a51a4b930222491a2dfb5b948a5da6860d80cd8663c99432c1e0812f proc__scanr.py\r\n0f7abdceae4353c4a6a8ed6b5d261df0f94c2c52709dd50d38003192492e7d3b pro__o0cean\r\nbfea86bb68b51c6875d541c92bb48b38298982efbe12cf918873642235b99eeb pro__o0cean\r\n575945f6f5149dc48c4a665fcab0cbdbedec1e18b887abe837ed987a7253ad02 proc__sysagent.service\r\nabb36bc19b82a026f7d70919c64ed987ebb71420b04bb848275547e99da485bd .program__daemonload\r\n7888925fe143add65f2ad928a7ee4e4b864d421fde57fac0cb2b218e70fe4d31 .program__kill30\r\nTable 1. Malicious file hashes\r\nSource: https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/"
	],
	"report_names": [
		"pro-ocean-rocke-groups-new-cryptojacking-malware"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e4389aca-6209-443d-9fdc-7ad01c36e3b4",
			"created_at": "2023-01-06T13:46:39.07782Z",
			"updated_at": "2026-04-10T02:00:03.205516Z",
			"deleted_at": null,
			"main_name": "luoxk",
			"aliases": [],
			"source_name": "MISPGALAXY:luoxk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434180,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c9e77a1b35fc58925a2c8a7a52eb0a48b7f9b68.pdf",
		"text": "https://archive.orkl.eu/7c9e77a1b35fc58925a2c8a7a52eb0a48b7f9b68.txt",
		"img": "https://archive.orkl.eu/7c9e77a1b35fc58925a2c8a7a52eb0a48b7f9b68.jpg"
	}
}