Hello, welcome to the Friday, January 29th, 2021 edition of the Sansanet Storm Center's Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Palo Alto is alerting off a new cryptojacking script that they're calling ProOcean and tribute to the Rock Crew, because

it is very similar to an earlier tool that was released by this crew.

Now, crypto jacking, crypto mining, Malware is of course not really all that new.

This one is a little bit more sophisticated than some of the others that I've seen.

It's going after relatively straightforward vulnerability, like the Apache Active MQ1,

the Oracle WebLogic vulnerability, and then just unsecured Redis instances, but none of these

vulnerabilities is terribly new there from 2016 and 2017. They do target specifically

servers hosted within cloud providers, and they're in particular Chinese cloud providers like

Tencent and Alibaba.

To me it looks like they're pretty much mostly going after systems that are no longer maintained.

Maybe there is a little bit of pattern by trying old vulnerabilities to hit unmaintained machines, because

this particular malware will not just kill competing malware, which is quite common, but it

will also kill other software that uses a lot of CPU.

So if you have some legitimate software running on the host,

you should probably notice that it's all for a sudden stopped running. It uses the standard

XM Rick package in order to mine Monero and another little twist. It then also goes out and tries to infect other systems within the same slash 16 network.

And again, given that, they appear to be targeting systems within specific cloud providers.

This makes a lot of sense.

They probably try to stay within the IP address space that this cloud provider uses.

Palo Alto did publish respective indicators of compromise, but really just watching CPU load and such

probably should do a good job to detect this particular malware.

...