Chinese-speaking cybercrime group Rocke, known for running multiple large-scale malicious cryptomining campaigns, has switched to new Tactics, Techniques and Procedures (TTPs).
Rocke is a financially motivated threat group first discovered in April 2018 by researchers from the Cisco Talos team while it was targeting unpatched Apache Struts, Oracle WebLogic and Adobe ColdFusion servers.
Palo Alto Networks' Unit 42 discovered in January, after analyzing new Rocke samples, that the malware uninstalls several cloud security and monitoring products from Tencent and Alibaba Cloud on compromised Linux servers.
Rocke's latest malware targeted the local agents of Tencent Host Security and Alibaba Cloud's Threat Detection Service, Unit 42 found.
Uninstalling cloud security and monitoring products
In March, Rocke switched to a new Golang-based dropper known as LSD, which used Pastebin for command and control (C2), as Anomali Labs researchers found while tracking the group over the course of the year.
The new malware strain was built to run Monero (XMR) cryptojacking operations on compromised systems at nearly non-existent detection rates, and it marked the group's move away from its earlier Python-based malicious tooling.
LSD dropper detection rates
One month later, Rocke began exploiting CVE-2019-3396 in Atlassian Confluence servers to remotely execute malicious code and drop cryptominer payloads.
In the summer, in late July, the hackers moved to self-hosted C2 infrastructure, allowing them to host the cryptomining setup scripts on their own servers and eliminating the risk of that part of the operation being taken down.
DNS queries for Rocke servers hosting setup scripts
Last month, Rocke changed its TTPs again, moving its cryptomining setup scripts out of Pastebin pastes and into Domain Name System (DNS) TXT records.
“With standard DNS queries or DNS-over-HTTPS, if a DNS request fails, these records are accessed,” adds the Anomali Labs report.
Malware loader patched and enhanced
“In addition to the C2 change, features have also been introduced for their LSD malware to operate [against] CVE-2016-3088-vulnerable ActiveMQ servers.” Rocke's LSD malware will also hunt for and kill any CPU-intensive process running on compromised computers, although it first makes sure that it does not kill its own cryptominers by comparing their MD5 hashes against hardcoded values.
Detecting Rocke miners
The new LSD sample, which retrieves its mining configuration scripts from “128-bit AES in cipher-block-chaining (CBC) and base64 encoded” TXT records via DoH requests, was released on September 17.
“Rocke continues to evolve its TTPs in an effort to remain undetected. The actor is more protected against potential downsizing that can prevent malicious activities by moving from hosting scripts on the Pastebin to hosted and DNS records,” concludes Anomali Labs.
“The team is likely to exploit new vulnerabilities to mine other cryptocurrencies in the near future.” A collection of indicators of compromise (IOCs) and an ATT&CK matrix describing the tactics used by the cybercrime gang can be found at the end of Anomali Labs' report on Rocke's activity this year.
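A TXT record that carries a base64-encoded AES-CBC blob looks nothing like the SPF, DKIM or verification-token records DNS normally serves, so a defender who logs DNS answers (or DoH responses at a proxy) can triage TXT values without knowing the key. The following is an added example, not code from the article, from Anomali Labs or from Rocke's tooling; the four sample records are constructed, and the “ciphertext” is deterministic pseudo-random bytes standing in for an AES-CBC payload. It goes slightly beyond the article by also separating plaintext scripts that are merely base64-encoded from encrypted blobs.

```python
"""Triage DNS TXT record values for encoded or encrypted payloads. Added
example for this article, not Anomali's or Rocke's code; sample records are
constructed and the 'ciphertext' is pseudo-random bytes, not real AES output."""
import base64
import binascii
import hashlib
import math
import string

PRINTABLE = set(string.printable.encode())
MIN_PAYLOAD = 32  # ignore short base64 tokens such as site-verification strings


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; reported to the analyst alongside the verdict, not thresholded."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_txt(record: str) -> dict:
    """Verdict for one TXT value.

    benign         : not a single strict base64 token (SPF, DKIM, verification text)
    encoded-text   : base64 that decodes to printable text, i.e. a script in the clear
    encrypted-blob : base64 whose decoded bytes are 16-byte aligned and mostly
                     non-printable, which is what an AES-CBC ciphertext looks like
    opaque         : base64 binary that is not block-aligned (keys, certificates, images)
    """
    token = record.strip().strip('"')
    try:
        raw = base64.b64decode(token, validate=True)  # rejects spaces, ';', '~', bad padding
    except (binascii.Error, ValueError):
        return {"verdict": "benign", "entropy": 0.0, "bytes": 0}
    if len(raw) < MIN_PAYLOAD:
        return {"verdict": "benign", "entropy": round(shannon_entropy(raw), 2), "bytes": len(raw)}
    printable = sum(1 for b in raw if b in PRINTABLE) / len(raw)
    if printable >= 0.95:
        verdict = "encoded-text"
    elif len(raw) % 16 == 0 and printable < 0.8:
        verdict = "encrypted-blob"
    else:
        verdict = "opaque"
    return {"verdict": verdict, "entropy": round(shannon_entropy(raw), 2), "bytes": len(raw)}


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext so the example runs offline and repeatably."""
    out, seed = b"", b"constructed-seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


def sample_blob(n: int) -> str:
    """Base64 of n constructed pseudo-random bytes."""
    return base64.b64encode(_pseudo_random(n)).decode()


SCRIPT = b"#!/bin/sh\n# constructed stand-in for a miner setup script\nexec /tmp/constructed_miner\n"

SAMPLE_TXT_RECORDS = {  # all constructed
    "spf": "v=spf1 include:_spf.example.com ~all",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
    "script": base64.b64encode(SCRIPT).decode(),
    "blob": sample_blob(128),  # 128 bytes: a multiple of the AES block size
}


def triage(records: dict) -> dict:
    """Map record name to verdict; the entry point a log pipeline would call."""
    return {name: classify_txt(value)["verdict"] for name, value in records.items()}


if __name__ == "__main__":
    for name, value in SAMPLE_TXT_RECORDS.items():
        print(f"{name:8s} {classify_txt(value)}")
```

Block alignment is a weak signal on its own (many binary values happen to be 16-byte multiples), which is why it is combined with the printable-byte ratio; a hit on a domain the organisation does not own, fetched via DoH from a server rather than a workstation, is what should raise the alert.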
Fighting for cloud supremacy
Rocke was also discovered in May targeting the cryptominers of another cryptojacking group known as “Pacha Group,” a Chinese hacking group profiled by Intezer Labs while it was pushing Linux.GreedyAntd, a cryptocurrency mining malware first spotted in September 2018.
Both hacking groups run large-scale malicious cryptomining operations and have been hunting each other as part of an ongoing fight over vulnerable cloud-based infrastructure, as Intezer Labs' research team revealed.
The Pacha Group “started a cryptomining assault on services like WordPress and PhpMyAdmin, or used a well-known exploit for an outdated version of similar services,” Intezer Labs said at the time.
The cryptomining malware used by the Rocke group in campaigns dating back to April 2018 also carries a “kill list” used to detect and shut down cryptojacking malware already running on the compromised system.
Pacha Group has also added a hardcoded list of IP addresses to Linux.GreedyAntd's blacklist which, as Intezer Labs found, blocks Rocke's cryptominers by routing their traffic back to the infected machine, preventing them from reaching their mining pools.
The malware strains of both groups also share the ability to look up and disable Alibaba Cloud's cloud protection and monitoring services, integrated support for the libprocesshider rootkit, and the ability to exploit the same well-known vulnerabilities [1, 2, 3, 4].
Since both groups were observed actively targeting cloud infrastructure to run cryptojacking operations, their dispute was over who gets to abuse insecure cloud systems.
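The process-hiding rootkit both groups bundle works by being loaded into every process through LD_PRELOAD and hooking directory reads, so tools that enumerate `/proc` with readdir() no longer see the miner, while direct lookups of `/proc/<pid>` still succeed. Two host checks follow from that: anything listed in `/etc/ld.so.preload` (normally empty or absent), and PIDs that exist by direct path but are missing from the listing. The code below is an added example written for this article, not Intezer's or either group's code; the preload file content and the PID sets in the test are constructed, and `live_check()` assumes a Linux host.

```python
"""Two checks for an LD_PRELOAD-based process hider of the libprocesshider kind.
Added example for this article, not Intezer's or either group's code. Inputs
used in the demo are constructed; live_check() assumes a Linux /proc."""
import os
import time
from typing import Callable, Iterable, List


def preload_entries(text: str) -> List[str]:
    """Library paths from /etc/ld.so.preload content, ignoring blanks and '#' comments.
    Any entry at all deserves a look; a legitimate system rarely needs this file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())  # the loader accepts space-separated paths
    return entries


def _proc_exists(pid: int) -> bool:
    return os.path.exists(f"/proc/{pid}")


def hidden_pids(listed_pids: Iterable[int], pid_max: int,
                exists: Callable[[int], bool] = _proc_exists) -> List[int]:
    """PIDs reachable by direct path lookup but absent from the readdir-based listing.
    A readdir() hook can filter the listing; it cannot stop a stat() of /proc/<pid>."""
    listed = set(listed_pids)
    return [pid for pid in range(1, pid_max + 1) if pid not in listed and exists(pid)]


def list_proc_pids() -> List[int]:
    """What ps/top see: the readdir()-based view of /proc."""
    return [int(e) for e in os.listdir("/proc") if e.isdigit()]


def live_check(settle_seconds: float = 0.5) -> dict:
    """Run both checks on the local host. Candidates are re-checked after a short pause
    so processes that merely started between the listing and the scan are dropped."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload = preload_entries(f.read())
    except OSError:
        preload = []  # absent file is the normal state
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read().strip())
    except OSError:
        pid_max = 32768
    candidates = hidden_pids(list_proc_pids(), pid_max)
    time.sleep(settle_seconds)
    still_hidden = [pid for pid in candidates if pid not in set(list_proc_pids()) and _proc_exists(pid)]
    return {"preload_entries": preload, "hidden_pids": still_hidden}


def demo() -> dict:
    """Constructed scenario: PID 4 exists but is filtered out of the listing, and the
    preload file names one library. Output for this input: PID 4 and that library."""
    present = {1, 2, 3, 4, 5}
    visible = [1, 2, 3, 5]
    preload_text = "# constructed preload file\n/usr/local/lib/constructed_hider.so\n"
    return {
        "preload_entries": preload_entries(preload_text),
        "hidden_pids": hidden_pids(visible, 10, exists=lambda pid: pid in present),
    }


if __name__ == "__main__":
    print(demo())
    # On a real Linux host: print(live_check())
```

Scanning every PID up to `pid_max` is a few million stat() calls on a default kernel, which is acceptable for a one-off triage but not for a tight loop; a rootkit that hooks stat() as well would defeat the second check, which is why the first one, the preload file itself, should be monitored for any change.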