Chinese Hackers Use New Cryptojacking Tactics to Evade Detection

Chinese-speaking cybercrime group Rocke, known for operating multiple large-scale malicious crypto-mining campaigns, has now switched to new Tactics, Techniques, and Procedures (TTPs), including new C2 infrastructure and updated malware to evade detection.

Rocke is a financially motivated threat group first spotted in April 2018 by Cisco Talos researchers while exploiting unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers, and dropping cryptomining malware from attacker-controlled Gitee and GitLab repositories.

During January, after analyzing new Rocke malware samples, Palo Alto Networks’ Unit 42 team found code that uninstalls multiple cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud from Linux servers.

Rocke’s new malware targeted local agents added by Tencent Host Security and the Threat Detection Service from Alibaba Cloud, as Unit 42 discovered.

Uninstalling cloud security and monitoring products (Image: Unit 42)

New Rocke C2 infrastructure

In March, Rocke was observed switching to a new Golang-based dropper dubbed LSD that used Pastebin for command and control (C2), as Anomali Labs researchers discovered while monitoring the group’s activities throughout this year.

This new malware strain is designed to help them set up Monero (XMR) cryptojacking operations on compromised systems with almost non-existent detection rates, and to help the threat group move away from malicious tools developed using Python.

LSD dropper detection rates

One month later, Rocke started exploiting CVE-2019-3396 in vulnerable Confluence servers to execute malicious code remotely, subsequently dropping cryptominer payloads as reported on Atlassian’s user forums.

During the summer, in late July, the hackers switched to self-hosted C2 infrastructure, which allowed them to host the cryptomining configuration scripts on their own servers, thus removing the risk of having parts of their operation taken down.

DNS queries for Rocke servers hosting setup scripts
