16 October 2019

Chinese cybercrime group Rocke uses new tactics to evade detection


Chinese-speaking cybercrime group Rocke, which is believed to be responsible for several large-scale cryptomining campaigns in the past, is now using new Tactics, Techniques, and Procedures (TTPs), including new C2 infrastructure and updated malware, in order to evade detection.

First reports on the group’s illicit cryptomining operations emerged in August 2018, when Rocke attacked unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers and infected the compromised hosts with cryptomining malware. Earlier this year, researchers from Palo Alto Networks Unit42 discovered new cryptojacking malware samples used by the group that uninstall the cloud security and monitoring agents developed by Tencent Cloud and Alibaba Cloud from Linux servers. In March, the threat actor was using a dropper dubbed LSD that was controlled via Pastebin, but this summer Rocke switched to a new Command and Control (C2) infrastructure, moving away from Pastebin in favor of a self-hosted solution, according to researchers from cybersecurity firm Anomali.

“In September 2019, the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPS (DoH) if the DNS query fails,” the experts said. Serving the scripts from self-hosted infrastructure and DNS records makes the group’s operations harder to detect and harder to take down, they added.
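Detection logic in that spirit, as an added example that is not from the Anomali report or this page: it scans constructed DNS log lines for TXT answers that base64-decode to a shell script and for lookups of public DoH resolver hostnames (an assumed watch-list; the domains and payload below are made up).

```python
import base64
import binascii
import string
from typing import Dict, List

# Public DoH resolver hostnames; an assumed watch-list for this example, extend for your environment.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample data: no real domains, payloads or IoCs from the report are used.
# The third record carries a base64-encoded script, the pattern described above.
FAKE_SCRIPT = b"#!/bin/sh\n/tmp/run.sh\n"
SAMPLE_DNS_LOG = "\n".join([
    "1571200001\t10.0.0.5\tupdate.example-corp.internal\tA\t10.0.0.20",
    "1571200002\t10.0.0.5\t_dmarc.example.com\tTXT\tv=DMARC1; p=reject",
    "1571200003\t10.0.0.7\tcfg.loader-example.test\tTXT\t"
    + base64.b64encode(FAKE_SCRIPT).decode(),
    "1571200004\t10.0.0.7\tdns.google\tA\t8.8.8.8",
])


def decodes_to_script(txt: str) -> bool:
    """True if the TXT payload is valid base64 whose content looks like a script."""
    try:
        raw = base64.b64decode(txt, validate=True)  # DMARC/SPF text fails here
    except binascii.Error:
        return False
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not all(c in string.printable for c in text):
        return False
    # A shebang or multi-line printable text inside a TXT record is not normal DNS data.
    return text.startswith("#!") or "\n" in text


def scan_dns_log(log: str) -> List[Dict[str, str]]:
    """One finding per suspicious line: script-in-TXT answers and DoH resolver lookups."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer = line.split("\t", 4)
        if qtype == "TXT" and decodes_to_script(answer):
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "reason": "base64 script in TXT record"})
        elif qname in DOH_RESOLVERS:
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "reason": "lookup of public DoH resolver"})
    return findings


if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

A DoH lookup on its own is not malicious; correlate it with the preceding failed TXT query from the same client before alerting.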

In previous campaigns the Rocke group was observed exploiting the CVE-2019-3396 flaw in Confluence servers to gain remote code execution and deliver the miners, but recently the attackers added new functionality to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088, an ActiveMQ vulnerability that can allow an arbitrary file to be uploaded.

To ensure that only its own cryptomining malware runs on the infected host, the group tries to terminate all other processes with high CPU usage. The LSD malware identifies its miner by the MD5 hash of the file so that it does not kill its own miner.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity. It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future,” the researchers concluded.

Additional details about Rocke’s activity, including Indicators of Compromise (IoCs), are available in the Anomali blog post.
