Chinese-speaking cybercrime gang Rocke changes tactics

Chinese-speaking cybercrime gang Rocke that carried out several large-scale cryptomining campaigns, has now using news tactics to evade detection.

Chinese-speaking cybercrime gang Rocke, that carried out several large-scale cryptomining campaigns in past, has now using news tactics to evade detection. The group has been observed using new tactics, techniques, and procedures (TTPs), it is also using updated malware to evade detection.

The cybercrime organization was first spotted in April 2018 by researchers at Cisco Talos, earlier 2019 researchers from Palo Alto Networks Unit42 found new malware samples used by the Rocke group for cryptojacking that uninstalls from Linux servers cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud.

In March, the group was using a dropper dubbed LSD that was controlled via Pastebin, but since this summer the threat actors have changed Command and Control (C2) infrastructure using a self-hosted solution.

The malicious code is used by the hackers to deliver a Moner (XMR) crypto miner that is not detected by almost any antivirus solution.

The Rocke group was also observed exploiting the CVE-2019-3396 flaw in Confluence servers to get remote code execution and deliver the miners.

“Rocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019.” reads the analysis published by the security firm Anomaly. “the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPs (DoH) if the DNS query fails. In addition to the C2 change, functionality was also added to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.”

The use of self-hosted and DNS records makes it hard to detect the group’s operations and takedowns. The new LSD sample was first spotted on September 17 as reported in the following graph.

The group also improved its LSD dropper by adding the malicious code to exploit CVE-2016-3088 in ActiveMQ servers.

In order to ensure that only its miner is running on the infected machine, the group attempt to kill any other processes with high CPU usage. The LSD malware analyzed the MD5 hash of the files to avoid killing its instance running on the system.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity,” concludes Anomali Labs.

“It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future.”

Technical details, including Indicators of Compromise, are reported in the analysis published by Anomali.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Rocke cybercrime gang, miner)

[adrotate banner=”5″]

[adrotate banner=”13″]