Rocke
Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | Application Layer Protocol |
Rocke issued wget requests from infected systems to the C2.[1] |
|
| .001 | Web Protocols |
Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.[2] |
||
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1] |
| Enterprise | T1037 | Boot or Logon Initialization Scripts |
Rocke has installed an "init.d" startup script to maintain persistence.[2] |
|
| Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell |
Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.[1] |
| .006 | Command and Scripting Interpreter: Python |
Rocke has used Python-based malware to install and spread their coinminer.[2] |
||
| Enterprise | T1543 | .002 | Create or Modify System Process: Systemd Service |
Rocke has installed a systemd service script to maintain persistence.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Rocke has extracted tar.gz files after downloading them from a C2 server.[1] |
|
| Enterprise | T1190 | Exploit Public-Facing Application |
Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[1][3] |
|
| Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
Rocke has changed file permissions of files so they could not be modified.[2] |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Rocke downloaded a file "libprocesshider", which could hide files on the target system.[1][3] |
| Enterprise | T1574 | .006 | Hijack Execution Flow: Dynamic Linker Hijacking |
Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2] |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Rocke used scripts which detected and uninstalled antivirus software.[1][3] |
| .004 | Impair Defenses: Disable or Modify System Firewall |
Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[1] |
||
| Enterprise | T1070 | .002 | Indicator Removal on Host: Clear Linux or Mac System Logs | |
| .004 | Indicator Removal on Host: File Deletion | |||
| .006 | Indicator Removal on Host: Timestomp | |||
| Enterprise | T1105 | Ingress Tool Transfer |
Rocke used malware to download additional malicious files to the target system.[1] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Rocke has used shell scripts which download mining executables and saves them with the filename "java".[1] |
| Enterprise | T1046 | Network Service Scanning |
Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[1][2] |
|
| Enterprise | T1571 | Non-Standard Port | ||
| Enterprise | T1027 | Obfuscated Files or Information |
Rocke has modified UPX headers after packing files to break unpackers.[2] |
|
| .002 | Software Packing |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1][3][2] |
||
| .004 | Compile After Delivery |
Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[2] |
||
| Enterprise | T1057 | Process Discovery |
Rocke can detect a running process's PID on the infected machine.[2] |
|
| Enterprise | T1055 | .002 | Process Injection: Portable Executable Injection |
Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.[1] |
| Enterprise | T1021 | .004 | Remote Services: SSH | |
| Enterprise | T1018 | Remote System Discovery |
Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.[1] |
|
| Enterprise | T1496 | Resource Hijacking | ||
| Enterprise | T1014 | Rootkit |
Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2] |
|
| Enterprise | T1053 | .003 | Scheduled Task/Job: Cron |
Rocke installed a cron job that downloaded and executed files from the C2.[1][3][2] |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Rocke used scripts which detected and uninstalled antivirus software.[1][3] |
| Enterprise | T1082 | System Information Discovery |
Rocke has used uname -m to collect the name and information about the infected system's kernel.[2] |
|
| Enterprise | T1552 | .004 | Unsecured Credentials: Private Keys |
Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[2] |
| Enterprise | T1102 | Web Service |
Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[2][1] |
|
| .001 | Dead Drop Resolver |
Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.[2] |
||