A Chinese cybercriminal group called Rocke, which has organized numerous large-scale crypto mining campaigns, is now using new tactics, procedures, and methods to bypass detection.
Criminals use the new C&C server infrastructure and updated malware to avoid detection.Rocke is a financially motivated group that was first discovered in April 2018, when criminals exploited the unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers and infected malware from malicious cybercriminals controlled by Gitee and GitLab repositories.
Read also: Researchers have discovered more than a dozen vulnerabilities in the Schneider Electric Modicon PLC
According to researchers from Anomali Labs, in the summer of 2019, criminals changed their C&C infrastructure and refused to use Pastebin in favor of their own autonomous solution.
“The change in technique observed by Rocke is a step forward in regards to the threat actor’s overall sophistication. By moving from Pastebin to self-hosted and DNS records, the actor is better protected against potential takedowns, and its malicious operations may become more difficult to detect”, — report Anomali Labs specialists.
Installation scripts were placed on the lsd.systemten [.] Org and update.systemten [.] Org domains. In September, operators refused to host scripts on dedicated servers and started using text records of the domain name system (DNS). Records are accessed through regular DNS queries or the DNS-over-HTTP (DoH) protocol in the event of a DNS query failure.
In addition, the grouping added a new feature to its LSD malware to exploit vulnerability CVE-2016-3088 in Apache ActiveMQ servers. The malware helps operators set up the Monero mining process (XMR) on compromised systems, as well as tracks and removes all processes that actively use CPU resources.
Reference:
Crypto jacking is a method of hidden cryptocurrency mining at other people’s capacities. The threat has appeared relatively recently and is developing rapidly, acquiring new forms. Crypto jacking includes mining using other people’s browsers and devices of any type – from desktop computers and laptops to smartphones and network servers.
Enterprises with internet-facing services should ensure all the software is always up-to-date and that no weak passwords are used. While illicit cryptocurrency mining can be seen as a minor issue, it could lead to increased resource drain and earlier hardware failure. In addition, it is possible that Rocke, or other cryptomining threat actors could change the payload from a cryptominer to something more dangerous, such as ransomware or a Remote Access Trojan (RAT). Therefore, it is paramount to take steps to mitigate the possibility of Rocke-styled campaigns.