Rocke Group Adopts New Detection Bypass Methods

A Chinese cybercriminal group called Rocke, which has run numerous large-scale crypto mining campaigns, is now using new tactics, techniques, and procedures to bypass detection.

The criminals are using new C&C server infrastructure and updated malware to avoid detection.

Rocke is a financially motivated group first discovered in April 2018, when its operators exploited unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers and infected them with malware pulled from attacker-controlled Gitee and GitLab repositories.


According to researchers from Anomali Labs, in the summer of 2019 the criminals changed their C&C infrastructure, abandoning Pastebin in favor of their own self-hosted solution.

“The change in technique observed by Rocke is a step forward in regards to the threat actor’s overall sophistication. By moving from Pastebin to self-hosted and DNS records, the actor is better protected against potential takedowns, and its malicious operations may become more difficult to detect,” Anomali Labs specialists report.

Installation scripts were placed on the lsd.systemten[.]org and update.systemten[.]org domains. In September, the operators stopped hosting scripts on dedicated servers and started storing them in DNS TXT records. The records are retrieved through regular DNS queries, or over DNS-over-HTTPS (DoH) if the plain DNS query fails.
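A defender-side illustration of the delivery change described above, added here as an example and not code from the report or the group: it scans constructed resolver and proxy log lines for TXT answers that decode to script-like text, lookups of the two domains the report names, and clients reaching the RFC 8484 `/dns-query` DoH path. The log formats, field layouts and the `doh.resolver.example` host are assumptions.

```python
"""Hypothetical detector (added example, not Anomali's or Rocke's code) for script delivery via DNS TXT."""
import base64
import re

# Constructed resolver log: timestamp client qtype qname answer (TXT data quoted)
DNS_LOG = """\
2019-09-10T08:00:01Z 10.0.0.5 A www.example.com 93.184.216.34
2019-09-10T08:00:02Z 10.0.0.7 TXT lsd.systemten.org "IyEvYmluL2Jhc2gK"
2019-09-10T08:00:03Z 10.0.0.7 TXT _dmarc.example.com "v=DMARC1; p=none"
2019-09-10T08:00:04Z 10.0.0.9 TXT update.systemten.org "IyEvYmluL3NoCg=="
"""
# Constructed egress proxy log: client method url (RFC 8484 DoH uses the /dns-query path)
PROXY_LOG = """\
10.0.0.7 POST https://doh.resolver.example/dns-query
10.0.0.5 GET https://www.example.com/index.html
"""
WATCHLIST = {"lsd.systemten.org", "update.systemten.org"}  # domains named in the report
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def looks_like_script(txt: str) -> bool:
    """True if TXT data is base64 that decodes to shebang-led or multi-line text."""
    if not B64_RE.match(txt):
        return False
    try:
        body = base64.b64decode(txt, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return body.startswith("#!") or "\n" in body.strip()

def flag_txt_queries(log: str) -> list[dict]:
    """Return TXT lookups that hit the watchlist, carry script-like data, or are oversized."""
    hits = []
    for line in log.strip().splitlines():
        _ts, client, qtype, qname, answer = line.split(maxsplit=4)
        if qtype != "TXT":
            continue
        txt = answer.strip('"')
        reasons = [r for ok, r in ((qname.lower() in WATCHLIST, "watchlist"),
                                   (looks_like_script(txt), "script-like TXT"),
                                   (len(txt) > 255, "oversized TXT")) if ok]
        if reasons:
            hits.append({"client": client, "qname": qname, "reasons": reasons})
    return hits

def flag_doh_clients(log: str) -> set[str]:
    """Hosts talking to a DoH endpoint: on a server fleet, a plain-DNS fallback worth reviewing."""
    return {c for c, _m, url in (l.split() for l in log.strip().splitlines()) if url.endswith("/dns-query")}

if __name__ == "__main__":
    print(flag_txt_queries(DNS_LOG), flag_doh_clients(PROXY_LOG))
```

The two constructed TXT payloads decode to a bare shebang line each, which is enough to trip the script-like check; a real record would be far longer and also trip the size check.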

In addition, the group added a new feature to its LSD malware to exploit the vulnerability CVE-2016-3088 in Apache ActiveMQ servers. The malware sets up a Monero (XMR) mining process on compromised systems and also tracks and terminates any other processes that are actively consuming CPU resources.

Cryptojacking is the covert mining of cryptocurrency on other people’s computing resources. The threat appeared relatively recently and is developing rapidly, taking on new forms. Cryptojacking covers mining through other people’s browsers and on devices of any type, from desktop computers and laptops to smartphones and network servers.

Recommendations from Anomali Labs
Enterprises with internet-facing services should ensure all software is always up to date and that no weak passwords are used. While illicit cryptocurrency mining can be seen as a minor issue, it could lead to increased resource drain and earlier hardware failure. In addition, it is possible that Rocke, or other cryptomining threat actors, could change the payload from a cryptominer to something more dangerous, such as ransomware or a Remote Access Trojan (RAT). Therefore, it is paramount to take steps to mitigate the possibility of Rocke-styled campaigns.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
