Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]

ID: G0106
Version: 1.0
Created: 26 May 2020
Last Modified: 19 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 Application Layer Protocol

Rocke issued wget requests from infected systems to the C2.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1]

Enterprise T1037 Boot or Logon Initialization Scripts

Rocke has installed an "init.d" startup script to maintain persistence.[2]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.[1]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Rocke has used Python-based malware to install and spread their coinminer.[2]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Rocke has installed a systemd service script to maintain persistence.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Rocke has extracted tar.gz files after downloading them from a C2 server.[1]

Enterprise T1190 Exploit Public-Facing Application

Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[1][3]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

Rocke has changed file permissions of files so they could not be modified.[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Rocke downloaded a file "libprocesshider", which could hide files on the target system.[1][3]

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

Rocke has modified /etc/ to hook libc functions in order to hide the installed dropper and mining software in process lists.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Rocke used scripts which detected and uninstalled antivirus software.[1][3]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[1]

Enterprise T1070 .002 Indicator Removal: Clear Linux or Mac System Logs

Rocke has cleared log files within the /var/log/ folder.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Rocke has deleted files on infected machines.[2]

Enterprise T1070 .006 Indicator Removal: Timestomp

Rocke has changed the time stamp of certain files.[2]

Enterprise T1105 Ingress Tool Transfer

Rocke used malware to download additional malicious files to the target system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Rocke has used shell scripts which download mining executables and save them under the filename "java".[1]

Enterprise T1046 Network Service Discovery

Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[1][2]

Enterprise T1571 Non-Standard Port

Rocke's miner connects to a C2 server using port 51640.[2]

Enterprise T1027 Obfuscated Files or Information

Rocke has modified UPX headers after packing files to break unpackers.[2]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1][3][2]

Enterprise T1027 .004 Obfuscated Files or Information: Compile After Delivery

Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[2]

Enterprise T1057 Process Discovery

Rocke can detect a running process's PID on the infected machine.[2]

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.[1]

Enterprise T1021 .004 Remote Services: SSH

Rocke has spread its coinminer via SSH.[2]

Enterprise T1018 Remote System Discovery

Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.[1]

Enterprise T1496 Resource Hijacking

Rocke has distributed cryptomining malware.[1][3]

Enterprise T1014 Rootkit

Rocke has modified /etc/ to hook libc functions in order to hide the installed dropper and mining software in process lists.[2]

Enterprise T1053 .003 Scheduled Task/Job: Cron

Rocke installed a cron job that downloaded and executed files from the C2.[1][3][2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Rocke used scripts which detected and uninstalled antivirus software.[1][3]

Enterprise T1082 System Information Discovery

Rocke has used uname -m to collect the name and information about the infected system's kernel.[2]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[2]

Enterprise T1102 Web Service

Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[2][1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.[2]