Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]

ID: G0106
Version: 1.0
Created: 26 May 2020
Last Modified: 19 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 Application Layer Protocol

Rocke issued wget requests from infected systems to the C2.[1]

.001 Web Protocols

Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1]

Enterprise T1037 Boot or Logon Initialization Scripts

Rocke has installed an "init.d" startup script to maintain persistence.[2]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.[1]

.006 Command and Scripting Interpreter: Python

Rocke has used Python-based malware to install and spread their coinminer.[2]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Rocke has installed a systemd service script to maintain persistence.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Rocke has extracted tar.gz files after downloading them from a C2 server.[1]

Enterprise T1190 Exploit Public-Facing Application

Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[1][3]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

Rocke has changed file permissions of files so they could not be modified.[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Rocke downloaded a file "libprocesshider", which could hide files on the target system.[1][3]

Enterprise T1574 .006 Hijack Execution Flow: LD_PRELOAD

Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Rocke used scripts which detected and uninstalled antivirus software.[1][3]

.004 Impair Defenses: Disable or Modify System Firewall

Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[1]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Rocke has changed the time stamp of certain files.[2]

.004 Indicator Removal on Host: File Deletion

Rocke has deleted files on infected machines.[2]

.002 Indicator Removal on Host: Clear Linux or Mac System Logs

Rocke has cleared log files within the /var/log/ folder.[2]

Enterprise T1105 Ingress Tool Transfer

Rocke used malware to download additional malicious files to the target system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Rocke has used shell scripts which download mining executables and saves them with the filename "java".[1]

Enterprise T1046 Network Service Scanning

Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[1][2]

Enterprise T1571 Non-Standard Port

Rocke's miner connects to a C2 server using port 51640.[2]

Enterprise T1027 Obfuscated Files or Information

Rocke has modified UPX headers after packing files to break unpackers.[2]

.002 Software Packing

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1][3][2]

.004 Compile After Delivery

Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[2]

Enterprise T1057 Process Discovery

Rocke can detect a running process's PID on the infected machine.[2]

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.[1]

Enterprise T1021 .004 Remote Services: SSH

Rocke has spread its coinminer via SSH.[2]

Enterprise T1018 Remote System Discovery

Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.[1]

Enterprise T1496 Resource Hijacking

Rocke has distributed cryptomining malware.[1][3]

Enterprise T1014 Rootkit

Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2]

Enterprise T1053 .003 Scheduled Task/Job: Cron

Rocke installed a cron job that downloaded and executed files from the C2.[1][3][2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Rocke used scripts which detected and uninstalled antivirus software.[1][3]

Enterprise T1082 System Information Discovery

Rocke has used uname -m to collect the name and information about the infected system's kernel.[2]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[2]

Enterprise T1102 Web Service

Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[2][1]

.001 Dead Drop Resolver

Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.[2]

References