Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1014 | Rootkit | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Rocke has used shell scripts which download mining executables and save them with the filename "java".[1] |
| Enterprise | T1543.002 | Create or Modify System Process: Systemd Service | Rocke has installed a systemd service script to maintain persistence.[2] |
| Enterprise | T1190 | Exploit Public-Facing Application | Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[1][3] |
| Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Rocke has extracted tar.gz files after downloading them from a C2 server.[1] |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | Rocke has installed an "init.d" startup script to maintain persistence.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.[1] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Rocke has used Python-based malware to install and spread their coinminer.[2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Rocke used scripts which detected and uninstalled antivirus software.[1][3] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[1] |
| Enterprise | T1071 | Application Layer Protocol | Rocke issued wget requests from infected systems to the C2.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.[2] |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Rocke has changed file permissions of files so they could not be modified.[2] |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Rocke has modified UPX headers after packing files to break unpackers.[2] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1][3][2] |
| Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[2] |
| Enterprise | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | |
| Enterprise | T1082 | System Information Discovery | Rocke has used uname -m to collect the name and information about the infected system's kernel.[2] |
| Enterprise | T1102 | Web Service | Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[2][1] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.[2] |
| Enterprise | T1046 | Network Service Discovery | Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[1][2] |
| Enterprise | T1496.001 | Resource Hijacking: Compute Hijacking | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Rocke used scripts which detected and uninstalled antivirus software.[1][3] |
| Enterprise | T1105 | Ingress Tool Transfer | Rocke used malware to download additional malicious files to the target system.[1] |
| Enterprise | T1057 | Process Discovery | Rocke can detect a running process's PID on the infected machine.[2] |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.[1] |
| Enterprise | T1021.004 | Remote Services: SSH | |
| Enterprise | T1018 | Remote System Discovery | Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.[1] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Rocke downloaded a file "libprocesshider", which could hide files on the target system.[1][3] |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | Rocke installed a cron job that downloaded and executed files from the C2.[1][3][2] |
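An added host audit, not part of the ATT&CK page or any vendor report, for the two Linux artifacts the Rootkit / Dynamic Linker Hijacking rows and the Masquerading row describe: unexpected entries in /etc/ld.so.preload and processes named "java" whose on-disk executable is not a JVM. The trusted library directories and the JVM path pattern are assumptions, and the sample inputs are constructed.

```python
"""Host audit for two Rocke artifacts: /etc/ld.so.preload entries and
"java"-named processes whose executable is not a JVM. Added example;
the trusted directories and JVM path pattern below are assumptions."""
import os
import re

# Assumption: a legitimately preloaded library lives under a system lib dir.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Assumption: a real JVM binary sits under a jvm/jdk/jre install directory.
JVM_PATH = re.compile(r"/(jvm|jdk|jre|java)[^/]*/.*bin/java$")

def audit_ld_preload(content: str) -> list:
    """Return preload entries outside trusted dirs or in hidden/tmp paths.
    Takes the file text so it can be tested without a live host."""
    findings = []
    for line in content.splitlines():
        entry = line.split("#", 1)[0].strip()      # drop comments/blanks
        if not entry:
            continue
        if (not entry.startswith(TRUSTED_LIB_DIRS) or "/." in entry
                or entry.startswith(("/tmp/", "/dev/shm/"))):
            findings.append(entry)
    return findings

def masqueraded_java(procs) -> list:
    """procs: iterable of (pid, comm, exe). Flag 'java' processes whose
    executable was deleted after start or is not a JVM binary."""
    flagged = []
    for pid, comm, exe in procs:
        if comm == "java" and (exe.endswith(" (deleted)") or not JVM_PATH.search(exe)):
            flagged.append((pid, exe))
    return flagged

def collect_procs():
    """Enumerate /proc (Linux only). A preloaded readdir hook can hide PIDs
    from this listing as well, so cross-check with a static binary or EDR."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            procs.append((int(pid), comm, os.readlink(f"/proc/{pid}/exe")))
        except OSError:           # process exited or not readable
            continue
    return procs

if __name__ == "__main__":
    text = open("/etc/ld.so.preload").read() if os.path.exists("/etc/ld.so.preload") else ""
    print("suspicious preload entries:", audit_ld_preload(text))
    print("java-named processes not backed by a JVM:", masqueraded_java(collect_procs()))
```

Because a preloaded readdir hook affects any libc-linked tool, including this script, treat an empty result from collect_procs() as unconfirmed until compared with a static binary or a kernel-side process view.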