G0106 Rocke
Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]
| Item | Value |
|---|---|
| ID | G0106 |
| Associated Names | |
| Version | 1.0 |
| Created | 26 May 2020 |
| Last Modified | 19 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | Rocke issued wget requests from infected systems to the C2.[1] |
| enterprise | T1071.001 | Web Protocols | Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.[2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1] |
| enterprise | T1037 | Boot or Logon Initialization Scripts | Rocke has installed an "init.d" startup script to maintain persistence.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.[1] |
| enterprise | T1059.006 | Python | Rocke has used Python-based malware to install and spread their coinminer.[2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.002 | Systemd Service | Rocke has installed a systemd service script to maintain persistence.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Rocke has extracted tar.gz files after downloading them from a C2 server.[1] |
| enterprise | T1190 | Exploit Public-Facing Application | Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[1][3] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Rocke has changed file permissions of files so they could not be modified.[2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Rocke downloaded a file "libprocesshider", which could hide files on the target system.[1][3] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.006 | Dynamic Linker Hijacking | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Rocke used scripts which detected and uninstalled antivirus software.[1][3] |
| enterprise | T1562.004 | Disable or Modify System Firewall | Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.002 | Clear Linux or Mac System Logs | Rocke has cleared log files within the /var/log/ folder.[2] |
| enterprise | T1070.004 | File Deletion | Rocke has deleted files on infected machines.[2] |
| enterprise | T1070.006 | Timestomp | Rocke has changed the time stamp of certain files.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Rocke used malware to download additional malicious files to the target system.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Rocke has used shell scripts which download mining executables and save them with the filename "java".[1] |
| enterprise | T1046 | Network Service Discovery | Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[1][2] |
| enterprise | T1571 | Non-Standard Port | Rocke's miner connects to a C2 server using port 51640.[2] |
| enterprise | T1027 | Obfuscated Files or Information | Rocke has modified UPX headers after packing files to break unpackers.[2] |
| enterprise | T1027.002 | Software Packing | Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[1][3][2] |
| enterprise | T1027.004 | Compile After Delivery | Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[2] |
| enterprise | T1057 | Process Discovery | Rocke can detect a running process's PID on the infected machine.[2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.002 | Portable Executable Injection | Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.[1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.004 | SSH | Rocke has spread its coinminer via SSH.[2] |
| enterprise | T1018 | Remote System Discovery | Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.[1] |
| enterprise | T1496 | Resource Hijacking | Rocke has distributed cryptomining malware.[1][3] |
| enterprise | T1014 | Rootkit | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | Rocke installed a cron job that downloaded and executed files from the C2.[1][3][2] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Rocke used scripts which detected and uninstalled antivirus software.[1][3] |
| enterprise | T1082 | System Information Discovery | Rocke has used uname -m to collect the name and information about the infected system's kernel.[2] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.004 | Private Keys | Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.[2] |
| enterprise | T1102 | Web Service | Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[2][1] |
| enterprise | T1102.001 | Dead Drop Resolver | Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.[2] |
References
1. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
2. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
3. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.