
G0106 Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed. [1]

ID: G0106
Associated Names: none listed
Version: 1.0
Created: 26 May 2020
Last Modified: 19 June 2020

Techniques Used

All entries below are Enterprise ATT&CK techniques. Rows marked "(parent technique)" have no separate use recorded; the observed behaviour is listed under their sub-techniques. Bracketed numbers are the page's reference indices.

T1071 Application Layer Protocol: Rocke issued wget requests from infected systems to the C2. [1]
T1071.001 Web Protocols: Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol. [3]
T1547 Boot or Logon Autostart Execution: (parent technique)
T1547.001 Registry Run Keys / Startup Folder: Rocke's miner has created UPX-packed files in the Windows Start Menu Folder. [1]
T1037 Boot or Logon Initialization Scripts: Rocke has installed an "init.d" startup script to maintain persistence. [3]
T1059 Command and Scripting Interpreter: (parent technique)
T1059.004 Unix Shell: Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware. [1]
T1059.006 Python: Rocke has used Python-based malware to install and spread their coinminer. [3]
T1543 Create or Modify System Process: (parent technique)
T1543.002 Systemd Service: Rocke has installed a systemd service script to maintain persistence. [3]
T1140 Deobfuscate/Decode Files or Information: Rocke has extracted tar.gz files after downloading them from a C2 server. [1]
T1190 Exploit Public-Facing Application: Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware. [1][2]
T1222 File and Directory Permissions Modification: (parent technique)
T1222.002 Linux and Mac File and Directory Permissions Modification: Rocke has changed file permissions of files so they could not be modified. [3]
T1564 Hide Artifacts: (parent technique)
T1564.001 Hidden Files and Directories: Rocke downloaded a file "libprocesshider", which could hide files on the target system. [1][2]
T1574 Hijack Execution Flow: (parent technique)
T1574.006 Dynamic Linker Hijacking: Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. [3]
T1562 Impair Defenses: (parent technique)
T1562.001 Disable or Modify Tools: Rocke used scripts which detected and uninstalled antivirus software. [1][2]
T1562.004 Disable or Modify System Firewall: Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers. [1]
T1070 Indicator Removal on Host: (parent technique)
T1070.002 Clear Linux or Mac System Logs: Rocke has cleared log files within the /var/log/ folder. [3]
T1070.004 File Deletion: Rocke has deleted files on infected machines. [3]
T1070.006 Timestomp: Rocke has changed the time stamp of certain files. [3]
T1105 Ingress Tool Transfer: Rocke used malware to download additional malicious files to the target system. [1]
T1036 Masquerading: (parent technique)
T1036.005 Match Legitimate Name or Location: Rocke has used shell scripts which download mining executables and save them with the filename "java". [1]
T1046 Network Service Discovery: Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers. [1][3]
T1571 Non-Standard Port: Rocke's miner connects to a C2 server using port 51640. [3]
T1027 Obfuscated Files or Information: Rocke has modified UPX headers after packing files to break unpackers. [3]
T1027.002 Software Packing: Rocke's miner has created UPX-packed files in the Windows Start Menu Folder. [1][2][3]
T1027.004 Compile After Delivery: Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC). [3]
T1057 Process Discovery: Rocke can detect a running process's PID on the infected machine. [3]
T1055 Process Injection: (parent technique)
T1055.002 Portable Executable Injection: Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe. [1]
T1021 Remote Services: (parent technique)
T1021.004 SSH: Rocke has spread its coinminer via SSH. [3]
T1018 Remote System Discovery: Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them. [1]
T1496 Resource Hijacking: Rocke has distributed cryptomining malware. [1][2]
T1014 Rootkit: Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. [3]
T1053 Scheduled Task/Job: (parent technique)
T1053.003 Cron: Rocke installed a cron job that downloaded and executed files from the C2. [1][2][3]
T1518 Software Discovery: (parent technique)
T1518.001 Security Software Discovery: Rocke used scripts which detected and uninstalled antivirus software. [1][2]
T1082 System Information Discovery: Rocke has used uname -m to collect the name and information about the infected system's kernel. [3]
T1552 Unsecured Credentials: (parent technique)
T1552.004 Private Keys: Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network. [3]
T1102 Web Service: Rocke has used Pastebin, Gitee, and GitLab for Command and Control. [3][1]
T1102.001 Dead Drop Resolver: Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware. [3]
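A host check a defender can run for the /etc/ld.so.preload process hiding recorded under T1574.006 and T1014 above. This is an added example, not code from the ATT&CK page or from Rocke's tooling; the preload file path is the one the page names, and the library path in the comments is a constructed placeholder.

```python
"""Detect readdir()-based process hiding driven by /etc/ld.so.preload.

A preloaded hooking library (such as the "libprocesshider" the page
mentions) makes libc's readdir() skip chosen /proc entries, so ps, top
and os.listdir() omit them. The entries still exist, so stat()ing
/proc/<pid> for every candidate PID bypasses the hook and exposes the
gap. This module compares both views and lists what is preloaded.
"""
import os

LD_PRELOAD_FILE = "/etc/ld.so.preload"  # path named on the ATT&CK page


def parse_ld_so_preload(text):
    """Return the library paths listed in ld.so.preload content.

    glibc's loader separates entries by whitespace or ':' and treats
    '#' to end of line as a comment. An empty list means nothing is
    preloaded, which is the expected state on a clean host.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def readdir_view():
    """PIDs as a libc directory listing reports them (the hookable view)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probe_view(max_pid=None):
    """PIDs found by probing /proc/<n> directly; stat() is not hooked by
    readdir-only hiders, so this view is the ground truth."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    return {n for n in range(1, max_pid + 1) if os.path.exists(f"/proc/{n}")}


def find_hidden_pids(listed, probed):
    """PIDs present on the system but missing from the listing."""
    return sorted(probed - listed)


if __name__ == "__main__":
    if os.path.exists(LD_PRELOAD_FILE):
        with open(LD_PRELOAD_FILE) as fh:
            print("preloaded libraries:", parse_ld_so_preload(fh.read()))
    else:
        print("no", LD_PRELOAD_FILE, "present")
    print("hidden PIDs:", find_hidden_pids(readdir_view(), probe_view()))
```

Probing every PID up to pid_max takes a few seconds on hosts where pid_max is 4194304; any non-empty hidden list, or any unexpected preloaded library, warrants an offline look at the preload file and its referenced library.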
