2019/04/17 Advisory: Rocke Group Campaign

This page covers ongoing attacks and may be updated (latest: 2019-04-17).

The Rocke Group is a malicious actor focused on crypto-jacking. The actor is very versatile and targets hosts running vulnerable versions of applications such as "Jenkins", "Redis" and "Atlassian Confluence", and is very quick to incorporate exploits for newly disclosed vulnerabilities in other software. Once a host has been compromised, it is used to scan the LAN for additional victims and, eventually, for crypto-currency mining.

Attacker’s Tactics, Techniques, and Procedures (TTP)

The infection process is nearly identical for all victims:

  • The actor scans Internet-exposed hosts for known vulnerabilities;
  • Once the attacker has gained access to the host, a malicious script is downloaded from https://pastebin.com;
  • That script typically points recursively to further Pastebin pages, until the final Pastebin stage points to constantly changing image hosting websites. From there, an "LSD"-packed (a modified UPX packer) Golang binary, disguised as a JPG file, is downloaded;
  • Meanwhile, the infected host is configured for persistence via cronjobs, which can themselves be reinstalled by other pieces of the malware (e.g. a Golang binary or a shared library);
  • Whenever possible, the attacker escalates to root and attempts to cover their tracks and activities via LD_PRELOAD, log file deletion, etc.;
  • This Golang binary includes LAN scanning tools, enabling the attacker to pivot internally and scan for additional vulnerable systems on the victim's LAN, as well as an XMRig executable for the eventual crypto-currency mining;
  • The malicious Golang binary communicates with the IP of a custom mining pool.

Indicators of Compromise (IoCs)

Indicators of compromise are also available below in MISP JSON format.

Network

  • Initial network scan with exploit attempts from multiple IPs, including 144.34.132.17;
  • Upon infection, the payload is executed and fetches the victim's public IP address from http://ident[.]me.
    The user agent for this HTTP request is Go-http-client/1.1;
  • The payload scans the LAN on 22/tcp, 6379/tcp and 8080/tcp;
  • The payload contacts the private mining pool at systemten[.]org:51640 (104.248.53.213).
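As an added example (not part of the original advisory), the following POSIX shell script triages the network indicators above against constructed sample log lines. The proxy and flow log formats used here are invented for the example; the only indicator values are the ones the advisory gives (ident.me queried with the Go-http-client/1.1 user agent, the pool at 104.248.53.213:51640, and internal scans on 22/tcp, 6379/tcp and 8080/tcp).

```shell
#!/bin/sh
# Added example, not code from the advisory. Log formats below are constructed:
#   proxy log: "src_ip dst_host user_agent"
#   flow log:  "src_ip dst_ip dst_port"

# Constructed proxy log sample: one Go client beacon, one unrelated ident.me hit.
PROXY_LOG='10.0.0.5 ident.me Go-http-client/1.1
10.0.0.7 www.example.org Mozilla/5.0
10.0.0.9 ident.me curl/7.64.0'

# Constructed flow log sample: pool contact plus an internal sweep from 10.0.0.5.
FLOW_LOG='10.0.0.5 104.248.53.213 51640
10.0.0.5 10.0.0.21 6379
10.0.0.5 10.0.0.22 6379
10.0.0.5 10.0.0.23 22
10.0.0.7 10.0.0.30 443
10.0.0.9 10.0.0.40 8080'

# Public-IP lookup by the Go HTTP client: the first thing the payload does
# after execution. Prints the source address of each matching request.
find_ident_beacons() {
    printf '%s\n' "$1" | awk '$2 == "ident.me" && $3 == "Go-http-client/1.1" { print $1 }'
}

# Connections to the private mining pool address and port from the advisory.
find_pool_contacts() {
    printf '%s\n' "$1" | awk '$2 == "104.248.53.213" && $3 == "51640" { print $1 }'
}

# Sources that reach at least THRESHOLD distinct internal hosts on the ports
# the payload scans. A single hit on 22 or 8080 is normal; a fan-out is not.
# Prints "src_ip distinct_destinations".
find_lan_scanners() {
    threshold="${2:-2}"
    printf '%s\n' "$1" | awk -v t="$threshold" '
        ($3 == 22 || $3 == 6379 || $3 == 8080) && !seen[$1 SUBSEP $2]++ { n[$1]++ }
        END { for (s in n) if (n[s] >= t) print s, n[s] }'
}

# Stand-alone run over the constructed samples.
echo "ident.me beacons (Go-http-client/1.1):"; find_ident_beacons "$PROXY_LOG"
echo "mining pool contacts:";                   find_pool_contacts "$FLOW_LOG"
echo "possible LAN scanners:";                  find_lan_scanners "$FLOW_LOG" 2
```

The scanner check keys on distinct destinations per source rather than raw connection counts, so a busy legitimate client talking to one internal service repeatedly is not flagged; tune the threshold to the size of the subnet being monitored.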

File System

  • Check for malicious cronjobs for both root and the web application's / web server's local users: for example via:
    # crontab -l
    # less /etc/cron.d/root
    # less /var/spool/cron/root
    # less /var/spool/cron/crontabs/root
  • Check for malicious processes and files in /tmp, for example khugepaged and kerberods.

Golang payload

A partial analysis for the Golang payload is available at https://codimd.web.cern.ch/qIzwThJNTK-pl21J2Xmi-A#

References