New Threat Actor ‘Rocke’: A Rising Monero Cryptomining Menace

Researchers are warning of a Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.

Researchers at Cisco Talos, who discovered the threat actor they call “Rocke”, said they have been tracking the adversary since April as it continues to plant various Monero miners on vulnerable systems. Rocke’s hallmark is the enlisting of toolkits that leverage Git repositories, HTTP File Servers (HFS) and a myriad of different payloads. The name Rocke was derived the the group’s Monero wallet that includes “[email protected]”.

“Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines,” the research team said in a post Thursday. “It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware.”

Cisco Talos said it first spotted the threat actor in April 2018 when its malware was found in both Western and Chinese honeypots attempting to exploit the an Apache Struts vulnerability.

A user named “c-000” first downloaded several files to the researchers’ Struts 2 honeypot from the Chinese repository site (Gitee.com), researchers said. At the same time another user named “c-18” pulled down files in similar activity from a GitLab.com repository page. The repositories on both Gitee and GitLab were identical, leading researchers to determine they were the same actor. The repositories also contained similar files such as an array of ELF executables, shell scripts, and text files. Each executed and a variety of Monero-based cryptocurrency miners.

“After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors,” wrote David Liebenberg, senior threat analyst, who authored the Cisco Talos report.

Researchers said they found the same threat actor exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting a critical Java deserialization vulnerability in the Adobe ColdFusion platform (CVE-2017-3066).

Recent Campaigns

As recently as late July, researchers said they discovered another similar campaign on their Struts 2 honeypot. The honeypot received a wget request (a command for downloading files from the internet) for a file called “0720.bin.” When researchers did some digging and visited the host this file was located on, they discovered that it contained a slew of additional files, including shell scripts and cryptominers.

Those files included an Executable and Linkable (ELF) file called “3307.bin,” a shell script called “a7” that kills a variety of processes related to other cryptomining malware, as well as shell scripts “lowerv2.sh” and “rootv2.sh,” which  attempt to download and execute cryptomining malware.

They also found a file called “config.json,” which is a mining config file for open-source Monero miner XMRig. Another file, “Pools.txt,” appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. Both miners have the same mining pool and wallet information.

Other miners in the files include “Bashf,” a variant of XMR-stak, and “bashg,” a variant of XMRig.

Finally, Cisco Talos said it found a file dubbed “TermsHost.exe,” a PE 32 Monero miner, which researchers said can be purchased online for $14 and targets malicious actors: “Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into ‘Windows processes to bypass firewalls,’” Liebenberg wrote.

The sample first grabs the config file “xmr.txt” containing the same configuration information as the previous files, from Rocke’s command-and-control (C2) server, and then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool.

“Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system,” researchers said.

Threat Actor

Liebenberg said Cisco Talos was able to discover more about Rocke through several emails associated with the threat actor’s MinerGate Monero wallet ([email protected] and [email protected]): “The majority of websites registered to Rocke list Jiangxi Province addresses for their registration,” he said. “Some of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food… It is possible that the ‘jx’ in [email protected] stands for Jiangxi. Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.”

The payload is similar to one used by the Iron Cybercrime Group, Cisco Talos said: “Both Iron and Rocke’s malware behave similarly, and reach out to similar infrastructure,” they said. “So, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group.”

Liebenberg pointed to cryptomining malware as increasing in popularity, with the Rocke threat actor an example of varying methods to download and execute various malware.

“Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,” they said. “Rocke’s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.”