Intezer - Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud

Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud

Written by Ignacio Sanmillan

    First Name
    Last Name
    Job Title
    Company
    Email
    Country

    Join our free community
    Get started
    Share Article
    FacebookTwitterLinkedIn

    Pacha Group is a crypto-mining threat actor we at Intezer discovered and profiled in a blog post published on February 28, 2019. This threat actor targeted Linux servers dating back to September 2018 and implemented advanced evasion and persistence techniques.

    We have continued to monitor this threat actor and new findings show that Pacha Group is also targeting cloud-based environments and conducting great efforts to disrupt other crypto-mining groups, namely Rocke Group who is also known to target cloud environments.

    We believe that these findings are relevant within the context of bringing awareness about cloud-native threats and our research may imply that cloud environments are increasingly becoming a common target for adversaries.

    Technical Analysis
    In monitoring Pacha Group we have identified new, undetected Linux.GreedyAntd variants that share code with previous variants.

    Technical Analysis

    Despite sharing nearly 30% of code with previous variants, detection rates of the new Pacha Group variants are low:

    Pacha Group

    The main malware infrastructure appears to be identical to previous Pacha Group campaigns, although there is a distinguishable effort to detect and mitigate Rocke Group’s implants. Rocke Group was first reported by Cisco Talos researchers and has deployed sophisticated crypto-mining campaigns in Linux servers and cloud-based environments as reported by Palo Alto Unit 42. The following image is a blacklist of miners in which Linux.GreedyAntd searches to eradicate. We have recognized several file names in this blacklist known to be used for Rocke Group’s implants:

    Rocke Group's implant

    Furthermore, there are other strings within this file path blacklist which are used to search for and disable cloud protection solutions, such as Alibaba Server Guard Agent. Strings of malware implants known to have abused the Atlassian vulnerability were also found. Rocke Group is known to hunt for similar security products and to have abused the same vulnerability.

    Rocke Group

    Another interesting update in Pacha Group’s infrastructure in comparison to previous campaigns is that further implants would only be able to be downloaded from Pacha Group’s servers if the HTTP GET request was completed with a specific User-Agent. In the following screenshot we can see how files can not be downloaded unless the correct User-Agent is used:

    Pacha Group

    In addition, Pacha Group’s component update seems to include a lightweight user-mode rootkit known as Libprocesshider, which is an open source project hosted on GitHub and has also been used by Rocke Group.

    Pacha Group

    The malware updates /etc/ld.preload to include the path of the dropped library masquerading libconv.so, a unicode conversion library.
    The malware updates /etc/ld.preload to include the path of the dropped library masquerading libconv

    This shared object will export customized versions of readdir and readdir64 functions that will attempt to hide a process name from /proc filesystem of one of the main components of the malware’s infrastructure, in charge to download further implants in intervals along with enforcing process, file path and IP blacklisting:

    Along with process and file path blacklisting measures seen in previous variants, we also observed that newer variants implement IP blacklisting using an interesting technique.

    Right after process and file path black listing has been accomplished, we find the following code:

    Each of the IPs in the blacklist IP table is decoded and then added to the system routing table with host scope via ioctl.

    This is more conveniently shown by observing the following system call trace:

    effect of this methodology

    When we check the routing table of a compromised system we see the following:

    effect of this methodology

    Each of the decoded IPs have been added to the routing table with host scope. This implies that when any of these IPs will be requested, each request will be routed back to the host to be resolved instead of redirecting them to the gateway, causing a failure in the routing process.

    In the following screenshot we can see the effect of this methodology by using the ping utility:

    effect of this methodology

    After analyzing the IP blacklist we discovered that some of these IPs, even though they may not necessarily be malicious, are known to have been used by Rocke Group in the past. As an example, systemten.org is in this blacklist and it is known that Rocke Group has used this domain for their crypto-mining operations. The following are some domains that correspond to their hardcoded IPs in Linux.GreedyAntd’s blacklist that have Rocke Group correlations:

    Rocke Group

    Conclusion
    We have presented evidence that Pacha Group is targeting cloud-based environments and being especially aggressive towards Rocke Group. We have based this conclusion on the process blacklist used by Pacha Group and the newly added IP blacklist which contains Rocke Group correlated artifacts.

    We have also provided a YARA rule in order to detect Pacha Group’s Linux.GreedyAntd implants based on reused code among the implants.

    For additional recommendations on how to mitigate this threat, please refer to our non-technical blog post on this subject: https://www.intezer.com//blog-competition-for-cryptocurrency-mining-foothold-on-the-cloud.

    Cloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers. Unfortunately the detection rates of Linux-based malware remain low and the security community needs more awareness in order to more effectively mitigate these threats.

    IOCs

    195.154.187[.]169
    165.227.140[.]184
    f46a9d2c3c9bfcc409534e0856f4614d6b42e792134dcf0f40df7295a777c879
    d2e373c1341a28e18158272208a15decfa397640b6092b56158e0f52e4ff73a4
    c098d5aeef316c3564b0b40a8a102147dae9c606fa92a2e2f0ad5c94cfe30222
    42612f41befc57619646da5e91e7758dcc83cbaafbe5fdfa19d9f43a71f2504f
    ce10e7a0fb517309b1e1141b44d3f9f7759e0f8889c0392774a5869f41006a3f
    d94a6537adcea2f8ef3ed5ed41a548bc2b26b3acdeca9aaf6da4c933e7f47174
    f83d75ab09634a7b818ef87c6509cca2c6f26f5f65b8d3448ebc86b52be62253
    e5f6fbeb3981c9dfa126dc0a71a0aa41b56a09a89228659a7ea5f32aff4b2058

    GreedyAntd Embedded IP Blacklist
    The following are IPs that the Pacha Group attempts to block to prevent operation of other crypto-mining implants (notice not to block these IPs. See the IPs to block in the above IOCs section):

    139.99.120[.]73
    47.95.85[.]22
    62.210.75[.]99
    113.55.8[.]24
    62.210.75[.]99
    42.56.76[.]104
    198.204.231[.]250
    47.90.213[.]21
    116.62.232[.]226
    134.209.104[.]20
    198.12.156[.]218
    207.148.76[.]229
    188.165.254[.]85
    58.56.187[.]66
    89.35.39[.]78
    37.139.22[.]136
    37.44.212[.]223
    54.36.137[.]146
    139.99.120[.]50
    37.120.131[.]220
    104.20.209[.]21
    198.12.156[.]218
    34.196.173[.]143
    34.193.88[.]221
    35.168.52[.]211
    104.248.4[.]162
    130.61.54[.]136
    139.99.120[.]50
    198.12.156[.]218
    166.62.38[.]167
    185.193.125[.]146
    132.148.148[.]79
    188.165.254[.]85
    104.20.208[.]21
    37.187.95[.]110
    158.69.25[.]62
    104.31.93[.]26
    104.25.140[.]10
    60.191.25[.]101
    104.248.53[.]213
    60.191.13[.]119
    104.130.210[.]206
    193.56.28[.]207
    37.187.95[.]110
    89.35.39[.]78
    81.4.122[.]134
    37.44.212[.]223
    148.251.133[.]246
    52.41.214[.]241
    52.25.124[.]181
    54.68.226[.]153
    136.243.89[.]164
    104.20.209[.]21
    176.9.2[.]144
    37.59.43[.]136
    78.46.89[.]102
    37.59.45[.]174
    91.121.2[.]76
    176.9.53[.]68
    37.59.55[.]60
    178.63.48[.]196
    37.187.154[.]79
    37.59.44[.]93
    78.46.91[.]134
    37.59.54[.]205
    23.175.0[.]142
    104.140.244[.]186
    136.243.102[.]157
    5.254.96[.]150
    51.15.56[.]161

    Ignacio Sanmillan

    Nacho is a security researcher specializing in reverse engineering and malware analysis. Nacho plays a key role in Intezer\'s malware hunting and investigation operations, analyzing and documenting new undetected threats. Some of his latest research involves detecting new Linux malware and finding links between different threat actors. Nacho is an adept ELF researcher, having written numerous papers and conducting projects implementing state-of-the-art obfuscation and anti-analysis techniques in the ELF file format.

    © Intezer.com 2021 All rights reserved