New cryptomining malware removes cloud security products from systems

• A Linux cryptomining malware that uninstalls cloud security solutions, was discovered by cybersecurity firm Palo Alto Networks.
• The threat actor group behind the creation of the malware is identified as “Rocke”.

A cryptomining malware has now emerged which uninstalls various cloud security protection and monitoring products.

Research by experts at Palo Alto Networks' (PAN) Unit 42 division has revealed that this new form of malware is disrupting security services in Linux servers.

The researchers have identified the malware creator group as “Rocke", and have found that the coin mining application affects five cloud security solutions.

Malware removes security products

According to the firm’s research, the malware only removes the security products. “In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.” said the report.

Back in 2018, the Rocke group was reported by Cisco Talos. The modus operandi remained the same: mining cryptocurrency from flawed Linux machines.

Cloud security products by Tencent Cloud and Alibaba Cloud were the primary targets of this malware. However, PAN has informed Tencent Cloud and Alibaba Cloud of this flaw, and are collaboratively working to fix this threat.

The cryptomining malware is also packed with evasion techniques to avoid getting detected.

This malware variant by the Rocke group has specifically targeted public cloud infrastructure. A large scale attack of this kind could wreak havoc on systems present worldwide.