Rocke Threat Actor Group Switches to New Tactics to Evade Detection

• The Chinese group has changed its Command and Control infrastructure (C&C server).
• It has made some updates to the LSD malware’s source code that includes the addition of the “StartHttpServer” function.

What is the problem?

Researchers have observed that the Chinese cryptomining threat actor group Rocke has changed its tactics, techniques, and procedures (TTPs), to evade detection.

What do we know about the group?

Rocke is a threat actor group that primarily focuses on cryptocurrency mining on compromised machines. This threat group was first spotted by researchers from Cisco Talos in August 2018. This group is known for using malware written in Go.

What’s new?

Rocke has made new updates to its tactics, which include:

• The Chinese group has changed its Command and Control infrastructure (C&C server).
• The group has changed its technique from using “Pastebin” to self-hosting the initial setup script.
• It has made some updates to the LSD malware source code that includes the addition of the “StartHttpServer” function.
• After this change, the malware starts a web server that is listening on localhost and TCP port 65533.
• Rocke has also added a new functionality to the LSD malware for exploiting Jenkins servers.
• Instead of hosting the setup script and update the version on a dedicated host, the threat group is using TXT records.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity. It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future,” researchers noted.