A group of hackers that specializes in infecting servers with cryptocurrency mining software has started disabling security software agents used in cloud environments to evade detection. Known as Rocke in the security industry, the group has been active since at least April 2018 and is known for exploiting critical vulnerabilities in web application frameworks and servers like Apache Struts, Oracle WebLogic and Adobe ColdFusion.
Once inside a server, the attackers execute shell scripts that download and install Monero cryptocurrency mining malware for Linux or Windows, depending on the server's operating system. Researchers from Palo Alto Networks have analyzed recent samples of Rocke's Linux shell scripts, which are believed to be related to the Xbash malware developed by a different cybercrime group called Iron. Tool overlap between different groups is not unusual, especially since many attack tools are publicly available or are sold commercially in underground markets.
However, the analyzed Rocke samples have a new feature that hasn't been observed in coin-mining attacks before: Before deploying the coinminer, the malicious script searches for five different cloud security protection and monitoring products and uninstalls them from servers.
"These products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China that are expanding their business globally," the Palo Alto Networks researchers said in a report. "To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products. This also highlights a new challenge for products in the cloud workload protection platforms market defined by Gartner."
Shut out coinminer competitors and kill the security tools
Rocke's malicious shell script, known as a7, performs several tasks that lay the groundwork for the coin-mining operation. First, it sets up Linux cron jobs to achieve persistence at reboot. Then it searches for and kills other cryptocurrency mining processes and adds iptables (firewall) rules to block competing coinminers from running. Finally, it uninstalls agent-based cloud security products and only then it downloads its own coinmining program, executes it, hides its process and modifies its file date so it can't be easily found by incident responders.
The five security solutions targeted by the malware are:
- Alibaba Threat Detection Service agent
- Alibaba CloudMonitor agent, which monitors CPU, memory use and network connectivity
- Alibaba Cloud Assistant agent, which is used for automatic management of cloud instances
- Tencent Host Security agent
- Tencent Cloud Monitor agent
It seems that Rocke's detection evasion technique for cloud environments has evolved over time because earlier samples only tried to kill the Tencent Cloud Monitor process. When this proved ineffective the group took the agent uninstallation instructions from Tencent's and Alibaba's websites and implemented them.
The group has a habit of relying on open-source information and resources, a technique known in the security industry as living off the land. In past attacks, it has hosted its malicious files in source-code repositories on GitHub, GitLab and China-based Gitee and has used open-source tools such as IP scanners, proxies and brute-force kits. The group has also forked public repositories containing various exploits, including the NSA exploits leaked by the Shadow Brokers.
This new detection evasion technique aimed at cloud security agents is likely to be adopted by other cybercriminal groups and will probably be expanded to cover server security software from other vendors as well.
Ransomware and abusing servers and computers for unauthorized cryptocurrency mining are some of the most profitable and easy to implement attacks for cybercriminals, so they are likely to continue. In fact, the security industry has observed some groups switching from ransomware to coin mining or combining them both in the same attacks.
"The variant of the malware used by the Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure," the Palo Alto researchers said.