Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1][2]

Techniques Used

Domain ID Name Use
Enterprise VT0012.001 Command and Scripting Interpreter: Unix Shell

Rocke used shell scripts to run commands that established persistence and executed the cryptocurrency mining malware.[1]

Enterprise VT0003 Exploit Public-Facing Application

Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[1][3]

Enterprise VT0024 Network Service Scanning

Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[1][4]

Enterprise VT0020.001 Remote Services: SSH

Rocke moves laterally across the network through SSH to infect further machines with a cryptominer.[5][6][7]

Enterprise VT0034 Remote System Discovery

Rocke looks for IP addresses in the known_hosts file on the infected system and attempts to connect to them through SSH.[8]

Enterprise VT0031 Resource Hijacking

Rocke has distributed cryptomining malware.[1][3]

Enterprise VT0017.004 Unsecured Credentials: Private Keys

Rocke looks for SSH keys and attempts to use them in order to infect new machines, move laterally and spread its cryptominer throughout a network.[4][6][7]
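As an added defender-side example (not part of the original page), the following Python audits the two artefacts that the known_hosts and private-key techniques above rely on: it lists the hostnames readable from an unhashed known_hosts file (the SSH targets an intruder on that host could enumerate) and reports whether an OpenSSH private key is protected by a passphrase. All sample data is constructed; the key check reads the cipher name from the public openssh-key-v1 header layout.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_known_hosts(text: str):
    """Return (plaintext hostnames, count of hashed entries).
    Plaintext entries are readable lateral-movement targets; with
    'HashKnownHosts yes' in ssh_config new entries are stored as '|1|...'."""
    plaintext, hashed = [], 0
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields[0].startswith("|1|"):
            hashed += 1
        else:
            plaintext.extend(fields[0].split(","))
    return plaintext, hashed


def private_key_cipher(pem: str) -> str:
    """Return the cipher protecting a private key; 'none' means no passphrase.
    Legacy PEM keys are reported as 'legacy-encrypted' or 'none'."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if "OPENSSH PRIVATE KEY" not in lines[0]:
        return "legacy-encrypted" if any("ENCRYPTED" in l for l in lines) else "none"
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode()


# Constructed sample data (not from the page): one hashed and two plaintext entries.
SAMPLE_KNOWN_HOSTS = """\
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly
10.0.0.5,db01.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleOnly
[git.internal]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly
"""


def build_sample_key(cipher: bytes) -> str:
    """Build only the openssh-key-v1 header (no real key material) for testing."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    hosts, hashed = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(f"readable SSH targets: {hosts}; hashed entries: {hashed}")
    print("unencrypted key cipher:", private_key_cipher(build_sample_key(b"none")))
    print("encrypted key cipher:", private_key_cipher(build_sample_key(b"aes256-ctr")))
```

Run against a real host's ~/.ssh directory, a non-empty plaintext list plus a key reporting "none" is exactly the combination this group relied on to spread over SSH.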




Created: 16 March 2021

Last Modified: 16 March 2021