Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1][2]

Techniques Used

Domain | ID | Name | Use

Enterprise | VT0012.001 | Command and Scripting Interpreter: Unix Shell

Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.[1]

Enterprise | VT0003 | Exploit Public-Facing Application

Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[1][3]

Enterprise | VT0024 | Network Service Scanning

Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[1][4]

Enterprise | VT0020.001 | Remote Services: SSH

Rocke has moved laterally across the network through SSH to infect further machines with a cryptominer.[5][6][7]

Enterprise | VT0034 | Remote System Discovery

Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to connect to them through SSH.[8]

Enterprise | VT0031 | Resource Hijacking

Rocke has distributed cryptomining malware.[1][3]

Enterprise | VT0017.004 | Unsecured Credentials: Private Keys

Rocke has looked for SSH keys and attempted to use them in order to infect new machines, move laterally, and spread its cryptominer throughout a network.[4][6][7]

References

ID: VG0005

Version: 1.0

Created: 16 March 2021

Last Modified: 16 March 2021