<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname; }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main" style="width: 100%; ">
<h2>2019/04/17 Advisory: Rocke Group Campaign</h2>
<p style="background-color:#FFCC77"> <b>This page covers ongoing attacks and may be updated (latest: 2019-04-17).</b> </p>
<p>The Rocke Group is a malicious actor focused on crypto-jacking. The actor is very versatile and targets hosts running vulnerable versions of, e.g., Jenkins, Redis and Atlassian Confluence. They are quick to incorporate exploits for newly disclosed vulnerabilities in other software. Once a host has been compromised, it is used to scan the LAN for additional victims and, eventually, to mine crypto-currency.</p>
<h3>Attacker’s Tactics, Techniques, and Procedures (TTP)</h3>
<p>The infection process is nearly identical for all victims:</p>
<ul>
<li>The actor scans Internet-exposed hosts for known vulnerabilities;</li>
<li>Once the attacker has gained access to the host, a malicious script is downloaded from <a href="https://pastebin.com">https://pastebin.com</a>:<br/><a href="./xmxHzu5P.png" target="_new"><img src="./xmxHzu5P.png" width="110%" alt="Screenshot of the malicious script hosted on Pastebin"/></a></li>
<li>That script typically points recursively to further Pastebin pages, until the final Pastebin page points to ever-changing image-hosting websites. From there, a Golang binary packed with a modified UPX packer (the UPX magic replaced by "LSD") and disguised as a JPG is downloaded;</li>
<li>Meanwhile, the infected host is configured for persistence via cronjobs, which can themselves be reinstalled by other pieces of the malware (e.g. a Golang binary or a shared library);</li>
<li>Whenever possible, the attacker escalates to root and attempts to cover their tracks and activities via LD_PRELOAD, log file deletion, etc.;</li>
<li>The Golang binary includes LAN scanning tools, enabling the attacker to pivot internally and scan for additional vulnerable systems on the victim's LAN, as well as an <a href="https://github.com/xmrig/xmrig">XMRig</a> executable for the eventual crypto-currency mining;</li>
<li>The malicious Golang binary communicates with the IP address of a custom mining pool.</li>
</ul>
<h3>Indicators of Compromise (IoCs)</h3>
<p>The indicators of compromise below are also available in <a href="rocke_group.json">MISP JSON</a> format.</p>
<h4>Network</h4>
<ul>
<li>Initial network scans with exploit attempts come from multiple IPs, including <font style="font-family:Courier;">144.34.132.17</font>;</li>
<li>Upon infection, the payload is executed and fetches the victim's public IP address from <font style="font-family:Courier;">http://ident[.]me</font>.<br/>The User-Agent of this HTTP request is <font style="font-family:Courier;">Go-http-client/1.1</font>. This is the default User-Agent of the Go standard library, so legitimate Go software produces it too; the combination with a request to <font style="font-family:Courier;">ident[.]me</font> is what makes it an indicator;</li>
<li>The payload scans the LAN on <font style="font-family:Courier;">22/tcp</font>, <font style="font-family:Courier;">6379/tcp</font> and <font style="font-family:Courier;">8080/tcp</font> (SSH, Redis and a common web application port). A single internal host suddenly connecting to many neighbours on exactly these ports is the thing to look for in flow or firewall logs;</li>
<li>The payload contacts the private mining pool at <font style="font-family:Courier;">systemten[.]org:51640 (104.248.53.213)</font>.</li>
</ul>
<h4>File System</h4>
<ul>
<li>Check for malicious <font style="font-family:Courier;">cronjobs</font> for both <font style="font-family:Courier;">root</font> and the web application's / web server's local users, for example via:<br/><font style="font-family:Courier;"># crontab -l</font><br/><font style="font-family:Courier;"># less /etc/cron.d/root</font><br/><font style="font-family:Courier;"># less /var/spool/cron/root</font><br/><font style="font-family:Courier;"># less /var/spool/cron/crontabs/root</font><br/>Do the same for the service account (<font style="font-family:Courier;"># crontab -u &lt;webuser&gt; -l</font>): an entry that fetches content from Pastebin or an image-hosting site and pipes it into a shell is the tell-tale sign;</li>
<li>Check for malicious processes and files in <font style="font-family:Courier;">/tmp</font>, for example named <font style="font-family:Courier;">khugepaged</font> or <font style="font-family:Courier;">kerberods</font>. Note that <font style="font-family:Courier;">khugepaged</font> is also the name of a legitimate kernel thread: the genuine one appears as <font style="font-family:Courier;">[khugepaged]</font> and has no executable on disk, whereas the malicious one is a user-space process backed by a file in <font style="font-family:Courier;">/tmp</font>;</li>
<li>Since the actor hides its activity via LD_PRELOAD, also inspect <font style="font-family:Courier;">/etc/ld.so.preload</font>: on a normal host this file is absent or empty, and any library listed there, as well as the <font style="font-family:Courier;">LD_PRELOAD</font> environment of running services, deserves a look.</li>
</ul>
<h4>Golang payload</h4>
<p>A partial analysis of the Golang payload is available at <a href="https://codimd.web.cern.ch/qIzwThJNTK-pl21J2Xmi-A#">https://codimd.web.cern.ch/qIzwThJNTK-pl21J2Xmi-A#</a>.</p>
<!---h3>Credits</h3-->
<h3>References</h3>
<ul>
<li><a href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang">Anomali Labs report on the Rocke Group</a></li>
<li><a href="https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/">Palo Alto Networks Unit 42 report on the Rocke Group</a></li>
<li><a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html">Cisco Talos report on the Rocke Group</a></li>
</ul>
</div> <!-- main ends --> <!-- 
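-->
<p>The persistence and hiding techniques from the TTP section and the host and network indicators listed above, turned into one triage script. This is an added example and not part of this advisory or of CERN's own tooling: the script name <font style="font-family:Courier;">rocke_triage.sh</font>, the root-prefix argument (so the same functions run against a live host, a mounted disk image or a constructed test directory), the flow-log line format "<font style="font-family:Courier;">src dst dport [extra]</font>" and the fan-out threshold of five hosts are assumptions made for the example; the IoC values are the ones from this page.</p>

```shell
#!/bin/sh
# rocke_triage.sh (hypothetical name): triage for the Rocke indicators in the
# CERN advisory. Added example, not CERN's tooling. Each check takes a root
# prefix ("/" on a live host, a mounted image, or a test tree) and returns 0
# when an indicator was found and 1 when clean, so it composes like grep.

# Network IoCs from the advisory, escaped for grep -E.
POOL_RE='systemten\.org|104\.248\.53\.213'   # private mining pool
SCANNER_RE='144\.34\.132\.17'                  # one of the exploit-scanning IPs
IDENT_RE='ident\.me.*Go-http-client/1\.1'      # public-IP lookup by the payload
# File names the advisory reports in /tmp.
BAD_NAMES='khugepaged kerberods'

_root() { r="${1:-/}"; printf '%s/' "${r%/}"; }   # normalise trailing slash

# 1. Cron persistence: any system or per-user crontab that pulls code from
#    Pastebin or pipes a download straight into a shell.
check_cron() {
    root=$(_root "$1"); rc=1
    for f in "$root"etc/crontab "$root"etc/cron.d/* "$root"var/spool/cron/* \
             "$root"var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if grep -Eiq 'pastebin\.com|(curl|wget)[^|]*[|][ ]*(ba)?sh' "$f"; then
            echo "CRON: suspicious entry in $f"
            grep -Ein 'pastebin\.com|curl|wget' "$f" | sed 's/^/    /'
            rc=0
        fi
    done
    return $rc
}

# 2. /tmp droppers: the known file names, plus the "fake JPG" trick, i.e. a
#    file with an image extension whose first bytes are the ELF magic 7f454c46.
check_tmp() {
    root=$(_root "$1"); rc=1
    for f in "$root"tmp/* "$root"tmp/.*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        for bad in $BAD_NAMES; do
            [ "$name" = "$bad" ] && { echo "TMP: known malware name $f"; rc=0; }
        done
        case "$name" in
            *.jpg|*.jpeg|*.png|*.gif)
                magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
                [ "$magic" = "7f454c46" ] && { echo "TMP: ELF disguised as image: $f"; rc=0; }
                ;;
        esac
    done
    return $rc
}

# 3. LD_PRELOAD hiding: the system-wide preload file is normally absent or
#    empty; anything listed there is worth examining.
check_preload() {
    f="$(_root "$1")etc/ld.so.preload"
    [ -s "$f" ] || return 1
    echo "PRELOAD: $f lists: $(tr '\n' ' ' < "$f")"
    return 0
}

# 4. Network IoCs over a flow log. Assumed (constructed) line format:
#    "src dst dport [extra]", e.g. "10.0.0.5 ident.me 80 UA=Go-http-client/1.1".
#    Besides the pool, the scanner and the ident.me lookup, flag any source that
#    reached at least MIN distinct hosts on 22/6379/8080 (the LAN scan).
check_netlog() {
    log="$1"; min="${2:-5}"; rc=1
    for pair in "$POOL_RE|traffic to the mining pool" \
                "$SCANNER_RE|traffic from a known scanning IP" \
                "$IDENT_RE|public-IP lookup with the Go default User-Agent"; do
        re=${pair%|*}; msg=${pair##*|}
        if grep -Eq "$re" "$log"; then
            echo "NET: $msg:"; grep -E "$re" "$log" | sed 's/^/    /'; rc=0
        fi
    done
    scanners=$(awk -v min="$min" '
        $3 == 22 || $3 == 6379 || $3 == 8080 { seen[$1 " " $2] = 1 }
        END { for (k in seen) { split(k, a, " "); n[a[1]]++ }
              for (s in n) if (n[s] >= min) print s, n[s] }' "$log")
    if [ -n "$scanners" ]; then
        echo "NET: LAN scan on 22/6379/8080 (source, hosts hit):"
        echo "$scanners" | sed 's/^/    /'; rc=0
    fi
    return $rc
}

# Run everything when invoked directly:  sh rocke_triage.sh / /var/log/flows.log
if [ $# -ge 1 ]; then
    check_cron "$1"; check_tmp "$1"; check_preload "$1"
    [ -n "$2" ] && check_netlog "$2"
fi
```

<p>The cron and <font style="font-family:Courier;">/tmp</font> checks deliberately key on behaviour (a download piped into a shell, an ELF wearing an image extension) rather than only on the file names and hashes of one campaign, since the advisory notes that the actor rotates hosting sites and re-plants its cron entries. The LAN-scan detector is the noisiest of the four: tune the threshold against your own baseline before alerting on it, and remember that a compromised host scanning 6379 will also show up as a burst of failed Redis connections on the neighbours.</p>
<!--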
content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> © Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>