Rocke Group’s Monero Mining Malware now More Powerful than Cloud Security Software
According to a January 17, 2019, press release from Palo Alto Networks’ Unit 42, a threat intelligence team, a Linux mining malware developed by Rocke group has advanced to uninstall cloud security products from Alibaba Cloud and Tencent Cloud to illegally mine Monero (XMR) on compromised machines.
Monero (XMR) Mining Malware Gets More Powerful
Per the report, Rocke group, the infamous creators of the Xbash malware, was first reported in July 2018 by Cisco Talos, Cisco’s threat intelligence group, which revealed that the actors behind the malware were deactivating some security monitors on compromised computers.
However, Unit 42 indicates that after analyzing the latest cryptocurrency mining malware samples Rocke has used on Linux machines, some of which were discovered in October 2018, the malware’s mode of operation has evolved significantly.
In this case, the malicious program has advanced to uninstall five cloud security products developed by Alibaba Cloud (Aliyun) and Tencent Cloud, which are reportedly China’s largest cloud service providers.
Alibaba Cloud (Aliyun), for instance, has a product called Threat Detection Service whose function is to scan and remove malicious programs as well as detect other vulnerabilities on the Linux operating system.
The firm also notes that this cloud service provider has outlined the steps an administrator must follow to uninstall the product from a machine if it is no longer needed.
The Rocke cryptocurrency mining malware, however, carries out those same uninstall steps exactly as an authorized system administrator would, clearing the way for its malicious code to run.
Rocke Exploits Linux Vulnerabilities to Mine Monero
Highlighting the steps taken to achieve this, the team revealed that security issues in Oracle WebLogic Server, Apache Struts 2, and Adobe ColdFusion have all been exploited.
Exploiting these vulnerabilities gives the malware the foothold it needs to disarm the security products on Linux systems and subsequently mine Monero.
In the Oracle WebLogic case cited, the vulnerability is used to download a backdoor and open a shell, after which Rocke stops competing crypto mining malware, removes the security products, and alters the dates on its malicious files, among other operations.
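The behaviours the report attributes to the miner (running the vendor’s own agent uninstall procedure, killing rival miners, and changing file dates) are all visible as ordinary process executions, which is where a defender can catch them. The following is an added illustration written for this article, not code from Unit 42, Alibaba Cloud or Tencent Cloud: a small triage of process-execution events that labels each of the three tactics and escalates when one parent process chains them within a short window. The log line format, the agent uninstall path, the rival miner names and the sample events are all constructed assumptions; in a real deployment the uninstall commands come from the vendor’s documented procedure for each agent you run.

```python
"""Added example: triage Linux process-execution events for the tactics the
article describes. Not from the original report; all paths and names below
are constructed placeholders."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, one process execution per line:
# "<epoch> uid=<n> pid=<n> ppid=<n> exe=<path> cmd=<command line>"
SAMPLE_LOG = """\
1547769600 uid=0 pid=4102 ppid=4100 exe=/bin/sh cmd=/bin/sh /usr/local/security-agent/uninstall.sh
1547769601 uid=0 pid=4110 ppid=4100 exe=/usr/bin/pkill cmd=pkill -9 -f othercoinminer
1547769602 uid=0 pid=4115 ppid=4100 exe=/usr/bin/touch cmd=touch -r /bin/ls /tmp/.x/miner
1547769610 uid=1000 pid=4200 ppid=1 exe=/usr/bin/touch cmd=touch /home/dev/notes.txt
1547769620 uid=0 pid=4201 ppid=1 exe=/usr/bin/apt-get cmd=apt-get upgrade -y
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) uid=(?P<uid>\d+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"exe=(?P<exe>\S+) cmd=(?P<cmd>.*)$"
)

# Hypothetical uninstall command of a deployed security agent. The article's
# point is that the malware runs the vendor-documented procedure, so the
# documented command itself is the thing to watch for.
AGENT_UNINSTALLERS = ("/usr/local/security-agent/uninstall.sh",)
# Constructed process names of miners that a rival miner would kill.
RIVAL_MINER_NAMES = ("othercoinminer", "cryptonight")
KILL_TOOLS = ("kill", "pkill", "killall")


@dataclass
class Event:
    ts: int
    uid: int
    pid: int
    ppid: int
    exe: str
    cmd: str


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m["ts"]), int(m["uid"]), int(m["pid"]),
                                int(m["ppid"]), m["exe"], m["cmd"]))
    return events


def classify(ev):
    """Return a tactic label for one event, or None if it looks benign."""
    argv = ev.cmd.split()
    exe_name = ev.exe.rsplit("/", 1)[-1]
    if any(path in ev.cmd for path in AGENT_UNINSTALLERS):
        return "agent_uninstall"
    if exe_name in KILL_TOOLS and any(n in ev.cmd for n in RIVAL_MINER_NAMES):
        return "kill_rival_miner"
    # touch -r <ref> / -d / -t rewrite a file's timestamps to a chosen value,
    # which is the "adjust malicious file dates" behaviour; a plain touch is not flagged.
    if exe_name == "touch" and any(
        a in ("-r", "-d", "-t") or a.startswith(("--reference", "--date"))
        for a in argv[1:]
    ):
        return "timestomp"
    return None


def triage(text, window_s=300):
    """Flag suspicious events; escalate to high severity when one parent process
    combines an agent uninstall with another tactic inside window_s seconds."""
    findings = []
    by_parent = defaultdict(list)
    for ev in parse_log(text):
        label = classify(ev)
        if label:
            findings.append({"pid": ev.pid, "ppid": ev.ppid, "tactic": label,
                             "severity": "medium", "cmd": ev.cmd})
            by_parent[ev.ppid].append((ev.ts, label))
    for ppid, hits in by_parent.items():
        tactics = {label for _, label in hits}
        span = max(ts for ts, _ in hits) - min(ts for ts, _ in hits)
        if "agent_uninstall" in tactics and len(tactics) >= 2 and span <= window_s:
            for f in findings:
                if f["ppid"] == ppid:
                    f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"], f["tactic"], f["cmd"])
```

Running it on the sample flags the three events spawned by parent 4100 and raises all of them to high severity, while the developer’s ordinary `touch` and the package upgrade stay unflagged. The correlation step matters more than any single rule: an administrator running the documented uninstall is a medium-severity event worth a ticket, but the same command chained with miner cleanup and timestamp tampering from one parent is the pattern the article describes.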
The threat intelligence team has also pointed out that the behavior of Rocke group’s malware is unique because it is the “first malware family” that can take control of cloud security products without actually compromising them.
“This also highlights a new challenge for products in the Cloud Workload Protection Platforms market defined by Gartner,” the firm stated.
Despite the crash in the price of bitcoin and altcoins, bad actors continue to formulate novel ways to get illegally rich with cryptoassets. On January 13, 2019, BTCManager reported on the Global Threat Index for December 2018, which ranked cryptocurrency mining malware as the most common type of computer attack for the thirteenth time in a row.