
Rocke’s new cyberminer removes competitors and uses GitHub to communicate with C2

Specialists at Palo Alto Networks have discovered a new technique for malicious cryptocurrency mining used by the Rocke group.

The malware not only removes all other competing miners on the system, but also uses the GitHub and Pastebin services as part of its command-and-control (C2) infrastructure.

“Cybercriminals write malicious components in Python, while Pastebin and GitHub are used as code repositories”, Palo Alto Networks explains.

Experts believe that the malware has Chinese roots and was created by a cybercrime group from China known as Rocke. The miner targets cloud infrastructure and uses the compromised computing resources to mine digital currency. A company that has been the victim of such an attack usually notices that its electricity bills have grown substantially.

“During their attacks, cybercriminals exploit vulnerabilities discovered in 2016 and 2017. Attackers tried to avoid detection, so they penetrated the victim’s system, but not deeply”, wrote researchers at Palo Alto Networks.

The criminals obtain administrative access to cloud systems by means of a malicious program that can hide its presence from traditional detection methods.

“By analyzing NetFlow data from December 2018 to June 16, 2019, we found that 28.1% of the cloud environments we surveyed had at least one fully established network connection with at least one known Rocke command-and-control (C2) domain. Several of those organizations maintained near daily connections. Meanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques, and procedures (TTPs)”, report Palo Alto Networks specialists.

Compromised systems then connect to Rocke’s IP addresses and domains, which are hard-coded in the malware.
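The NetFlow analysis described above (connections to known C2 domains, plus the hourly heartbeat pattern) can be reproduced defensively on a flow collector. The following is an added example and is not code from the article or from Palo Alto Networks: the flow records and the indicator list are constructed placeholders (TEST-NET addresses and an `example` domain, not real Rocke indicators), and the 5% regularity tolerance for calling a pattern an "hourly heartbeat" is an assumption.

```python
"""Flag hosts talking to known C2 indicators and score how regular that traffic is.

Added example, not the article's or Palo Alto Networks' code. Flow records and
indicator values below are constructed placeholders, not real IoCs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed indicator list (placeholders). A real deployment would load a
# vetted threat-intelligence feed here instead.
C2_INDICATORS = {
    "c2-placeholder.example": "domain",
    "203.0.113.7": "ip",  # TEST-NET-3 address, used only as a placeholder
}

# Constructed NetFlow-style records: (timestamp, src_ip, dst, dst_port, bytes).
# 'dst' is an IP, or a domain when the collector has resolved it.
SAMPLE_FLOWS = [
    ("2019-06-01T00:00:05", "10.0.0.5", "203.0.113.7", 443, 820),
    ("2019-06-01T01:00:07", "10.0.0.5", "203.0.113.7", 443, 810),
    ("2019-06-01T02:00:04", "10.0.0.5", "203.0.113.7", 443, 830),
    ("2019-06-01T03:00:06", "10.0.0.5", "203.0.113.7", 443, 815),
    ("2019-06-01T00:12:00", "10.0.0.9", "c2-placeholder.example", 80, 4000),
    ("2019-06-01T09:30:00", "10.0.0.9", "c2-placeholder.example", 80, 4100),
    ("2019-06-01T00:00:10", "10.0.0.12", "198.51.100.20", 443, 9000),
]


def parse_flow(record):
    """Turn one raw tuple into typed fields (datetime, str, str, int, int)."""
    ts, src, dst, port, nbytes = record
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def flows_to_c2(flows, indicators=C2_INDICATORS):
    """Return the parsed flows whose destination matches a known C2 indicator."""
    return [f for f in map(parse_flow, flows) if f[2] in indicators]


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation) for a
    sequence of connection times, or None when fewer than three are present.

    A low coefficient of variation means the gaps between connections are
    nearly identical, which is what a scheduled heartbeat looks like.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return m, cv


def detect_heartbeats(flows, indicators=C2_INDICATORS,
                      expected=timedelta(hours=1), tolerance=0.05):
    """Group C2 hits by (src, dst) and flag pairs whose traffic recurs at the
    expected interval with low jitter. Tolerance (5%) is an assumed threshold.

    Returns {(src, dst): {"count", "mean_interval", "cv", "hourly_beacon"}}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows_to_c2(flows, indicators):
        by_pair[(src, dst)].append(ts)

    report = {}
    want = expected.total_seconds()
    for pair, times in by_pair.items():
        entry = {"count": len(times), "mean_interval": None,
                 "cv": None, "hourly_beacon": False}
        score = beacon_score(times)
        if score is not None:
            m, cv = score
            entry["mean_interval"] = m
            entry["cv"] = cv
            entry["hourly_beacon"] = abs(m - want) <= tolerance * want and cv <= tolerance
        report[pair] = entry
    return report


if __name__ == "__main__":
    for pair, info in detect_heartbeats(SAMPLE_FLOWS).items():
        print(pair, info)
```

On the constructed data, host 10.0.0.5 is flagged as an hourly beacon (four connections about 3600 seconds apart), 10.0.0.9 reaches a C2 indicator but with too few connections to score, and 10.0.0.12 never appears because its destination is not on the indicator list. Any single established connection to a known C2 indicator already warrants investigation; the heartbeat score only helps prioritise.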


The initial attack vector, as in the majority of such cases, is phishing. Once this phase succeeds, the malware is downloaded onto the attacked company’s systems from the command centers, including GitHub and Pastebin.
