Specialists at Palo Alto Networks have discovered a new malicious crypto-mining technique used by the Rocke group. The malware not only removes all competing miners from the system, but also uses the GitHub and Pastebin services as part of its command-and-control (C2) infrastructure.
“Cybercriminals write malicious components in Python, while Pastebin and GitHub are used as code repositories,” Palo Alto Networks explains.
Experts believe the malware was created by a China-based cybercrime group known as Rocke. The miner attacks cloud infrastructure, which it then uses to mine digital currency. A company that has been the victim of such an attack usually notices that its electricity bills have grown substantially.
“During their attacks, cybercriminals exploit vulnerabilities discovered in 2016 and 2017. Attackers tried to avoid detection, so they penetrated the victim’s system, but not deeply,” wrote researchers at Palo Alto Networks.
Criminals get administrative access to cloud systems thanks to a malicious program that can hide its presence from traditional detection methods.
“By analyzing NetFlow data from December 2018 to June 16, 2019, we found that 28.1% of the cloud environments we surveyed had at least one fully established network connection with at least one known Rocke command-and-control (C2) domain. Several of those organizations maintained near daily connections. Meanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques, and procedures (TTPs),” report Palo Alto Networks specialists.
Compromised systems are then linked to Rocke’s IP addresses and domains, which are hard-coded in the malware.
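The NetFlow analysis quoted above can be approximated on your own flow exports. The following is an added example, not code from Palo Alto Networks or from the original article: it sorts hosts into the three patterns the researchers mention (a fully established connection, near-daily contact, hourly heartbeat). The indicator address, the flow records, and the thresholds (`tolerance`, `min_beats`, the 0.8 day ratio) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

C2_IPS = {"203.0.113.10"}  # constructed placeholder (TEST-NET-3), not a real Rocke indicator
SYN, ACK = 0x02, 0x10

def established(flags):
    # NetFlow tcp_flags ORs every flag seen in the flow; SYN and ACK together on
    # the client-to-server flow means the handshake completed (heuristic).
    return (flags & (SYN | ACK)) == (SYN | ACK)

def classify(flows, tolerance=300, min_beats=4):
    """Map each source with established flows to C2_IPS to a contact pattern."""
    seen = defaultdict(list)
    for ts, src, dst, flags in flows:
        if dst in C2_IPS and established(flags):
            seen[src].append(ts)
    verdicts = {}
    for src, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        span = (times[-1].date() - times[0].date()).days + 1
        active_days = len({t.date() for t in times})
        if len(times) >= min_beats and abs(median(gaps) - 3600) <= tolerance:
            verdicts[src] = "hourly-heartbeat"
        elif span >= 5 and active_days / span >= 0.8:
            verdicts[src] = "near-daily"
        else:
            verdicts[src] = "established"
    return verdicts

def sample_flows():
    """Constructed records: (start time, src, dst, cumulative TCP flags)."""
    t0, c2, full = datetime(2019, 6, 1), "203.0.113.10", 0x1B  # FIN|SYN|PSH|ACK
    flows = [(t0, "10.0.0.7", c2, SYN),   # SYN only: never established
             (t0, "10.0.0.8", c2, full)]  # one established connection
    for i, jitter in enumerate([0, 12, -8, 30, 5, -20]):  # hourly beacon with jitter
        flows.append((t0 + timedelta(hours=i, seconds=jitter), "10.0.0.5", c2, full))
    for day in [0, 1, 2, 4, 5, 6]:  # contact on 6 of 7 days
        flows.append((t0 + timedelta(days=day, hours=9), "10.0.0.6", c2, full))
    for i in range(6):  # hourly traffic to an address that is not on the list
        flows.append((t0 + timedelta(hours=i), "10.0.0.9", "198.51.100.7", full))
    return flows

if __name__ == "__main__":
    for host, label in sorted(classify(sample_flows()).items()):
        print(host, label)
```

Hosts whose only flows are SYN-only (for example, blocked at egress) are deliberately not reported, which matches the report's focus on fully established connections.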
The initial attack vector, as in the majority of such cases, is phishing. Once this phase succeeds, the malware is downloaded to the attacked company’s system from the command centers, including GitHub and Pastebin.