Org's network connect to GitHub and Pastebin much? It's a Rocke road to cryptojacking country

You might also be slurping Chinese malware

Palo Alto Networks has spotted a new cryptomining malware technique that not only wipes out any other miners present on the target machine but uses GitHub and Pastebin as part of its command-and-control (C2) infrastructure.

The malware, believed to originate from a Chinese cybercrime group nicknamed Rocke, targets cloud infrastructure in order to plant cryptocurrency mining software, potentially causing much larger metered usage bills for companies falling victim to it.

"Rocke, which primarily targets public cloud infrastructure for criminal gain, continues to evolve its tools and take advantage of poorly configured cloud infrastructures using vulnerabilities released in 2016 and 2017," said Palo Alto, adding that the malware peddlers were "able to conduct operations with little interference and limited detection risk".

It continued: "The group can gain administrative access to cloud systems using malware that is able to remain hidden from basic investigations. Compromised systems then perform predictable and detectable network actions to known Rocke hardcoded IP addresses or Rocke-owned domains."

The basic compromise vector is, as ever, phishing. Once the target organisation has been successfully phished, the malware is deployed and executed from download and C2 sources including GitHub and Pastebin.

"The group's first cryptomining operations were written in Python and used Pastebin or GitHub as the code repository from which the first-stage payload was downloaded," said Palo Alto in a deep dive published today. "As of March 12, 2019, Rocke actors began to also use Golang."

The first-stage payload directed the victim system to connect to a hardcoded Rocke domain or IP address which the researchers were able to use to trace and map the threat actors’ own infrastructure. The malware was also observed connecting to various cloudappconfig.com and heheda.tk URLs, as well as the IP address 104.238.151.101 among many others.

In mitigation terms, as well as (as you'd expect) buying their products, Palo Alto also recommended patching all cloudy wares within your organisation. Investigating cloud network traffic for connections to known dodgy domains and IPs is also a wise move to clear it out. Though it did not specify how many target organisations it looked at, Palo Alto reckoned that around a quarter had live Rocke infections in their cloudy boxen.

Last year Cisco Talos uncovered Rocke, attributing it to a person or persons unknown operating from China's Jiangxe Province and deploying the Cobalt Strike malware. ®

Sponsored: Technical Overview: Exasol Peek Under the Hood

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019