Researchers Xingyu Jin and Claud Xiao, of the cybersecurity firm Palo Alto Networks, published a report yesterday, January 17, regarding Monero mining malware from threat actor Rocke. The malware is said to disable cloud security software to avoid detection and mine Monero using exiting cloud servers.
According to the report, Rocke's malware targets public cloud infrastructure running on Linux servers, specifically going after cloud security products by Chinese firms Tencent Cloud and Alibaba Cloud. After gaining access, the malware uses uninstall instructions available on Tencent and Alibaba's websites and "some random blog posts on the Internet," to remove the existing cloud security without exhibiting detectable vicious behavior.
The paper notes that early versions of Rocke's malware only attempted to kill security and monitoring agents from Tencent. Because the malware's authors developed more effective ways to avoid detection, the program can now uninstall the Tencent host security agent, the Tencent cloud monitor agent, the Alibaba threat detection service agent, the Alibaba CloudMonitor agent, and the Alibaba cloud assistant agent.
Once the cloud security and monitor products are uninstalled, the malware "begins to exhibit malicious behaviors." Not only can the malware block other crypto mining malware from using the infected cloud server, it can also kill other crypto mining processes that may already exist. It can then trigger its "ultimate goal" of mining Monero from within the compromised Linux servers.
Jin and Xiao say that the Rocke group was originally discovered by Cisco's Talos Intelligence Group in August 2018. Talos' blog post calls Rocke the "Champion of Monero Miners" and outlines the malware's most recent attack – at the time of the post – in July 2018.
Earlier this month, researchers Sergio Pastrana and Guillermo Suarez-Tangil, from Universidad Carlos III de Madrid and King's College London, respectively, published their own report, estimating that hackers have mined at least 4.32 percent of the total Monero in circulation. The researchers assert that at least 2,218 active malicious mining campaigns have gathered roughly 720,000 XMR (worth $57 million), with a single campaign having mined more that 163,000 XMR, or about $18 million, at the time of the paper's publishing.
According to Jin and Xiao, Palo Alto Networks has been in contact with Tencent Cloud and Alibaba Cloud to discuss the Rocke malware's evasion techniques. "The variant of the malware used by the Rocke group," they say, "is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure."