ETHERLive
ETHERLive delivers real-time price and volume data across 16+ exchanges to users in a clear and easy-to-understand package. Users can get up-to-the-second updates for each exchange/currency pair, as well as aggregated market averages for each exchange, currency, and the market as a whole. It also provides a global converted average of all the currency pairs monitored by ETHNews, converted to USD.

---

24hr ---
--%
RESOURCES

The Basics

Learn the basics of Ethereum and various cryptocurrency technologies

Learn More

What is Ethereum?

Understand the underlying principles of the Ethereum Platform

Learn More

The Blockchain

Discover the revolutionizing technology known as the blockchain

Learn More
SUBMIT

Press Release

Submit a press release for consideration on ETHNews

Submit Press

Story / Dapp

Submit a story or DAPP to be considered for publication on ETHNews.

Submit Story

Explanation

Submit "Ethereum Explainer" content for consideration to be featured on ETHNews

Submit Topic
ETHNews Logo
---
--%
Home
News
Etherlive
Ether Price Analysis
Resources
Contact Us
ETHNews will sunset at the end of August. The site will remain accessible for a few weeks while necessary maintenance is performed. Thanks, as always, for reading.

Malware Mines Monero On Cloud Servers

By

Nicholas

Ruggieri

WriterETHNews.com

Despite the title’s alliteration, Rocke’s malware is anything but whimsical.

Researchers Xingyu Jin and Claud Xiao, of the cybersecurity firm Palo Alto Networks, published a report yesterday, January 17, regarding Monero mining malware from threat actor Rocke. The malware is said to disable cloud security software to avoid detection and mine Monero using exiting cloud servers.

According to the report, Rocke's malware targets public cloud infrastructure running on Linux servers, specifically going after cloud security products by Chinese firms Tencent Cloud and Alibaba Cloud. After gaining access, the malware uses uninstall instructions available on Tencent and Alibaba's websites and "some random blog posts on the Internet," to remove the existing cloud security without exhibiting detectable vicious behavior.

The paper notes that early versions of Rocke's malware only attempted to kill security and monitoring agents from Tencent. Because the malware's authors developed more effective ways to avoid detection, the program can now uninstall the Tencent host security agent, the Tencent cloud monitor agent, the Alibaba threat detection service agent, the Alibaba CloudMonitor agent, and the Alibaba cloud assistant agent.

Once the cloud security and monitor products are uninstalled, the malware "begins to exhibit malicious behaviors." Not only can the malware block other crypto mining malware from using the infected cloud server, it can also kill other crypto mining processes that may already exist. It can then trigger its "ultimate goal" of mining Monero from within the compromised Linux servers.

Jin and Xiao say that the Rocke group was originally discovered by Cisco's Talos Intelligence Group in August 2018. Talos' blog post calls Rocke the "Champion of Monero Miners" and outlines the malware's most recent attack – at the time of the post – in July 2018.

Earlier this month, researchers Sergio Pastrana and Guillermo Suarez-Tangil, from Universidad Carlos III de Madrid and King's College London, respectively, published their own report, estimating that hackers have mined at least 4.32 percent of the total Monero in circulation. The researchers assert that at least 2,218 active malicious mining campaigns have gathered roughly 720,000 XMR (worth $57 million), with a single campaign having mined more that 163,000 XMR, or about $18 million, at the time of the paper's publishing.

According to Jin and Xiao, Palo Alto Networks has been in contact with Tencent Cloud and Alibaba Cloud to discuss the Rocke malware's evasion techniques. "The variant of the malware used by the Rocke group," they say, "is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure."

Nicholas Ruggieri

Nicholas Ruggieri studied English with an emphasis in creative writing at the University of Nevada, Reno. When he’s not quoting Vines at anyone who’s willing to listen, you’ll find him listening to too many podcasts, reading too many books, and crocheting too many sweaters for his dogs, RT and Peterman.

ETHNews is committed to its Editorial Policy

Like what you read? Follow us on Twitter @ETHNews_ to receive the latest Monero, malware or other Ethereum cryptocurrencies and tokens news.