Org's network connect to GitHub and Pastebin much? It's a Rocke road to cryptojacking country

You might also be slurping Chinese malware

Palo Alto Networks has spotted a new cryptomining malware technique that not only wipes out any other miners present on the target machine but also uses GitHub and Pastebin as part of its command-and-control (C2) infrastructure.

The malware, believed to originate from a Chinese cybercrime group nicknamed Rocke, targets cloud infrastructure in order to plant cryptocurrency mining software, potentially causing much larger metered usage bills for companies falling victim to it.

"Rocke, which primarily targets public cloud infrastructure for criminal gain, continues to evolve its tools and take advantage of poorly configured cloud infrastructures using vulnerabilities released in 2016 and 2017," said Palo Alto, adding that the malware peddlers were "able to conduct operations with little interference and limited detection risk".

It continued: "The group can gain administrative access to cloud systems using malware that is able to remain hidden from basic investigations. Compromised systems then perform predictable and detectable network actions to known Rocke hardcoded IP addresses or Rocke-owned domains."

The basic compromise vector is, as ever, phishing. Once the target organisation has been successfully phished, the malware is deployed and executed from download and C2 sources including GitHub and Pastebin.

"The group's first cryptomining operations were written in Python and used Pastebin or GitHub as the code repository from which the first-stage payload was downloaded," said Palo Alto in a deep dive published today. "As of March 12, 2019, Rocke actors began to also use Golang."

The first-stage payload directed the victim system to connect to a hardcoded Rocke domain or IP address which the researchers were able to use to trace and map the threat actors’ own infrastructure. The malware was also observed connecting to various cloudappconfig.com and heheda.tk URLs, as well as the IP address 104.238.151.101 among many others.

In mitigation terms, as well as (as you'd expect) buying their products, Palo Alto also recommended patching all cloudy wares within your organisation. Investigating cloud network traffic for connections to the known dodgy domains and IPs is also a wise way to find and clear out infections. Though it did not specify how many target organisations it looked at, Palo Alto reckoned that around a quarter had live Rocke infections in their cloudy boxen.
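As an added illustration of the traffic check Palo Alto recommends (example code written for this page, not from Palo Alto or The Register), the script below sweeps constructed proxy/DNS log lines for the domains and IP address named above. The log format, the subdomain-suffix matching and the lower-confidence "payload-host" tier for GitHub/Pastebin fetches are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the article (matched with any subdomain), plus the code
# hosts it says Rocke used for payload delivery; those are low fidelity alone.
DOMAIN_VERDICTS = {"cloudappconfig.com": "rocke", "heheda.tk": "rocke",
                   "pastebin.com": "payload-host", "raw.githubusercontent.com": "payload-host"}
ROCKE_IPS = {ipaddress.ip_address("104.238.151.101")}
# Hypothetical log shape (constructed): "<timestamp> <source_ip> <host|host:port|URL>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)$")

def host_of(dst):
    """Reduce a URL, host:port or bare host to a lowercase hostname (no IPv6 literals)."""
    if "://" in dst:
        return (urlsplit(dst).hostname or "").lower()
    return dst.rsplit(":", 1)[0].lower()

def classify(host):
    """Verdict for a hostname or IP literal, or None when it matches nothing."""
    try:
        return "rocke" if ipaddress.ip_address(host) in ROCKE_IPS else None
    except ValueError:
        pass  # not an IP literal; fall through to the domain suffix checks
    for domain, verdict in DOMAIN_VERDICTS.items():
        if host == domain or host.endswith("." + domain):
            return verdict
    return None

def scan(lines):
    """Return (source_ip, destination_host, verdict) for every suspicious line."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip rather than crash the sweep
        host = host_of(match["dst"])
        if verdict := classify(host):
            hits.append((match["src"], host, verdict))
    return hits

# Constructed sample log lines (not real traffic); the paste id is a placeholder.
SAMPLE_LOG = [
    "2019-03-12T10:00:01Z 10.0.1.5 http://a.cloudappconfig.com/dl/x.sh",
    "2019-03-12T10:00:02Z 10.0.1.5 104.238.151.101:443",
    "2019-03-12T10:00:03Z 10.0.1.9 https://pastebin.com/raw/PASTEIDXX",
    "2019-03-12T10:00:04Z 10.0.1.9 https://www.example.com/",
    "2019-03-12T10:00:05Z 10.0.1.7 heheda.tk",
]
```

A "payload-host" hit on a cloud box that has no business fetching from Pastebin or raw GitHub is worth a look, but on its own it is a lead, not a verdict.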

Last year Cisco Talos uncovered Rocke, attributing it to a person or persons unknown operating from China's Jiangxi Province and deploying the Cobalt Strike malware. ®
