Malware used by “Rocke” group evolves to evade detection by cloud security products

Palo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin mining malware used by the Rocke group. The family was suspected to be developed by the Iron cybercrime group and it’s also associated with the Xbash malware reported on last month. The threat actor Rocke was originally revealed by Talos in August of 2018 and many remarkable behaviors were disclosed in their blog post. During the analysis, the researchers realized that these samples used by Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. In the analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.