Malware used by Rocke group evolves to evade detection by cloud security products
Palo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin-mining malware used by the Rocke group. The family is suspected to have been developed by the Iron cybercrime group, and it is also associated with the Xbash malware reported on last month. The threat actor Rocke was originally revealed by Talos in August of 2018, and many remarkable behaviors were disclosed in their blog post.
During the analysis, the researchers realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. These attacks did not compromise the security products themselves: rather, the attackers first gained full administrative control over the hosts and then abused that control to uninstall the products in the same way a legitimate administrator would.
These products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China, both of which are expanding their business globally. To the best of our knowledge, this is the first malware family to develop the capability to target and remove cloud security products. This also highlights a new challenge for products in the Cloud Workload Protection Platforms market defined by Gartner.
The Coin Miner used by Rocke Group
The threat actor Rocke was first reported by Cisco Talos in late July 2018. The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines.
To deliver the malware to victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion. For example, by exploiting the Oracle WebLogic vulnerability CVE-2017-10271 on Linux (shown in Figure 1), the compromised victim machine downloads the backdoor 0720.bin and opens a shell.
Cloud Workload Protection Platforms
According to Gartner, Cloud Workload Protection Platforms (CWPPs) are agent-based, workload-centric security protection solutions. To mitigate the impact of malware intrusions in public cloud infrastructure, cloud service providers develop their own CWPPs as server security operation and management products.
For example, Tencent Cloud offers Tencent Host Security with various security protection services. According to its “Product Overview” document, Tencent Host Security provides key security features like trojan detection and removal based on machine learning, password cracking alert, logging activity audit, vulnerability management and asset management.
Alibaba Cloud (Aliyun) also offers a cloud security product called Threat Detection Service. Alibaba Cloud Threat Detection Service provides security services such as malware scanning and removal, vulnerability management, log analysis and threat analysis based on big data.
Third-party cybersecurity companies also provide CWPPs. For instance, Trend Micro, Symantec and Microsoft have their own cloud security products for public cloud infrastructure. As with all security products, adversaries inevitably work to evade these systems to be able to achieve their ultimate goals.
Evading detection from Cloud Workload Protection Platforms
In response to the agent-based Cloud Workload Protection Platforms offered by cloud service providers, the malware used by the Rocke group has gradually developed the capability to evade detection before exhibiting any malicious behavior. Specifically, the malware uninstalls the cloud security products of Alibaba Cloud and Tencent Cloud.
The early version of the malware used by Rocke only attempts to kill the Tencent Cloud Monitor process.
Realizing that killing the cloud monitor service alone is not enough to evade detection by agent-based cloud security products, the malware authors continued developing more effective evasion methods by killing additional agent-based cloud security services.
The Tencent Cloud and Alibaba Cloud official websites provide documents that guide users on how to uninstall their cloud security products. The document for uninstalling Alibaba Threat Detection Service
The malware used by the Rocke group follows the uninstallation procedures provided by Alibaba Cloud and Tencent Cloud, as well as some random blog posts on the Internet. The key uninstall function.
After the agent-based cloud security and monitoring products are uninstalled, the malware used by the Rocke group begins to exhibit its malicious behavior. It is believed that this unique evasion behavior will become a new trend for malware that targets public cloud infrastructure.
Palo Alto Networks Unit 42 has cooperated with Tencent Cloud and Alibaba Cloud to address the malware's evasion behavior and its C2 infrastructure. Additionally, the malicious C2 domains are identified by PAN-DB URL Filtering.
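As an added defender-side example (not code from the Unit 42 post or from either cloud vendor), the following Python flags the sequence described above in host process telemetry: a root process runs a kill- or uninstall-style command, a protected agent process exits, and the agent is not restarted. The agent process names, the uninstall script path and the event records are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List

# Placeholder agent names; a defender substitutes the real process names of their CWPP.
PROTECTED_AGENTS = {"cloud_monitor_agent", "cloud_security_agent"}
TAMPER_MARKERS = ("pkill", "kill", "uninstall", "systemctl stop", "chkconfig")

@dataclass
class Event:
    ts: int        # seconds since epoch
    uid: int       # effective uid of the acting process (0 = root)
    action: str    # "exec" or "exit"
    comm: str      # process name
    argv: str = "" # command line, for exec events

def find_agent_tampering(events: List[Event], window: int = 600) -> List[dict]:
    """Alert when a protected agent exits shortly after a root kill/uninstall command
    and is not restarted within `window` seconds (a crash that is restarted is ignored)."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.action != "exit" or ev.comm not in PROTECTED_AGENTS:
            continue
        # Look back: root exec of a kill/uninstall-style command within the window.
        precursors = [p for p in events[:i]
                      if p.action == "exec" and p.uid == 0 and ev.ts - p.ts <= window
                      and any(m in p.argv for m in TAMPER_MARKERS)]
        # Look forward: a restart of the same agent means this was not a removal.
        restarted = any(n.action == "exec" and n.comm == ev.comm
                        and 0 <= n.ts - ev.ts <= window for n in events[i + 1:])
        if precursors and not restarted:
            alerts.append({"agent": ev.comm, "ts": ev.ts, "precursor": precursors[-1].argv})
    return alerts

# Constructed sample telemetry mirroring the sequence described in the post.
SAMPLE_EVENTS = [
    Event(1000, 0, "exec", "bash", "bash -c 'pkill -9 cloud_monitor_agent'"),
    Event(1001, 0, "exit", "cloud_monitor_agent"),
    Event(1005, 0, "exec", "sh", "sh /opt/placeholder/uninstall.sh"),
    Event(1006, 0, "exit", "cloud_security_agent"),
    Event(1600, 0, "exec", "miner_placeholder", "/tmp/miner_placeholder"),
    # Benign: the agent crashes and its supervisor restarts it, no root kill beforehand.
    Event(5000, 0, "exit", "cloud_monitor_agent"),
    Event(5030, 0, "exec", "cloud_monitor_agent", "/usr/local/bin/cloud_monitor_agent"),
]

if __name__ == "__main__":
    for alert in find_agent_tampering(SAMPLE_EVENTS):
        print(alert)
```

Because a legitimate administrator produces exactly the same sequence, these alerts are a triage signal to compare against change records, not proof of compromise.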
Conclusion
Public cloud infrastructure is one of the main targets of cybercrime groups. Realizing that existing cloud monitoring and security products may detect malware intrusions, malware authors continue to create new evasion techniques to avoid detection by cloud security products.
This variant of the malware used by the Rocke group demonstrates that agent-based cloud security solutions alone may not be enough to prevent evasive malware targeting public cloud infrastructure.