Rocke is a cryptocurrency-mining malware variant that uses toolkits such as Git repositories, HttpFileServers (HFS), and various payloads, including shell scripts, JavaScript backdoors, and ELF and PE miners. The malware was first seen by researchers at Cisco Talos in April 2018 delivering malware to honeypot systems vulnerable to an Apache Struts vulnerability, and later exploiting an Oracle WebLogic server vulnerability and an Adobe ColdFusion vulnerability. In July 2018, researchers observed the actor distributing Rocke in a new campaign and uncovered additional information about the malware. Rocke detects and uninstalls several Chinese anti-virus programs and uses the XMRig Monero miner and TermsHost.exe, a PE32 Monero miner. Cisco Talos researchers believe the actor will continue to leverage Git repositories to download and execute illicit miners on victim machines. The actors likely use social engineering as their infection vector, through fake Adobe Flash and Google Chrome updates.

Technical Details and Reporting

  • Cisco Talos provides technical details on the Rocke cryptocurrency-mining malware here.