Cryptomining Malware Evades Detection By Cloud Security Products
Palo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin mining malware used by the Rocke group. The family is suspected to have been developed by the Iron cybercrime group, and it is also associated with the Xbash malware we reported on in September of 2018. The threat actor Rocke was originally revealed by Talos in August of 2018. The ultimate goal of this threat is to mine Monero cryptocurrency on compromised Linux machines.
Security researchers say they have discovered a unique malware family capable of gaining admin rights on targeted systems by uninstalling cloud-security products. Instances of the malicious activity are tied to coin-mining malware targeting Linux servers.
Palo Alto Networks’ Unit 42, which published the report Thursday, said that the malware samples it found do not compromise, end-run or attack the security and monitoring products in question; they rather simply uninstall them from compromised Linux servers.
“In our analysis, these attacks did not compromise these security products: Rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” Xingyu Jin and Claud Xiao, Unit 42 researchers, said in a technical write-up.
Specifically, the malware samples set about uninstalling products developed by Tencent Cloud and Alibaba Cloud (Aliyun), two leading cloud providers in China that are expanding their business globally, researchers said. These security suites include key features such as Trojan detection and removal based on machine learning, logging activity audits and vulnerability management.
Malware Attack Process:
The new Cryptomining malware is being actively used by the Rocke threat group. Rocke was first reported by Cisco Talos in July 2018, and pegged as an increasingly formidable Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.
To deliver the malware to the victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion, Unit 42 researchers said. Once the malware is downloaded, it establishes a command and control server connection and downloads a shell script called “a7” onto the system. The behaviours of a7 include:
It is at this stage that the latest malware samples include a function that deploys the never-before-seen trick: they can uninstall cloud workload protection platforms, the agent-based security protection solutions for public cloud infrastructure.
That includes the Alibaba Threat Detection Service agent, Alibaba CloudMonitor Agent, Alibaba Cloud Assistant agent; as well as the Tencent Host Security agent and Tencent Cloud Monitor agent.
The Tencent Cloud and Alibaba Cloud official websites provide documents to guide users about how to uninstall their cloud security products; researchers said it appears the new malware samples used by Rocke group follow these official uninstallation procedures.
Public cloud infrastructure is one of the main targets for this cybercrime group. Realizing that existing cloud monitoring and security products may detect the intrusion, the malware authors continue to create new evasion techniques to avoid being detected by cloud security products. The variant of the malware used by the Rocke group demonstrates that an agent-based cloud security solution alone may not be enough to prevent evasive malware targeted at public cloud infrastructure.
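Because the samples remove the agents the way an administrator would, a host-side agent cannot be relied on to report its own removal. The following added example (not code from Unit 42 or from either vendor) sketches the defender-side check this implies: scan constructed audit-style command lines for removal of the five agents named above, and compare an out-of-band list of running services against the expected baseline. The service names and log format are assumed placeholders, not the vendors' real unit names.

```python
import re

# Cloud protection agents named in the report. The keys are ASSUMED placeholder
# service names for illustration, not the vendors' real unit or package names.
EXPECTED_AGENTS = {
    "alibaba-threat-detection": "Alibaba Threat Detection Service agent",
    "alibaba-cloudmonitor": "Alibaba CloudMonitor Agent",
    "alibaba-cloud-assistant": "Alibaba Cloud Assistant agent",
    "tencent-host-security": "Tencent Host Security agent",
    "tencent-cloud-monitor": "Tencent Cloud Monitor agent",
}

# Verbs that appear in a legitimate, documented uninstall of such an agent.
# Since the malware follows the official procedure, the command itself looks
# benign; the signal is "agent name + removal verb" on a host nobody should be
# administering right now.
REMOVAL_VERBS = re.compile(r"\b(uninstall|remove|purge|stop|disable|kill)\b", re.I)

def find_agent_removals(audit_lines):
    """Scan constructed audit lines of the form '<ts> uid=<n> cmd=<...>' and
    return one record per agent-removal command found."""
    hits = []
    for line in audit_lines:
        m = re.match(r"(\S+) uid=(\d+) cmd=(.*)", line)
        if not m:
            continue  # not a command record; ignore
        ts, uid, cmd = m.groups()
        for svc, desc in EXPECTED_AGENTS.items():
            if svc in cmd and REMOVAL_VERBS.search(cmd):
                hits.append({"ts": ts, "uid": int(uid), "agent": desc, "cmd": cmd})
    return hits

def missing_agents(running_services):
    """Out-of-band presence check: compare what the host reports as running
    with the baseline. Run it from the control plane, never from the agent."""
    return sorted(desc for svc, desc in EXPECTED_AGENTS.items()
                  if svc not in running_services)

# Constructed sample data: root runs a7, then removes two agents.
SAMPLE_AUDIT = [
    "2019-01-17T03:12:01Z uid=0 cmd=/bin/sh /tmp/a7",
    "2019-01-17T03:12:02Z uid=0 cmd=systemctl stop alibaba-threat-detection",
    "2019-01-17T03:12:03Z uid=0 cmd=/bin/sh /opt/tencent-host-security/uninstall.sh",
    "2019-01-17T03:13:00Z uid=1000 cmd=ls -la /home",
]
SAMPLE_RUNNING = {"sshd", "alibaba-cloud-assistant", "tencent-cloud-monitor"}

if __name__ == "__main__":
    for h in find_agent_removals(SAMPLE_AUDIT):
        print(f"[{h['ts']}] uid={h['uid']} removed {h['agent']}: {h['cmd']}")
    print("missing agents:", missing_agents(SAMPLE_RUNNING))
```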