Rocke
Associated Group Descriptions |
|
| Name | Description |
|---|---|
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.(Citation: Anomali Rocke March 2019) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018) |
| Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell |
Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.(Citation: Talos Rocke August 2018) |
| .006 | Command and Scripting Interpreter: Python |
Rocke has used Python-based malware to install and spread their coinminer.(Citation: Anomali Rocke March 2019) |
||
| Enterprise | T1543 | .002 | Create or Modify System Process: Systemd Service |
Rocke has installed a systemd service script to maintain persistence.(Citation: Anomali Rocke March 2019) |
| Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
Rocke has changed file permissions of files so they could not be modified.(Citation: Anomali Rocke March 2019) |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Rocke downloaded a file "libprocesshider", which could hide files on the target system.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019) |
| Enterprise | T1574 | .006 | Hijack Execution Flow: Dynamic Linker Hijacking |
Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Rocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019) |
| .004 | Impair Defenses: Disable or Modify System Firewall |
Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.(Citation: Talos Rocke August 2018) |
||
| Enterprise | T1070 | .002 | Indicator Removal: Clear Linux or Mac System Logs |
Rocke has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019) |
| .004 | Indicator Removal: File Deletion |
Rocke has deleted files on infected machines.(Citation: Anomali Rocke March 2019) |
||
| .006 | Indicator Removal: Timestomp |
Rocke has changed the time stamp of certain files.(Citation: Anomali Rocke March 2019) |
||
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Rocke has used shell scripts which download mining executables and saves them with the filename "java".(Citation: Talos Rocke August 2018) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019) |
| .004 | Obfuscated Files or Information: Compile After Delivery |
Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).(Citation: Anomali Rocke March 2019) |
||
| Enterprise | T1055 | .002 | Process Injection: Portable Executable Injection |
Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.(Citation: Talos Rocke August 2018) |
| Enterprise | T1021 | .004 | Remote Services: SSH |
Rocke has spread its coinminer via SSH.(Citation: Anomali Rocke March 2019) |
| Enterprise | T1053 | .003 | Scheduled Task/Job: Cron |
Rocke installed a cron job that downloaded and executed files from the C2.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Rocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019) |
| Enterprise | T1552 | .004 | Unsecured Credentials: Private Keys |
Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.(Citation: Anomali Rocke March 2019) |
| Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.(Citation: Anomali Rocke March 2019) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.