A new malware sample “captured” and analysed by Palo Alto Networks Unit 42 has adopted code to uninstall five different cloud security protection and monitoring products from compromised Linux servers.
It is the most recently analysed example of a cryptominer used by the China-based Rocke group, which Cisco Talos first disclosed in August 2018, noting in its blog post that the group stood out for exhibiting a range of “remarkable” behaviors.
The samples captured in October 2018 exploit vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion before uninstalling cloud security products from Alibaba Cloud and Tencent Cloud, Unit 42 researchers Xingyu Jin and Claud Xiao wrote.
Only then do they start to exhibit the behavior typical of such miners, while also “killing” rival miners.
The anti-cloud-defence function can uninstall:
- Alibaba Threat Detection Service agent.
- Alibaba CloudMonitor agent (monitors CPU and memory consumption and network connectivity).
- Alibaba Cloud Assistant agent (a tool for automatically managing instances).
- Tencent Host Security agent.
- Tencent Cloud Monitor agent.
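Because the sample removes the very agents that would report on it, the absence of agent telemetry from a host that is otherwise still reachable is itself the detection signal. The following check is an added example, not code from Unit 42 or either cloud vendor; the agent names are those listed above, while the heartbeat feed format, the out-of-band reachability source and all timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Agents the Rocke sample is reported to remove (names from the article);
# the mapping key is the cloud provider the host runs on.
EXPECTED_AGENTS = {
    "alibaba": ("Threat Detection Service", "CloudMonitor", "Cloud Assistant"),
    "tencent": ("Host Security", "Cloud Monitor"),
}
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")
def silent_agents(heartbeats, hosts, now, max_gap=timedelta(minutes=10)):
    """Return {host: [agent, ...]} for hosts that are still reachable but whose
    expected agents have not reported within max_gap.
    heartbeats: (host, agent, iso_timestamp) records from the agent feed.
    hosts: {host: (provider, reachable)} from an out-of-band source such as
           hypervisor status, so a powered-off host is not mistaken for one
           whose agents were removed."""
    last_seen = {}
    for host, agent, ts in heartbeats:
        t = parse_ts(ts)
        if (host, agent) not in last_seen or t > last_seen[(host, agent)]:
            last_seen[(host, agent)] = t
    findings = {}
    for host, (provider, reachable) in hosts.items():
        if not reachable:
            continue  # whole host is down: an outage, not agent removal
        silent = [a for a in EXPECTED_AGENTS[provider]
                  if (host, a) not in last_seen or now - last_seen[(host, a)] > max_gap]
        if silent:
            findings[host] = silent
    return findings

# Constructed sample data: web-01 is reachable but its agents went quiet,
# web-02 is healthy, db-01 is powered off and must not be flagged.
NOW = parse_ts("2018-10-15T10:30:00")
SAMPLE_HOSTS = {"web-01": ("alibaba", True), "web-02": ("alibaba", True),
                "db-01": ("tencent", False)}
SAMPLE_HEARTBEATS = [
    ("web-01", "Threat Detection Service", "2018-10-15T09:40:00"),
    ("web-01", "CloudMonitor", "2018-10-15T09:41:00"),
    ("web-01", "Cloud Assistant", "2018-10-15T09:41:00"),
    ("web-02", "Threat Detection Service", "2018-10-15T10:28:00"),
    ("web-02", "CloudMonitor", "2018-10-15T10:29:00"),
    ("web-02", "Cloud Assistant", "2018-10-15T10:29:00"),
    ("db-01", "Host Security", "2018-10-15T08:00:00"),
]
if __name__ == "__main__":
    for host, agents in silent_agents(SAMPLE_HEARTBEATS, SAMPLE_HOSTS, NOW).items():
        print(f"{host}: agents silent while host reachable: {', '.join(agents)}")
```

The reachability input matters: without it, every ordinary shutdown would look like an agent removal, so the check should be fed from something the compromised host cannot silence, such as the cloud console's instance state.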
While the malware – the command and control servers for which have since been shut down – only targets Cloud Workload Protection Platforms from the two Chinese vendors and is only successful at doing so post-breach (Talos described its activities somewhat dismissively as “noisy scan-and-exploit activity”), the two argued the evolution was novel enough to deserve noting and could prove the start of a trend.
“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure,” the two wrote, saying it has been coded to uninstall the agents based on publicly available guidance from Alibaba and Tencent on how to remove the cloud security tools.
Talos researchers have described the Rocke Group as “actively engaging in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.”