A new malware sample “captured” and analysed by Palo Alto Networks Unit 42 has adopted code to uninstall five different cloud security protection and monitoring products from compromised Linux servers.
It is the most recently analysed example of a cryptominer used by the China-based Rocke group, originally revealed by Cisco Talos in August of 2018 and standing out (as per their blog) for exhibiting a range of “remarkable” behaviors.
The samples captured in October 2018 exploit vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion before uninstalling cloud security products from Alibaba Cloud and Tencent Cloud, Unit 42 researchers Xingyu Jin and Claud Xiao wrote.
Only then do they start to exhibit the behavior typical of such miners. (While also “killing” rival miners).
While the malware – the command and control servers for which have since been shut down – only targets Cloud Workload Protection Platforms from the two Chinese vendors and is only successful at doing so post-breach (Talos described its activities somewhat dismissively as “noisy scan-and-exploit activity”), the two argued the evolution was novel enough to deserve noting and could prove the start of a trend.
“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure” the two wrote, saying it has been coded to uninstall the agents based on publicly available guidance from Alibaba and Tencent on how to remove the cloud security tools.