January 21, 2019

This Malware Turns off Your Cloud Security Tools

"Unique evasion behaviour"

By CBR Staff Writer

A new malware sample “captured” and analysed by Palo Alto Networks Unit 42 has adopted code to uninstall five different cloud security protection and monitoring products from compromised Linux servers.

It is the most recently analysed example of a cryptominer used by the China-based Rocke group, originally revealed by Cisco Talos in August of 2018 and standing out (as per their blog) for exhibiting a range of “remarkable” behaviors.

The samples captured in October 2018 exploit vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion before uninstalling cloud security products from Alibaba Cloud and Tencent Cloud, Unit 42 researchers Xingyu Jin and Claud Xiao wrote.

Only then does it start to exhibit the behaviour typical of such miners, while also “killing” rival miners.

By exploiting Oracle WebLogic vulnerability CVE-2017-10271 in Linux, for example, a compromised victim machine downloads backdoor 0720.bin and opens a shell.

The anti-cloud-defence function can uninstall:

  1. Alibaba Threat Detection Service agent.
  2. Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity).
  3. Alibaba Cloud Assistant agent (tool for automatically managing instances).
  4. Tencent Host Security agent.
  5. Tencent Cloud Monitor agent.


While the malware, whose command and control servers have since been shut down, only targets Cloud Workload Protection Platforms from the two Chinese vendors and only succeeds in doing so post-breach (Talos described its activities somewhat dismissively as “noisy scan-and-exploit activity”), the two researchers argued the evolution was novel enough to deserve noting and could prove the start of a trend.

“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure,” the two wrote, adding that it has been coded to uninstall the agents based on publicly available guidance from Alibaba and Tencent on how to remove the cloud security tools.
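Because the malware removes the agents cleanly by following the vendors' own uninstall instructions, the defender's signal is the agents' absence rather than anything the agent itself logs. The following added example (not code from Unit 42, Talos or either cloud vendor) checks a host's service listing against the five agents named above and flags audit records in which an agent is stopped or uninstalled; the service names, the `systemctl`-style listing and the auditd-style lines are all constructed placeholders, and real unit names must be taken from the vendors' documentation.

```python
"""Defender-side check: alert when expected cloud security agents disappear."""
from __future__ import annotations
import re

# Assumed unit names for the agents the article lists (placeholders, not
# the vendors' real service names).
EXPECTED_AGENTS = {
    "alibaba-threat-detection": "Alibaba Threat Detection Service agent",
    "alibaba-cloudmonitor": "Alibaba CloudMonitor agent",
    "alibaba-cloud-assistant": "Alibaba Cloud Assistant agent",
    "tencent-host-security": "Tencent Host Security agent",
    "tencent-cloud-monitor": "Tencent Cloud Monitor agent",
}

# Constructed sample in the style of `systemctl list-units --type=service`:
# three of the five agents are gone.
SAMPLE_UNITS = """\
alibaba-cloudmonitor.service  loaded active running Alibaba CloudMonitor
alibaba-cloud-assistant.service loaded active running Alibaba Cloud Assistant
sshd.service loaded active running OpenSSH server
"""

# Constructed auditd-style EXECVE records: two agent removals, one unrelated kill.
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1540000000.100:101): argc=3 a0="/bin/bash" a1="-c" a2="/tmp/uninstall-alibaba-threat-detection.sh"
type=EXECVE msg=audit(1540000000.200:102): argc=3 a0="systemctl" a1="stop" a2="tencent-host-security"
type=EXECVE msg=audit(1540000000.300:103): argc=3 a0="pkill" a1="-f" a2="rival-miner"
"""

def running_services(units_output: str) -> set[str]:
    """Unit names (without .service) reported as loaded, active and running."""
    pat = re.compile(r"^(\S+)\.service\s+loaded\s+active\s+running\b")
    return {m.group(1) for m in map(pat.match, units_output.splitlines()) if m}

def missing_agents(units_output: str) -> list[str]:
    """Expected agents that are not running; any entry here deserves an alert."""
    running = running_services(units_output)
    return sorted(key for key in EXPECTED_AGENTS if key not in running)

def agent_tamper_events(audit_text: str) -> list[tuple[str, str]]:
    """(audit id, agent) for EXECVE records that stop/remove a known agent."""
    hits = []
    for line in audit_text.splitlines():
        ident = re.search(r"audit\(([\d.]+:\d+)\)", line)
        argv = " ".join(re.findall(r'a\d+="([^"]*)"', line))
        if not ident or not re.search(r"\b(stop|disable|uninstall|remove|purge)\b", argv):
            continue
        hits.extend((ident.group(1), key) for key in EXPECTED_AGENTS if key in argv)
    return hits
```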


Talos researchers have described the Rocke Group as “actively engaging in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.”
