January 21, 2019

This Malware Turns off Your Cloud Security Tools

"Unique evasion behaviour"

By CBR Staff Writer

A new malware sample “captured” and analysed by Palo Alto Networks Unit 42 has adopted code to uninstall five different cloud security protection and monitoring products from compromised Linux servers.

It is the most recently analysed example of a cryptominer used by the China-based Rocke group, originally revealed by Cisco Talos in August of 2018 and standing out (as per their blog) for exhibiting a range of “remarkable” behaviors.

The samples captured in October 2018 exploit vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion before uninstalling cloud security products from Alibaba Cloud and Tencent Cloud, Unit 42 researchers Xingyu Jin and Claud Xiao wrote.

Only then do they start to exhibit the behavior typical of such miners, while also “killing” rival miners.

By exploiting Oracle WebLogic vulnerability CVE-2017-10271 in Linux, for example, a compromised victim machine downloads backdoor 0720.bin and opens a shell.

The anti-cloud defences function can uninstall:

  1. Alibaba Threat Detection Service agent.
  2. Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity).
  3. Alibaba Cloud Assistant agent (tool for automatically managing instances).
  4. Tencent Host Security agent.
  5. Tencent Cloud Monitor agent.


While the malware – the command and control servers for which have since been shut down – only targets Cloud Workload Protection Platforms from the two Chinese vendors and is only successful at doing so post-breach (Talos described its activities somewhat dismissively as “noisy scan-and-exploit activity”), the two argued the evolution was novel enough to deserve noting and could prove the start of a trend.

“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure” the two wrote, saying it has been coded to uninstall the agents based on publicly available guidance from Alibaba and Tencent on how to remove the cloud security tools.
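The defender's counterpart to the uninstall list above is to watch for the agents being stopped or removed. This added example (not code from the article, Unit 42 or either vendor) scans constructed audit-log lines in an assumed `key=value` format for removal verbs paired with watched agent names, and separately reports agents missing from a service inventory; the agent identifiers are placeholders, not the vendors' real package or service names.

```python
import re
from dataclasses import dataclass

# Placeholder identifiers for the five agents named in the article. These are
# assumptions for this example, NOT the vendors' real package or service names.
WATCHED_AGENTS = {
    "alibaba-tds-agent": "Alibaba Threat Detection Service agent",
    "alibaba-cloudmonitor": "Alibaba CloudMonitor agent",
    "alibaba-cloud-assistant": "Alibaba Cloud Assistant agent",
    "tencent-host-security": "Tencent Host Security agent",
    "tencent-cloud-monitor": "Tencent Cloud Monitor agent",
}

# Verbs that, applied to a watched agent, indicate removal or disablement.
# "restart" deliberately does not match: it is routine, not evasion.
REMOVAL_VERBS = re.compile(r"\b(uninstall|remove|purge|stop|disable|kill|rm)\b", re.I)

@dataclass
class Alert:
    line_no: int
    agent: str
    command: str

def find_agent_removal(log_lines):
    """Return one Alert per audit line pairing a removal verb with a watched agent."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'cmd="([^"]*)"', line)  # assumed audit format: cmd="..."
        if not m or not REMOVAL_VERBS.search(m.group(1)):
            continue
        cmd = m.group(1)
        for key, desc in WATCHED_AGENTS.items():
            if key in cmd:
                alerts.append(Alert(n, desc, cmd))
    return alerts

def missing_agents(running_services):
    """Return descriptions of watched agents absent from a service inventory."""
    present = set(running_services)
    return [desc for key, desc in WATCHED_AGENTS.items() if key not in present]

# Constructed sample audit lines (not real log data).
SAMPLE_AUDIT = [
    'ts=2018-10-03T11:02:10Z uid=0 cmd="/bin/sh /tmp/setup.sh"',
    'ts=2018-10-03T11:02:11Z uid=0 cmd="systemctl stop alibaba-tds-agent"',
    'ts=2018-10-03T11:02:12Z uid=0 cmd="apt-get remove -y tencent-host-security"',
    'ts=2018-10-03T11:02:13Z uid=0 cmd="systemctl restart alibaba-cloudmonitor"',
    'ts=2018-10-03T11:02:14Z uid=1000 cmd="ls -la /home"',
]

if __name__ == "__main__":
    for a in find_agent_removal(SAMPLE_AUDIT):
        print(f"line {a.line_no}: {a.agent} removed/stopped via: {a.command}")
```

Because the malware only acts post-breach, the inventory check is the one worth scheduling: an agent that was installed at build time and is later absent is itself the signal, whatever command removed it.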


Talos researchers have described the Rocke Group as “actively engaging in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.”
