Unit 42, the threat intelligence team of Palo Alto Networks, has identified a new campaign that mines the Monero cryptocurrency on Chinese public cloud infrastructure:
"Palo Alto Networks has recently captured and studied new samples of the coin-mining malware used by the Rocke group. The family was suspected of having been developed by the Iron crime group and is also associated with the Xbash malware reported in September 2018."
According to Talos Intelligence, "the Rocke threat actor" is a Chinese-language malware purveyor responsible for "taking advantage of Western and Chinese Git repositories to deliver malware to honeypot systems …"
In its latest campaign, Rocke has targeted the public clouds run by Alibaba and Tencent: Tencent Cloud and Alibaba Cloud (Aliyun).
According to Palo Alto:
"To our knowledge, this is the first family of malware that has developed the unique ability to detect and remove cloud security products, which also highlights a new challenge for products in the cloud workload protection platform market defined by Gartner."
The attack uninstalls the cloud providers' host-based security agents so that the Monero mining malware can run on the instances' computing power without being detected.
The mined proceeds are then sent to the attackers' wallets. Alibaba and Tencent, "the two leading cloud service providers in China that are expanding their business globally," are left with the resulting compute and electricity bills.
Monero is the currency favored by cryptomining malware operators because it has the best reputation and the most liquidity of the "privacy coin" cryptocurrencies.
Unlike Bitcoin, Monero obscures both the identities of the transacting parties and the amounts recorded on its ledger.
Numerous public systems, including a Starbucks Wi-Fi network, have been hijacked to mine Monero covertly on behalf of attackers.
Clouds are attractive targets because they give access to enormous pools of computing power, and more computing power means more mining revenue.
Palo Alto states that Rocke's first move in the cloud attack is "to get full administrative control over the hosts and then abuse the complete administrative control to uninstall the (security) products … in the same way that a legitimate administrator would."
Palo Alto Networks Unit 42 is now working with Tencent Cloud and Alibaba Cloud, "to tackle the problem of malware evasion and its C2 infrastructure".
The attackers also "continued to develop more effective ways to circumvent detection by killing multiple agent-based cloud security services".
Rocke's removal of the cloud providers' host-based defenses is quite thorough:
"This function can uninstall:
- Alibaba Threat Detection Service Agent.
- Alibaba CloudMonitor Agent (monitors CPU and memory consumption and network connectivity).
- Alibaba Cloud Assistant Agent (tool for the automatic management of instances).
- Tencent Host Security Agent.
- Tencent Cloud Monitor Agent."
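The practical lesson of the uninstall routine above, and of the "just like a legitimate administrator would" observation, is that a host-resident agent cannot be trusted to report its own removal: an attacker with root can stop it, uninstall it, or leave it running but gagged. The signal that survives is the one the attacker cannot fake from inside the host, namely that the control plane stops receiving the agent's heartbeats. The following is an added example, not code from Unit 42, Alibaba or Tencent. It assumes a hypothetical monitoring backend that records one heartbeat line per (host, agent); the agent labels, the heartbeat line format, the host IDs and the log lines themselves are constructed for the example and are not the providers' real process names or formats.

```python
"""
Off-host detection of silenced cloud-security agents.

Added example (not Unit 42, Alibaba or Tencent code). Assumes a hypothetical
backend that writes one heartbeat line per (host, agent) in the form
"<ISO-8601 UTC time> host=<id> provider=<name> agent=<label>" and that every
expected agent reports at least once per MAX_GAP. All names are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Agents the article lists as targets, keyed by provider. The labels are
# assumed for this example; they are not the agents' real service names.
EXPECTED_AGENTS = {
    "alibaba": ["threat-detection-agent", "cloudmonitor-agent", "cloud-assistant-agent"],
    "tencent": ["host-security-agent", "cloud-monitor-agent"],
}

# Constructed sample heartbeats. i-0001 is healthy; on i-0002 two of three
# agents stop reporting at the same time (the uninstall pattern); on ins-0003
# only one agent goes quiet; i-0004 never registered two expected agents.
SAMPLE_LOG = """\
2019-01-17T10:00:05Z host=i-0001 provider=alibaba agent=threat-detection-agent
2019-01-17T10:00:06Z host=i-0001 provider=alibaba agent=cloudmonitor-agent
2019-01-17T10:00:07Z host=i-0001 provider=alibaba agent=cloud-assistant-agent
2019-01-17T10:00:10Z host=i-0002 provider=alibaba agent=threat-detection-agent
2019-01-17T10:00:11Z host=i-0002 provider=alibaba agent=cloudmonitor-agent
2019-01-17T10:00:12Z host=i-0002 provider=alibaba agent=cloud-assistant-agent
2019-01-17T10:00:20Z host=ins-0003 provider=tencent agent=host-security-agent
2019-01-17T10:00:21Z host=ins-0003 provider=tencent agent=cloud-monitor-agent
2019-01-17T10:05:05Z host=i-0001 provider=alibaba agent=threat-detection-agent
2019-01-17T10:05:06Z host=i-0001 provider=alibaba agent=cloudmonitor-agent
2019-01-17T10:05:07Z host=i-0001 provider=alibaba agent=cloud-assistant-agent
2019-01-17T10:05:12Z host=i-0002 provider=alibaba agent=cloud-assistant-agent
2019-01-17T10:05:21Z host=ins-0003 provider=tencent agent=cloud-monitor-agent
2019-01-17T10:06:00Z host=i-0004 provider=alibaba agent=cloudmonitor-agent
"""

NOW = datetime(2019, 1, 17, 10, 7, 0, tzinfo=timezone.utc)  # evaluation time
MAX_GAP = timedelta(minutes=5)                               # heartbeat SLA


def parse_heartbeats(text):
    """Fold heartbeat lines into {host: {"provider": p, "agents": {agent: last_seen}}}."""
    state = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = state.setdefault(kv["host"], {"provider": kv["provider"], "agents": {}})
        prev = host["agents"].get(kv["agent"])
        if prev is None or seen > prev:      # keep only the latest heartbeat
            host["agents"][kv["agent"]] = seen
    return state


def find_silenced_agents(state, expected=EXPECTED_AGENTS, now=NOW, max_gap=MAX_GAP):
    """Return {host: {agent: reason}} for every expected agent that is stale or absent.

    Stale means the last heartbeat is older than max_gap; absent means the
    control plane never saw the agent at all. Both are alert-worthy because a
    root-level uninstall looks exactly like this from outside the host.
    """
    alerts = {}
    for host, info in state.items():
        silenced = {}
        for agent in expected.get(info["provider"], []):
            last = info["agents"].get(agent)
            if last is None:
                silenced[agent] = "never reported"
            elif now - last > max_gap:
                silenced[agent] = f"stale since {last.isoformat()}"
        if silenced:
            alerts[host] = silenced
    return alerts


def classify(alerts, expected=EXPECTED_AGENTS, state=None):
    """Label each alerted host: several agents silenced together suggests an
    uninstall sweep; a single silent agent is more likely an agent crash."""
    verdicts = {}
    for host, silenced in alerts.items():
        verdicts[host] = "multiple-agents-silenced" if len(silenced) >= 2 else "single-agent-down"
    return verdicts


if __name__ == "__main__":
    found = find_silenced_agents(parse_heartbeats(SAMPLE_LOG))
    for host, verdict in classify(found).items():
        print(host, verdict, found[host])
```

The check runs where the attacker has no root: in the provider's or the tenant's own monitoring account, fed by heartbeats the agents push out. A host whose agents all go quiet within one window, while the instance itself is still billing CPU time, is exactly the pattern described here and should be treated as a compromise rather than an agent outage. An agent-side "I am still installed" self-check adds nothing, because it disappears along with the agent.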
Palo Alto states that this kind of cloud-focused cryptomining could be the future:
"We believe this unique evasion behavior will be the new trend for malware targeting public cloud infrastructure."
The Rocke attacks also suggest that more robust cloud security technologies will be needed:
"The variant of malware used by the Rocke group is an example that shows that the agent-based cloud security solution may not be sufficient to prevent evasive malware targeting public cloud infrastructure."