misp-circl-feed/feeds/circl/misp/5c439ed9-0028-4c97-b3a2-4cea02de0b81.json

1 line
11 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{"Event": {"info": "OSINT - Malware Used by \u201cRocke\u201d Group Evolves to Evade Detection by Cloud Security Products", "Tag": [{"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:tool=\"Xbash\""}, {"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#0071c3", "exportable": true, "name": "osint:lifetime=\"perpetual\""}, {"colour": "#0087e8", "exportable": true, "name": "osint:certainty=\"50\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}], "publish_timestamp": "0", "timestamp": "1547935810", "analysis": "0", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5c439eef-3ac4-4434-80cd-439402de0b81", "timestamp": "1547935471", "to_ids": false, "value": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5c439f03-fadc-4d85-b07d-45f902de0b81", "timestamp": "1547935491", "to_ids": false, "value": "Palo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin mining malware used by the Rocke group. The family was suspected to be developed by the Iron cybercrime group and it\u2019s also associated with the Xbash malware we reported on in September of 2018. The threat actor Rocke was originally revealed by Talos in August of 2018 and many remarkable behaviors were disclosed in their blog post. The samples described in this report were collected in October of 2018, and since that time the command and control servers they use have been shut down.\r\n\r\nDuring our analysis, we realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.\r\n\r\nThese products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China that are expanding their business globally. To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products. This also highlights a new challenge for products in the Cloud Workload Protection Platforms market defined by Gartner.", "disable_correlation": false, "object_relation": null, "type": "text"}, {"comment": "Sample with the evasion behavior", "category": "Payload delivery", "uuid": "5c439fd1-ece0-421c-90e3-43ea02de0b81", "timestamp": "1547935697", "to_ids": true, "value": "2e3e8f980fde5757248e1c72ab8857eb2aea9ef4a37517261a1b013e3dc9e3c4", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Sample with the evasion behavior", "category": "Payload delivery", "uuid": "5c439fd2-77e4-4abd-b606-43bc02de0b81", "timestamp": "1547935698", "to_ids": true, "value": "2f603054dda69c2ac1e49c916ea4a4b1ae6961ec3c01d65f16929d445a564355", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Sample with the evasion behavior", "category": "Payload delivery", "uuid": "5c439fd2-d5b8-4f82-8273-4f0f02de0b81", "timestamp": "1547935698", "to_ids": true, "value": "28ea5d2e44538cd7fec11a28cce7c86fe208b2e8f53d57bf8a18957adb90c5ab", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Sample with the evasion behavior", "category": "Payload delivery", "uuid": "5c439fd3-fa2c-45d9-9b5e-42fe02de0b81", "timestamp": "1547935699", "to_ids": true, "value": "232c771f38da79d5b8f7c6c57ddb4f7a8d6d44f8bca41be4407ed4923096c700", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Sample with the evasion behavior", "category": "Payload delivery", "uuid": "5c439fd3-c2dc-4594-9f10-4bf102de0b81", "timestamp": "154