Rocke
Overview
Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "[email protected]" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 36 techniques across 10 tactics
Initial Access
- T1190 Exploit Public-Facing Application
Execution
- T1053.003 Cron
- T1059.004 Unix Shell
- T1059.006 Python
Persistence
- T1037 Boot or Logon Initialization Scripts
- T1543.002 Systemd Service
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1014 Rootkit
- T1027 Obfuscated Files or Information
- T1027.002 Software Packing
- T1027.004 Compile After Delivery
- T1036.005 Match Legitimate Resource Name or Location
- T1055.002 Portable Executable Injection
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1140 Deobfuscate/Decode Files or Information
- T1564.001 Hidden Files and Directories
- T1574.006 Dynamic Linker Hijacking
Defense Impairment
- T1222.002 Linux and Mac Permissions
- T1685 Disable or Modify Tools
- T1685.006 Clear Linux or Mac System Logs
- T1686 Disable or Modify System Firewall
Credential Access
- T1552.004 Private Keys
Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1518.001 Security Software Discovery
Lateral Movement
- T1021.004 SSH
Command and Control
- T1071 Application Layer Protocol
- T1071.001 Web Protocols
- T1102 Web Service
- T1102.001 Dead Drop Resolver
- T1105 Ingress Tool Transfer
- T1571 Non-Standard Port
Impact
- T1496.001 Compute Hijacking
Reporting (1)
- Rocke: The Champion of Monero Miners — Liebenberg, D.