Cloud infrastructures are a growing target for threat actors looking to mine cryptocurrency, as their vast computational power allows them to multiply the mining malware’s effect.
Keeping its presence from being noticed as long as possible is, naturally, a goal worth striving for and criminals are coming up with new ways to achieve it.
One of the approaches, employed by a threat group dubbed Rocke, is to uninstall agent-based cloud security products before downloading the mining malware and starting the mining process.
The coin miner targets Linux machines and mines Monero (by far the most popular cryptocurrency among criminals deploying mining malware).
“To deliver the malware to the victim machines, Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion. Once the C2 connection is established, malware used by Rocke group downloads shell script named as ‘a7’ to the victim machine,” Palo Alto Networks researchers discovered.
The script is capable of many things: achieving persistence through cronjobs, killing crypto mining processes that already run on the system and blocking other crypto mining malware, uninstalling agent-based cloud monitoring and security products (in the same way an admin would), downloading and running the malware, and hiding the mining process from the OS.
“During our analysis, we realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers,” the researchers noted.
The products – Alibaba Threat Detection Service, Alibaba CloudMonitor, Alibaba Cloud Assistant, Tencent Host Security and Tencent Cloud Monitor – are developed by Tencent Cloud and Alibaba Cloud, two leading Chinese cloud providers.
(To add insult to injury, the malware goes through the uninstalling process for each agent by following the steps delineated in the companies’ user guides.)
The beginning of a new trend?
The approach works, and the researchers expect this behavior to become a new trend for malware designed for targeting public cloud infrastructure.
It’s also more than likely that attackers will also turn to uninstalling other Cloud Workload Protection Platforms (CWPPs), such as those by Microsoft or cybersecurity companies such as TrendMicro and Symantec.
“The variant of the malware used by Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure,” the researchers concluded.