
Rocke Cryptojacking

Posted: September 4, 2018

Rocke Cryptojacking is the collective name for a campaign of non-consensual Monero-mining attacks that uses a variety of threats, including scripts that run inside the pages open in your browser as well as Trojans and other programs that you may install on your computer unintentionally. Because the Rocke Cryptojacking campaign spans several types of threatening software and scripts, victims should layer multiple defenses against it, as outlined in this article. Because unsafely-configured mining can overheat and damage hardware, you always should disinfect any PC compromised by the Rocke Cryptojacking campaign with an appropriate anti-malware program.

The New Miner on the Block is Wearing Many Hats

The cyber-security community is tracking a months-long series of harmful cryptocurrency-mining infections, with new data from Cisco's Talos threat-intelligence group providing some insight into the responsible threat actors. This campaign distinguishes itself from similar mining attacks by deploying a flexible range of threatening software and script types rather than limiting itself to a single one. The overall spread of security risks and infections is being called the Rocke Cryptojacking campaign, a label taken from the Chinese e-mail address used in the threat actor's website registrations.

The Rocke Cryptojacking campaign leverages free Git hosting services (such as Gitee, GitHub, or GitLab) for hosting its downloads, and compromises its victims through server vulnerabilities like CVE-2017-10271 (a remote code execution flaw in Oracle WebLogic Server) and Java object deserialization bugs that allow unauthorized execution of remote code. Although the overall aim of the campaign is generating Monero for Rocke's wallets, malware experts also warn that some of the security breaches include deploying tools like Cobalt Strike, which could provide backdoor access to the system for other attacks.

Some general examples of the different threats that the Rocke Cryptojacking campaign has utilized since April of this year include:

  • XMRig, an open-source mining program that can be used either as legitimate software or with harmful intent (by configuring it to run with unsafe settings or by hiding its presence from the user).
  • TermsHost, in contrast, is a mining Trojan that injects itself into other processes, bypasses the network firewall, abuses the Windows Registry for its system persistence, and is available to any threat actor willing to pay a fourteen-dollar usage fee.
  • Rocke also uses several variants of XMRig and XMR-Stak, the latter being a mining program that supports generating cryptocurrencies besides Monero.

Don't Let Your CPU Get Rocked

Because the Rocke Cryptojacking campaign encompasses multiple mining threat types and equally flexible distribution exploits, no single defense is adequate against it. However, malware experts note that installing the appropriate security updates for the affected server software, such as Adobe's ColdFusion and Oracle's WebLogic, counters the known vulnerabilities that Rocke exploits. Staying current with patches also protects the PC from threats used in other campaigns, such as the drive-by downloads of the XMR-RIG Exploit Kit.

Not all mining threats used by the Rocke Cryptojacking campaign will cause visible symptoms; many cryptocurrency miners include 'throttling' configuration options that pause or limit mining while the PC is in active use, so the load appears only when the machine is idle. Additionally, some browser-based miners run entirely within the web page and never install anything on the computer. As a general precaution against the Rocke Cryptojacking campaign, users should keep their anti-malware solutions updated, scan new downloads before opening them, and monitor hardware usage, especially of the CPU and GPU, for unexpected load, heat, or performance degradation.
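As an added example, not part of the original article and not code from Rocke's tooling or from Cisco Talos, the following Python turns the indicators listed above (miner binary names, stratum pool URLs, Monero wallet addresses, and XMRig-style command-line flags) and the 'busy only when idle' footprint of a throttled miner into detection logic. It runs over a constructed process listing and constructed CPU samples rather than live telemetry; the host name, the wallet string, and the thresholds are assumptions, and a real deployment would feed it process and idle-time data from psutil or an EDR agent.

```python
import re
from dataclasses import dataclass

# Base58 alphabet shared by Bitcoin and Monero addresses (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Pool URL in the stratum+tcp://host:port form that XMRig-style miners accept.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://[\w.\-]+:\d+", re.I)
# Monero standard (prefix 4) and sub-address (prefix 8): 95 base58 characters.
XMR_ADDR_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])")
# Flags that XMRig / XMR-Stak style miners take; two or more on one line is suspicious.
MINER_FLAGS = ("--donate-level", "--max-cpu-usage", "--cpu-priority",
               "--background", "--nicehash", "--keepalive", "--randomx")
# Binary names that lazy deployments leave unchanged.
MINER_NAMES = ("xmrig", "xmr-stak", "minerd", "cpuminer")


def score_process(name, cmdline):
    """Return the reasons a process looks like a coin miner (empty list = clean)."""
    reasons = []
    if any(m in name.lower() for m in MINER_NAMES):
        reasons.append(f"binary name '{name}' matches a known miner")
    if STRATUM_RE.search(cmdline):
        reasons.append("command line contains a stratum pool URL")
    if XMR_ADDR_RE.search(cmdline):
        reasons.append("command line carries a Monero wallet address")
    hits = [f for f in MINER_FLAGS if f in cmdline]
    if len(hits) >= 2:
        reasons.append("miner-style flags: " + ", ".join(hits))
    return reasons


def scan(processes):
    """Map each flagged process name to its reasons, preserving listing order."""
    flagged = {}
    for name, cmdline in processes:
        reasons = score_process(name, cmdline)
        if reasons:
            flagged[name] = reasons
    return flagged


@dataclass
class Sample:
    user_idle_s: int    # seconds since the last keyboard or mouse input
    cpu_pct: float      # CPU share of the monitored process at that moment


def throttle_pattern(samples, idle_after=300, high=60.0, low=10.0):
    """True when a process is busy only while the console is idle.

    A miner throttled to 'pause while the PC is in use' shows high CPU in most
    samples taken after the user has been idle for idle_after seconds and low
    CPU in most samples taken during active use; a steady background service
    or an unthrottled miner does not alternate this way."""
    idle = [s.cpu_pct for s in samples if s.user_idle_s >= idle_after]
    active = [s.cpu_pct for s in samples if s.user_idle_s < idle_after]
    if not idle or not active:
        return False
    busy_when_idle = sum(c >= high for c in idle) / len(idle)
    quiet_when_active = sum(c <= low for c in active) / len(active)
    return busy_when_idle >= 0.8 and quiet_when_active >= 0.8


# --- constructed sample data (hypothetical pool host, synthetic wallet) ---
WALLET = "4" + (B58 * 2)[:94]   # well-formed but meaningless Monero address
PROCESSES = [
    ("svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ("chrome.exe", "chrome.exe --type=renderer"),
    ("update.exe", "update.exe --url stratum+tcp://pool.example.invalid:3333 -u "
                   + WALLET + " --donate-level 0 --max-cpu-usage 75 --background"),
    ("xmr-stak.exe", "xmr-stak.exe --config config.txt"),
]
# Telemetry for update.exe: quiet while the user types, busy once they walk away.
THROTTLED = [Sample(0, 2.0), Sample(30, 1.5), Sample(600, 78.0), Sample(900, 82.5),
             Sample(1200, 80.0), Sample(10, 3.0), Sample(3600, 79.0)]
# Telemetry for a steady background service, not tied to user activity.
STEADY = [Sample(0, 5.0), Sample(30, 4.0), Sample(600, 5.5), Sample(900, 6.0)]

if __name__ == "__main__":
    for proc, why in scan(PROCESSES).items():
        print(proc, "->", "; ".join(why))
    print("update.exe throttled-miner pattern:", throttle_pattern(THROTTLED))
    print("steady service throttled-miner pattern:", throttle_pattern(STEADY))
```

The renamed `update.exe` is caught by its command line alone, which is why the check does not rely on process names; the throttling check needs idle-time samples as well as CPU samples, because a miner that stops whenever the user is at the keyboard never shows up in a Task Manager opened by that user.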

Cryptocurrency was created as a financial good, but bad-faith actors continue to turn it into a poisoned gift. Only time will tell what else the Rocke Cryptojacking campaign has in store for its victims, but nothing good comes from letting a criminal make money by abusing your computer.
