The Mining Ninja

Augusto Remillano, Hazel Poligratis/TrendMicro

For years, malware threats have been constantly evolving due to financial gains and valuable information that can be obtained. One of the most active threat actor groups who specialize in cryptomining is the Rocke group. Operating mainly in China, the group targeted Linux servers running vulnerable services to hijack their resources for cryptocurrency mining. It is well known for using the technique of installing a rootkit in order to hide malicious activities from system monitoring tools.

We first encountered the group in October 2018. Redis servers were infected by a cryptomining malware bundled with a user land rootkit component that hides the malicious process from common monitoring tools. The rootkit uses Linux’s ld.so.preload in order to hook specific libc functions. Pastebin was also used by the group for its C&C operations, using the site to host and roll out updates for its malware.

Around April 2019, we encountered another Rocke campaign with similar tactics and techniques as last year’s. The second campaign expanded its arrival methods by using multiple exploits to propagate itself. Its rootkit component was also heavily revamped: Not only was it able to hide the miner process, but it was also already capable of forging CPU usage statistics and network traffic information.

In this study, we will provide a comprehensive end-to-end technical analysis of the two Rocke campaigns. The various effective techniques used by the group to evade detection by threat analysts and system administrators will be thoroughly explored. More importantly, we will present the methods to circumvent those techniques.

November 7 at 11:20 - 11:40, Stage A

Augusto Remillano II: Augusto Remillano II is a threat analyst and researcher at Trend Micro. His main responsibilities include conducting research on noteworthy and emerging threats and providing in-depth analysis on different kinds of malware. In addition, he also regularly contributes to the TrendLabs Security Intelligence blog. Prior to joining Trend Micro, he worked as a research assistant in the University of the Philippines Diliman where he worked on experimental network protocols.

Hazel Ann T. Poligratis: Hazel Ann Poligratis is a threat analyst and researcher at Trend Micro`s Core Tech PH Global Escalation Team. She graduated with special awards from Mapua Institute of Technology (now Mapua University) where she holds a bachelor degree in Computer Engineering. She does analysis and provide solution for malware arrivals, exploit kits, vulnerabilities and other related malicious activities in the system. She is capable of analyzing product and event logs, creating malware reports and performing in-depth analysis of malware families. Prior to this, she also did Quality Analysis involving test designs, automation, and evaluation of quality processes. In her free time, Hazel loves to travel, watch anime and play computer games.