{
	"id": "5d224dad-8d10-41d1-9bd9-6110b4fb1bba",
	"created_at": "2026-04-06T00:14:21.863324Z",
	"updated_at": "2026-04-10T03:28:24.254076Z",
	"deleted_at": null,
	"sha1_hash": "2f720cf793ed13ecc893e1aeb5879063b762bbcd",
	"title": "New Rocke Variant Ready to Box Any Mining Challengers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3743742,
	"plain_text": "New Rocke Variant Ready to Box Any Mining Challengers\r\nBy Joie Salvio\r\nPublished: 2019-05-28 · Archived: 2026-04-05 14:51:59 UTC\r\nFortiGuard Labs Breaking Threat Research\r\nhttps://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html\r\nFortiGuard Labs has been monitoring a Linux coin mining campaign from “Rocke”, a malware threat group\r\nspecializing in cryptomining. Over the past month we have seen new features constantly being added to the\r\nmalware. For instance, in their latest major update, they added a function that exploits systems running the\r\nsoftware development automation server Jenkins to increase their chance of infecting more systems, thereby\r\ngenerating more profit. They have also evolved the malware by adding new attack stages, as well as\r\nnew redundancies in its multi-component execution, to make it more dynamic and flexible.\r\nThis post goes through the general behaviour of the malware as well as the new features we have documented\r\nduring our monitoring.\r\nFigure 1: Basic Execution Flow\r\nStage1 and Stage2\r\nThe malicious bash script components of the malware are hosted on Pastebin under the profile name\r\n“SYSTEMTEN”, which is very similar to previous names used by the “Rocke” threat group. It is worth noting that\r\nmost of the time there are several paste links that point to the same script. Presumably, the redundancy is for\r\noperational continuity in case, for some reason, other links are removed. The paste links for the scripts seem to\r\nchange every few days, so manually monitoring the threat can be tedious. 
Similar redundancies can also be\r\nfound in other parts of this malware’s behavior.\r\nFigure 2: Pastebin Profile Hosting the Scripts\r\nIn a nutshell, the infection begins with the execution of the Stage1 script, which may reach a system\r\nthrough various means, including manual intrusion, lateral movement from previous infections inside the\r\nnetwork, classic automated internet vulnerability scanning, service login brute-forcing, and exploitation.\r\nThe sole purpose of the Stage1 script is to download the Stage2 script with either wget or curl and\r\nthen execute it.\r\nFigure 3: Stage1 Script\r\nThe Stage2 script then performs the following:\r\nAdds a CRON job that downloads and executes the Stage1 script periodically. In this case, the schedule\r\n* * * * * means the script will execute every minute.\r\nFigure 4: Adding CRON Job for Stage1\r\nMaximizes the processing power available to its own miner by terminating processes related to other miners.\r\nFigure 5: Terminating Existing Miners\r\nDownloads the main payload binary appropriate to the system’s architecture (32-bit or 64-bit). Two different\r\ndownload URLs are assigned to each architecture in case either of them is inaccessible. It is also\r\ninteresting to note that there is often a link containing a timestamp that suggests its upload or compile time.\r\nFigure 6: Downloading Main Payload\r\nIn older variants, the download links all led straight to the binary payload. Just a few days ago,\r\nhowever, the actors added a new loader stage before the actual execution of the payload. 
In the case of this recent\r\nversion, some of the links now serve large Python scripts that embed the base64-encoded ELF binary; the script\r\ndecodes and decompresses the embedded data and then executes the main binary payload.\r\nFigure 7: New Loader Binary for the Main Payload\r\nThe malware spreads laterally by reading the SSH known_hosts file, which lists the SSH hosts that the\r\nvictim’s system has previously connected to, and executing the Stage1 script on them. A second test is performed\r\nfirst to verify that public key authentication to the remote host is possible.\r\nFigure 8: Propagating Through SSH known_hosts\r\nMain Payload\r\nThe main binary acts as the manager of the malware’s operation on the system. It ensures that the components are\r\nregularly updated, persistent, and hidden from the user, and ultimately it executes the cryptominer.\r\nCompression\r\nThe main payload is written in Go and was at first packed with stock UPX. However,\r\nin March of this year, the actors switched to a “custom” UPX compression simply by changing the packed binaries’\r\nUPX section names and magic to “LSD!”. It is a simple trick, but it can be very effective in evading file-based detection because\r\nin most cases, engines can only decompress UPX-packed files whose headers are intact. 
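The following Python is an added example for this section, not code from the post or from the Rocke samples. It assumes, as is standard for UPX, that the packer stamps its output with the four-byte marker 'UPX!' (in the l_info header and again in the trailing pack header) and that the actors replaced that marker with 'LSD!'; the file image built by build_sample() is a constructed stand-in, not a real binary. Restoring the marker is usually enough for a stock upx -d to unpack the sample for static analysis:

```python
# Added example: find a renamed UPX marker in a packed file image and put the
# original bytes back so a stock upx -d can unpack the sample.
# Assumptions (not from the post): UPX writes the magic 'UPX!' in its l_info
# header and in the trailing pack header; the Rocke samples rename it to 'LSD!'.
from typing import List, Tuple

UPX_MAGIC = b'UPX!'
ROCKE_MAGIC = b'LSD!'


def find_markers(image: bytes, marker: bytes) -> List[int]:
    '''Every offset at which the marker occurs in the file image.'''
    offsets = []
    start = 0
    while True:
        idx = image.find(marker, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def classify(image: bytes) -> str:
    '''Rough triage of how the sample was packed (a string match, not a verdict).'''
    if find_markers(image, UPX_MAGIC):
        return 'upx'
    if find_markers(image, ROCKE_MAGIC):
        return 'upx-renamed-lsd'
    return 'unknown'


def restore_upx_magic(image: bytes) -> Tuple[bytes, int]:
    '''Rewrite each 'LSD!' marker back to 'UPX!'. Only those four bytes change,
    so sizes, offsets and the packer checksums are the original ones again.'''
    offsets = find_markers(image, ROCKE_MAGIC)
    buf = bytearray(image)
    for off in offsets:
        buf[off:off + 4] = UPX_MAGIC
    return bytes(buf), len(offsets)


def build_sample(marker: bytes) -> bytes:
    '''Constructed stand-in for a packed ELF image: ELF ident, a fake l_info
    header carrying the marker, opaque packed data, then the trailer.'''
    elf_ident = bytes([0x7F]) + b'ELF' + bytes(12)
    l_info = bytes(4) + marker + bytes(4)     # checksum, magic, lsize/version/format
    packed = bytes(range(64))
    trailer = marker + bytes(28)
    return elf_ident + l_info + packed + trailer


if __name__ == '__main__':
    sample = build_sample(ROCKE_MAGIC)
    print('before:', classify(sample))
    fixed, patched = restore_upx_magic(sample)
    print('after:', classify(fixed), 'markers restored:', patched)
```

Only the four marker bytes are rewritten, so if the actors changed nothing else the restored file is byte-for-byte the original packer output, including the UPX header checksums, and upx -d accepts it. Do this in an isolated analysis VM, and treat classify() as triage: an unrelated file that happens to contain the string 'UPX!' will match too.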
\r\nFigure 9: Malware Switches to Custom UPX\r\nPersistence and Stealth Mechanisms\r\nThis malware employs multiple persistence and stealth mechanisms to keep its mining operation running on an infected\r\nsystem.\r\nIt adds the service netdns to ensure that the payload binary, /usr/sbin/kerberods, executes on boot.\r\nFigure 10: Init Scripts for the Malware Service\r\nSeveral CRON jobs are also added that regularly download and execute the Stage1 script. This keeps the\r\ncomponents updated with new developments from the threat developers. In older versions, these Pastebin URLs\r\nwere all straightforward and hardcoded in the binary. In more recent variants, however, the Pastebin IDs have\r\nbecome more dynamic: another stage was added in the form of a new Pastebin URL from which the IDs are\r\nobtained. In case this URL is inaccessible, a hardcoded ID is still available for the malware to fall back on.\r\nFigure 11: Added CRON Jobs Pointing to the Stage1 Script\r\nTo hide its mining operation, a hooking library (/usr/local/lib/\u003cfilename\u003e.so) is installed for dynamic library\r\npreloading. It does this by adding the library’s path to /etc/ld.so.preload, so the dynamic linker loads the library into\r\nevery new dynamically linked process (statically linked binaries are unaffected, which gives analysts a way around\r\nthe hooks).\r\nThe library’s filename is chosen at random from a list of hardcoded strings in the binary, unlike\r\nthe older variants, which simply used one hardcoded filename. The image below shows just a few of the filenames\r\nthat it can use.\r\nFigure 12: Snippet of filename List\r\nIn a nutshell, the malware’s library component hooks functions so that any application trying to access\r\ninformation related to the malware is presented with a fake result. 
These functions are related to the listing of\r\nfiles, network activity, processes, and CPU usage information.\r\nFigure 13: Library with Hooked Functions Highlighted\r\nFor instance, if an application tries to list a directory where a component of the malware resides, the library\r\nensures that the malicious file is not included in the result. To achieve this, the malware hooks the fopen API.\r\nThe same principle applies to the other artifacts related to it, making it harder for victims to discover and remove\r\nthe malware.\r\nFigure 14: Hook Function For fopen\r\nFigure 15: Hidden Library Function\r\nTo conceal the actual CPU statistics, if an application attempts to read the /proc/stat file, the function\r\nforce_proc_cpu is called to return a hardcoded statistic showing 0% CPU usage.\r\nFigure 16: Function that Returns the Fake /proc/stat\r\nFigure 17: top Tool Display Before and After the Malicious Library is Preloaded\r\nPropagation\r\nIn earlier versions deployed in this campaign, the malware spread through a classic credential brute-force method\r\ntargeting SSH (port 22) and Redis (port 6379) services. Basically, it scanned every IP address in the network and\r\nattempted to establish a session to these services using a long hardcoded list of credentials.\r\nHowever, around a month ago, the threat actors started targeting systems that run Jenkins by attempting to exploit\r\nCVE-2018-1000861 and CVE-2019-1003000. 
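Added example, not code from the post: a parser for OpenSSH known_hosts that shows what the Stage2 propagation step described under Stage1 and Stage2 can learn from the file and what it cannot. Plaintext entries hand over a ready target list; entries written with HashKnownHosts yes are |1|salt|hash fields (HMAC-SHA1 keyed with the salt over the host name), so they only give up a host the reader can already guess. The sample file, the fixed salt and the host names are constructed for the demonstration.

```python
# Added example: what an attacker reading ~/.ssh/known_hosts recovers.
# Format facts used: one entry per line, the first field is either a
# comma-separated list of names/addresses (possibly [host]:port) or a hashed
# field |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name)).
import base64
import hashlib
import hmac
from typing import Dict, List


def parse_known_hosts(text: str) -> Dict[str, List[str]]:
    '''Split entries into plaintext host names and hashed host fields.
    Markers such as @cert-authority or @revoked are stripped first.'''
    result: Dict[str, List[str]] = {'plain': [], 'hashed': []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('@'):
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            line = parts[1]
        hostfield = line.split()[0]
        if hostfield.startswith('|1|'):
            result['hashed'].append(hostfield)
        else:
            result['plain'].extend(hostfield.split(','))
    return result


def hash_host(hostname: str, salt: bytes) -> str:
    '''Build a hashed host field in the format ssh-keygen -H writes.'''
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return '|1|' + base64.b64encode(salt).decode() + '|' + base64.b64encode(digest).decode()


def matches_hashed(entry: str, hostname: str) -> bool:
    '''True if the hashed field was produced from this hostname.'''
    parts = entry.split('|')
    if len(parts) != 4 or parts[1] != '1':
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    got = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, got)


def recover_targets(text: str, guesses: List[str]) -> List[str]:
    '''Every target a reader of this file learns: all plaintext names plus
    any hashed entry that matches one of the supplied guesses.'''
    parsed = parse_known_hosts(text)
    found = list(parsed['plain'])
    for entry in parsed['hashed']:
        found.extend(g for g in guesses if matches_hashed(entry, g))
    return found


# Constructed sample: key blobs are placeholders, hosts are made up, and the
# salt is fixed so the demonstration is repeatable (OpenSSH uses a random one).
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = '''
# two entries written without HashKnownHosts, one written with it
db01.corp.example,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1
[git.corp.example]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER2
''' + hash_host('build.corp.example', SAMPLE_SALT) + ' ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3'

if __name__ == '__main__':
    parsed = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print('plaintext targets:', parsed['plain'])
    print('hashed entries:', len(parsed['hashed']))
    print('recovered with a guess list:',
          recover_targets(SAMPLE_KNOWN_HOSTS, ['web01.corp.example', 'build.corp.example']))
```

Setting HashKnownHosts yes in /etc/ssh/ssh_config and converting existing files with ssh-keygen -H removes the free target list this propagation step relies on. The second test the post mentions, checking whether key authentication works, has a defender-side counterpart: audit which hosts accept ssh -o BatchMode=yes from the account, because an unattended key with no passphrase is what turns the list into a foothold.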
\r\nFigure 18: Propagate via CVE-2019-1003000\r\nFigure 19: Propagate via CVE-2018-1000861\r\nMiner\r\nThis campaign uses the open-source XMRig CPU miner. In older versions, a separate configuration file was\r\ndropped on the system with all the parameters included, among them the wallet address of the threat actors and the\r\nmining pool they use.\r\nFigure 20: Miner Config from Older Versions\r\nIn the latest versions, the configuration is embedded in the binary. The malware now sends its mining traffic to a proxy server,\r\nsystemten.org:51640 (most probably running an xmrig-proxy service), where the wallet\r\naddress and mining pool are configured. This means the miners on infected hosts do not need to carry those\r\nparameters, which effectively hides the details from further investigation. Note that the port may change\r\ndepending on the variant.\r\nFigure 21: Embedded Miner Configuration with the Mining Pool Proxy\r\nConclusion\r\nThrough constant monitoring, we have observed that this is a very active campaign, often pushing multiple\r\nupdates in a single day to add more features to its cryptomining scheme.\r\nBy utilizing a hook library, it is more complicated for users to manually detect and remove the infection from their\r\nsystems, giving the threat actors more time to generate profit. 
We have also observed that they have started to add\r\nfeatures to expand their infection by targeting system vulnerabilities, and given the recent rate of development, it is\r\nlikely that they will be adding more of these in the near future.\r\nAs always, FortiGuard Labs will be on the lookout for this campaign.\r\n-= FortiGuard Lion Team =-\r\nSolutions\r\nFortinet customers are protected by the following solutions:\r\nThe Jenkins exploits are detected by our IPS signature\r\nJenkins.Script.Plugin.Authenticated.Remote.Command.Execution\r\nThe traffic to the xmrig-proxy can be blocked using the application control signature\r\nBitcoin.Cryptocurrency.Miner\r\nAll malicious samples are detected as Linux/Agent.BQ!tr\r\nThe miner’s proxy server is blocked by FortiGuard Web Filtering Service.\r\nIOCs\r\nFiles\r\nfbbb28ed10c792b4a29748795cba26f78d28cf13d8b7b042d6de4f3ea1401399\r\n3a6271a90d0f6cc8a2d31d45d931e8401f13f7377932ba07d871dc42f252b9ca\r\n63c7f944bf8b9f4db9a8cf6d47a6d4026bba776478c1315c2888ecff603d73a1\r\n1608899ff3bd9983df375fd836464500f160f6305fcc35cfb64abbe94643c962\r\nf6712249b3c27772daf815d459577c2c88a3aef6b66dfd0986ac9277a8bb35e1\r\nea682b4aa3885657fe15f76cc3f97322547ca21f347069cd3c78b152a0155781\r\n5eda73b869c22f92c78547995acbba5ff794ea24f5da72af2d653600411d6c97\r\n3f8683fa08a5ae5964f4ee4962465b16c12075480e24a269d151ce1130c77d8c\r\nb383d0fdfa5036ccfa5d9c2b43cbfd814bce8778978873057b86678e5295fc61\r\nURLs\r\nsystemten.org\r\nhttps://pastebin[.]com/raw/Xu86DLj0\r\nhttps://pastebin[.]com/raw/0DqEa3Gn\r\nhttps://pastebin[.]com/raw/Ei4z3RQ7\r\nhttps://pastebin[.]com/raw/XiUrwYe9\r\nhttps://pastebin[.]com/raw/rPB8eDpu\r\nhttps://pastebin[.]com/raw/HWBVXK6H
Source: https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html"
	],
	"report_names": [
		"rocke-variant-ready-to-box-mining-challengers.html"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775791704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f720cf793ed13ecc893e1aeb5879063b762bbcd.pdf",
		"text": "https://archive.orkl.eu/2f720cf793ed13ecc893e1aeb5879063b762bbcd.txt",
		"img": "https://archive.orkl.eu/2f720cf793ed13ecc893e1aeb5879063b762bbcd.jpg"
	}
}