{
	"id": "42fe01d6-7cfb-4ba9-b765-35286f31341d",
	"created_at": "2026-04-06T00:08:11.420449Z",
	"updated_at": "2026-04-10T03:32:45.897591Z",
	"deleted_at": null,
	"sha1_hash": "56180159314949b2e90170af26a62b33bc972ea9",
	"title": "Rocke'in the NetFlow",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 277874,
	"plain_text": "Rocke'in the NetFlow\r\nBy Nathaniel Quist\r\nPublished: 2019-08-01 · Archived: 2026-04-05 22:28:55 UTC\r\nExecutive Summary\r\nUnit 42 spent six months researching the China-based cybercrime group Rocke, which is the best-known threat\r\nactor engaged in cryptomining operations targeting the cloud. We released high-level results from our\r\ninvestigation of Rocke in our recent cloud threat report. This research report provides a deep dive into our\r\ninvestigation of Rocke, which concluded that the group is able to conduct operations with little interference and\r\nlimited detection risk.\r\nBy analyzing NetFlow data from December 2018 to June 16, 2019, we found that 28.1% of the cloud\r\nenvironments we surveyed had at least one fully established network connection with at least one known Rocke\r\ncommand-and-control (C2) domain. Several of those organizations maintained near daily connections.\r\nMeanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques, and\r\nprocedures (TTPs).\r\nThe group has also released a new tool called Godlua, which could function as an agent, allowing the group’s\r\nactors to perform additional scripted operations, including denial of service (DoS) attacks, network proxying, and\r\ntwo shell capabilities. Unit 42 also discovered network traffic identification patterns within NetFlow traffic that\r\nprovide unique insight into Rocke TTPs and how defenders can develop detection capabilities.\r\nIntro to Rocke\r\nThe activities of Rocke, aka the Iron Group, SystemTen, Kerberods/Khugepageds, and even ex-Rocke, were\r\noriginally reported in August 2018. Researchers have since blogged on its use of the Golang programming\r\nlanguage and the new backdoor, Godlua. There is an operational blog mapping Rocke operations to the MITRE\r\nATT\u0026CK framework. 
Unit 42 has also published blogs on the group’s Xbash ransomware tool and its cloud\r\nsecurity evasion and cryptomining techniques.\r\nRocke was initially associated with ransomware campaigns through the use of its Linux-focused Xbash tool, a\r\ndata-destruction malware similar in functionality to NotPetya. NotPetya used the EternalBlue exploit to propagate\r\nacross a network. Xbash performed lateral movement by leveraging an organization’s unpatched vulnerabilities\r\nand use of weak passwords, which potentially limited its overall effectiveness. When Rocke compromised an\r\norganization, it demanded that victims pay 0.2, 0.15, or 0.02 bitcoin (BTC) to restore lost data. However, Rocke\r\nwas unable to restore any data since Xbash deleted database tables prior to demanding the ransom. At the time of\r\nUnit 42’s reporting, Rocke’s BTC wallet contained 0.964 BTC (equivalent to US$10,130 today) from just 48\r\nunique transfers.\r\nRocke’s Cryptomining Operation\r\nhttps://unit42.paloaltonetworks.com/rockein-the-netflow/\r\nPage 1 of 15\n\nLike Rocke’s Xbash malware, the group’s first cryptomining operations were written in Python and used Pastebin\r\nor GitHub as the code repository from which the first-stage payload was downloaded. As of March 12, 2019,\r\nRocke actors began to also use Golang. 
The first-stage payload directed the victim system to connect to a hardcoded Rocke domain or IP address, which would trigger the download of the second-stage payload.\r\nUnit 42 has observed a distinctive 12-step operation style, which appears to have remained consistent since Rocke was first reported:\r\n1. Actor uploads first payload to a third-party site (e.g., Pastebin, GitHub)\r\n2. Entices victim to navigate to Pastebin/GitHub (e.g., spear phishing)\r\n3. Exploits known vulnerability (e.g., Oracle WebLogic, Adobe ColdFusion, Apache Struts)\r\n4. Victim downloads backdoor (e.g., shell scripts, JavaScript backdoor)\r\n5. Victim runs the first payload via Python or Golang script and connects to C2 server\r\n6. Downloads and executes second payload script, gaining administrative access to the system\r\n7. Establishes persistence via cron job commands\r\n8. Searches for and kills previously installed cryptomining processes\r\n9. Adds iptables rules to block future cryptomining processes\r\n10. Uninstalls agent-based cloud security tools (e.g., Tencent Cloud, Alibaba Cloud)\r\n11. Downloads and installs Monero mining software\r\n12. Hides the XMRig mining processes from Linux “ps” using the “libprocesshider” rootkit\r\nRocke Infrastructure\r\nAs of the time of this writing, eight domains have been tied to Rocke C2 operations through hardcoded IP addresses, URL addresses, or domain registration connections (e.g., WHOIS registrant email address). 
The following table lays out how the domains fit into the Rocke group infrastructure (see Table 1).\r\nDomain | Rocke Connection | Connection Value | Resolved IP(s)\r\nsowcar[.]com | Hardcoded IOC | 4592248@gmail[.]com | 23.234.4[.]151, 23.234.4[.]153, 27.221.28[.]231, 27.221.54[.]252, 36.103.236[.]221, 36.103.247[.]121, 36.248.26[.]205, 42.202.141[.]230, 42.236.125[.]84, 42.56.76[.]104, 43.242.166[.]88, 59.83.204[.]14, 60.167.222[.]122, 61.140.13[.]251, 104.31.68[.]79, 104.31.69[.]79, 113.142.51[.]219, 113.200.16[.]234, 116.211.184[.]212, 118.213.118[.]94, 118.25.145[.]24, 122.246.6[.]183, 125.74.45[.]101, 150.138.184[.]119, 182.118.11[.]126, 182.118.11[.]193, 182.247.250[.]251, 182.247.254[.]83, 183.224.33[.]79, 211.91.160[.]159, 211.91.160[.]238, 218.75.176[.]126, 219.147.231[.]79, 221.204.60[.]69\r\nthyrsi[.]com | WHOIS Registration | 4592248@gmail[.]com | 23.234.4[.]151, 23.234.4[.]153, 103.52.216[.]35, 104.27.138[.]223, 104.27.139[.]223, 205.185.122[.]229, 209.141.41[.]204\r\nw2wz[.]cn | WHOIS Registration | 4592248@gmail[.]com | 36.103.236[.]221, 36.103.247[.]121, 42.202.141[.]230, 58.215.145[.]137, 58.216.107[.]77, 58.218.208[.]13, 60.167.222[.]122, 61.140.13[.]251, 113.142.51[.]219, 113.96.98[.]113, 116.211.184[.]212, 118.213.118[.]94, 118.25.145[.]241, 121.207.229[.]203, 122.246.20[.]201, 125.74.45[.]101, 140.249.61[.]134, 150.138.184[.]119, 182.118.11[.]193, 182.247.250[.]251, 218.75.176[.]126, 219.147.231[.]79, 222.186.49[.]224\r\nbaocangwh[.]cn | WHOIS Registration | 4592248@qq[.]com | 103.52.216[.]35, 104.18.38[.]253, 104.18.39[.]253, 104.31.92[.]26, 104.31.93[.]26, 119.28.48[.]240, 205.185.122[.]229\r\nz9ls[.]com | WHOIS Registration | 4592248@qq[.]com | 103.52.216[.]35, 104.27.134[.]168, 104.27.135[.]168, 104.31.80[.]164, 104.31.81[.]164, 172.64.104[.]10, 172.64.105[.]10, 205.185.122[.]229\r\ngwjyhs[.]com | Hardcoded Domain | gwjyhs[.]com | 103.52.216[.]35, 104.27.138[.]191, 104.27.139[.]191, 205.185.122[.]229\r\nheheda[.]tk | Hardcoded IP or Domain | 104.238.151[.]101; c.heheda[.]tk; d.heheda[.]tk; dd.heheda[.]tk | 104.18.58[.]79, 104.18.59[.]79, 104.238.151[.]101, 195.20.40[.]95, 198.204.231[.]250\r\ncloudappconfig[.]com | Hardcoded IP or Domain | 104.238.151[.]101; c.cloudappconfig[.]com; img0.cloudappconfig[.]com; img1.cloudappconfig[.]com; img2.cloudappconfig[.]com | 43.224.225[.]220, 67.21.64[.]34, 104.238.151[.]101, 198.204.231[.]250\r\nsystemten[.]org | Hardcoded Domain | systemten[.]org | 104.248.53[.]213, 104.31.92[.]233, 104.31.93[.]233, 134.209.104[.]20, 165.22.156[.]147, 185.193.125[.]146\r\nTable 1. Known Rocke domains\r\nRocke New Attack Vector\r\nThe TTPs listed in the previous section do not take into account a potential third stage to Rocke operations. Prior to the report An Analysis of Godlua Backdoor, Rocke malware appeared to perform a single operational function on compromised cloud systems. The Godlua report cited malware samples that contained TTPs similar to those of Rocke. Upon further research, Unit 42 identified that not only do the TTPs match, but there are hardcoded domains, URLs, and an IP address that overlap with the hardcoded values in previously reported Rocke malware. This connection was made possible through the findings of an incident investigation posted on the r/LinuxMalware subreddit and the upload of those findings, including malware sample metadata, to GitHub. 
The author of the Reddit post operates the nonprofit organization MalwareMustDie, a white hat organization devoted to the reduction of internet malware. Unit 42 researchers analyzed four of the binaries listed in the Reddit thread and confirmed that the hardcoded Rocke domain systemten[.]org is contained within the samples, as stated in the Reddit thread. The samples also contained hardcoded links to Pastebin URLs that overlap with known Rocke reporting:\r\nhxxps://pastebin[.]com/raw/HWBVXK6H\r\nhxxps://pastebin[.]com/raw/60T3uCcb\r\nhxxps://pastebin[.]com/raw/rPB8eDpu\r\nhxxps://pastebin[.]com/raw/wR3ETdbi\r\nhxxps://pastebin[.]com/raw/Va86JYqw\r\nAs seen in the Godlua blog, the IP address 104.238.151[.]101 and the hostnames d.heheda[.]tk, c.heheda[.]tk, and dd.heheda[.]tk were found hardcoded in the samples covered by that report. The incident response thread posted to Reddit pertaining to the Rocke group also found that C2 connections were being sent to the three heheda[.]tk hostnames, which resolved to the IP address 104.238.151[.]101, also cited in the Godlua report. Additionally, the samples contained hardcoded values for the known Rocke domains sowcar[.]com, z9ls[.]com, baocangwh[.]cn, gwjyhs[.]com, and w2wz[.]cn. See Figure 1 for how the identified indicators of compromise (IoCs) connect known Rocke domains with the IoCs pulled from the Godlua and Reddit thread reporting.\r\nFigure 1. Rocke domain connections to Godlua and Reddit thread reporting\r\nWhat makes the Godlua samples intriguing is the evidence that Rocke has added DoS operations to the group’s toolkit. 
The report delivers evidence that Rocke has added a third-stage malware component that performs a third C2 request to either c.heheda[.]tk or c.cloudappconfig[.]com and thereby downloads a Lua script called Godlua. The malware appears to add modular functionality to Rocke’s operational playbook. In addition to the DoS feature, the malware introduces the following commands:\r\nHANDSHAKE\r\nHEARTBEAT\r\nLUA\r\nSHELL\r\nUPGRADE\r\nQUIT\r\nSHELL2\r\nPROXY\r\nThe Godlua report also provided evidence that Rocke has added Lua switch functionality. The report states that the actors performed a DoS attack against the domain www.liuxiaobei[.]com. At the time of this writing, this domain does not resolve to any known system. It is currently unknown what the other features of the Stage 3 malware accomplish. However, with options like “Shell,” “Shell2,” “Upgrade,” and “Proxy,” it is possible this malware is the beginning of a modular system agent that gives Rocke actors additional flexibility to perform cyber operations beyond cryptomining and data destruction.\r\nFinding Rocke in the NetFlow\r\nAs of the time of this writing, Unit 42 researchers found that 28.1% of cloud environments surveyed had at least one active communication session with known Rocke C2 domains. In some organizations these connections occurred almost daily from at least December 2018 until the time of this writing. 
Identification was made possible via the capture of NetFlow communications at the organization/cloud edge.\r\nUnit 42 researchers discovered Rocke communications by analyzing Rocke’s TTP patterns, resolving the known Rocke domains to the IP addresses used during the specified timeframe, and querying network traffic against these resolved IP addresses as well as the hardcoded IP address linked to Rocke, 104.238.151[.]101.\r\nHardcoded IP addresses provide strong connections to known malicious network traffic originating from an organization’s network. At the time of this writing, the following hostnames are known to have resolved to 104.238.151[.]101 since January 1, 2019:\r\nc.cloudappconfig[.]com\r\nd.cloudappconfig[.]com\r\nf.cloudappconfig[.]com\r\nimg0.cloudappconfig[.]com\r\nimg2.cloudappconfig[.]com\r\nv.cloudappconfig[.]com\r\nc.heheda[.]tk\r\nd.heheda[.]tk\r\ndd.heheda[.]tk\r\nThese hostnames are consistent with those reported in both the Godlua and Reddit reporting, signifying that any connection to this IP address should be considered malicious. Unit 42 researchers identified 411 unique connections from four monitored organizations that each made eight or more fully established network connections to the IP address 104.238.151[.]101. These connections persisted with each organization for only a short period of time. The longest delta between first-seen and last-seen connection was five days, for Organization 1. The shortest was a single hour, for Organization 4, whose eight connections all fell within one hourly bucket (see Table 2).\r\nOrganization | Destination IP | Total Connections | Earliest Time | Latest Time\r\n1 | 104.238.151[.]101 | 76 | 4/12/19 3:00 AM | 4/17/19 8:00 AM\r\n2 | 104.238.151[.]101 | 160 | 4/13/19 7:00 AM | 4/15/19 3:00 PM\r\n3 | 104.238.151[.]101 | 167 | 4/13/19 7:00 AM | 4/16/19 10:00 AM\r\n4 | 104.238.151[.]101 | 8 | 5/10/19 9:00 PM | 5/10/19 9:00 PM\r\nTable 2. 
Organization connections to hardcoded IP 104.238.151[.]101\r\nExtrapolating from 104.238.151[.]101, these four organizations also connected to other known Rocke domains. Organization 1 connected to three Rocke domains between April 12 and May 31, 2019, with 290 unique connections. Organization 4 connected to seven domains between March 20 and May 15, 2019, with 8,231 unique connections. As is evident in Table 3, the four organizations connected to one or more of the seven known Rocke domains during the same timeframe as their connections to the hardcoded IP address 104.238.151[.]101. This strongly supports classifying heheda[.]tk and cloudappconfig[.]com as Rocke domains, and indicates that Rocke’s third-stage malware was in use during this same period.\r\nOrganization | Destination Domain | Destination IP | Total Connections | Earliest Time | Latest Time\r\n1 | heheda[.]tk / cloudappconfig[.]com | 104.238.151[.]101 | 76 | 4/12/19 3:00 AM | 4/17/19 8:00 AM\r\n1 | sowcar[.]com | 125.74.45[.]101 | 4 | 4/12/19 2:00 PM | 4/12/19 2:00 PM\r\n1 | sowcar[.]com | 27.221.54[.]252 | 2 | 4/13/19 4:00 AM | 4/13/19 4:00 AM\r\n1 | systemten[.]org | 104.248.53[.]213 | 202 | 4/10/19 12:00 PM | 5/31/19 6:00 PM\r\n1 | w2wz[.]cn | 113.96.98[.]113 | 2 | 4/12/19 2:00 PM | 4/12/19 2:00 PM\r\n1 | w2wz[.]cn | 125.74.45[.]101 | 4 | 4/12/19 2:00 PM | 4/12/19 2:00 PM\r\n1 Total | | | 290 | |\r\n2 | baocangwh[.]cn | 104.31.92[.]26 | 8 | 4/25/19 3:00 AM | 4/25/19 3:00 AM\r\n2 | heheda[.]tk | 104.18.58[.]79 | 26 | 4/14/19 6:00 AM | 4/15/19 3:00 PM\r\n2 | heheda[.]tk | 104.18.59[.]79 | 22 | 4/14/19 6:00 AM | 4/15/19 2:00 PM\r\n2 | heheda[.]tk / cloudappconfig[.]com | 104.238.151[.]101 | 160 | 4/13/19 7:00 AM | 4/15/19 2:00 PM\r\n2 | sowcar[.]com | 104.31.68[.]79 | 77 | 3/20/19 11:00 PM | 4/3/19 4:00 AM\r\n2 | sowcar[.]com | 104.31.69[.]79 | 70 | 3/20/19 7:00 AM | 4/10/19 9:00 AM\r\n2 | sowcar[.]com | 125.74.45[.]101 | 6 | 4/12/19 1:00 PM | 4/12/19 2:00 PM\r\n2 | sowcar[.]com | 27.221.54[.]252 | 6 | 4/13/19 4:00 AM | 4/13/19 4:00 AM\r\n2 | systemten[.]org | 104.248.53[.]213 | 92 | 4/11/19 5:00 PM | 4/15/19 3:00 PM\r\n2 | w2wz[.]cn | 113.96.98[.]113 | 9 | 4/12/19 2:00 PM | 4/12/19 6:00 PM\r\n2 | w2wz[.]cn | 122.246.20[.]201 | 8 | 4/22/19 7:00 AM | 4/22/19 8:00 AM\r\n2 | w2wz[.]cn | 125.74.45[.]101 | 6 | 4/12/19 1:00 PM | 4/12/19 2:00 PM\r\n2 | z9ls[.]com | 104.31.80[.]164 | 2 | 4/14/19 11:00 AM | 4/14/19 11:00 AM\r\n2 | z9ls[.]com | 104.31.81[.]164 | 4 | 4/15/19 3:00 AM | 4/15/19 1:00 PM\r\n2 Total | | | 496 | |\r\n3 | heheda[.]tk | 104.18.58[.]79 | 14 | 4/14/19 11:00 AM | 4/16/19 10:00 AM\r\n3 | heheda[.]tk | 104.18.59[.]79 | 14 | 4/14/19 11:00 AM | 4/16/19 10:00 AM\r\n3 | heheda[.]tk / cloudappconfig[.]com | 104.238.151[.]101 | 167 | 4/13/19 7:00 AM | 4/16/19 10:00 AM\r\n3 | sowcar[.]com | 104.31.68[.]79 | 2 | 4/10/19 9:00 AM | 4/10/19 9:00 AM\r\n3 | systemten[.]org | 104.248.53[.]213 | 214 | 4/10/19 9:00 AM | 4/19/19 9:00 AM\r\n3 | z9ls[.]com | 104.31.80[.]164 | 106 | 4/14/19 9:00 AM | 4/18/19 3:00 AM\r\n3 | z9ls[.]com | 104.31.81[.]164 | 108 | 4/14/19 9:00 AM | 4/18/19 3:00 AM\r\n3 Total | | | 625 | |\r\n4 | baocangwh[.]cn | 104.18.38[.]253 | 136 | 4/26/19 9:00 PM | 4/27/19 3:00 PM\r\n4 | baocangwh[.]cn | 104.18.39[.]253 | 152 | 4/26/19 10:00 PM | 4/28/19 3:00 AM\r\n4 | baocangwh[.]cn | 104.31.92[.]26 | 184 | 4/22/19 9:00 AM | 4/26/19 6:00 PM\r\n4 | baocangwh[.]cn | 104.31.93[.]26 | 170 | 4/22/19 9:00 AM | 4/26/19 6:00 PM\r\n4 | baocangwh[.]cn | 119.28.48[.]240 | 176 | 4/27/19 1:00 PM | 4/28/19 10:00 AM\r\n4 | gwjyhs[.]com | 104.27.138[.]191 | 256 | 4/28/19 11:00 AM | 5/9/19 10:00 AM\r\n4 | gwjyhs[.]com | 104.27.139[.]191 | 256 | 4/28/19 10:00 AM | 5/12/19 5:00 PM\r\n4 | heheda[.]tk / cloudappconfig[.]com | 104.238.151[.]101 | 8 | 5/10/19 9:00 PM | 5/10/19 9:00 PM\r\n4 | sowcar[.]com | 104.31.68[.]79 | 437 | 3/20/19 7:00 AM | 4/10/19 2:00 AM\r\n4 | sowcar[.]com | 104.31.69[.]79 | 441 | 3/20/19 2:00 PM | 4/10/19 2:00 AM\r\n4 | sowcar[.]com | 27.221.54[.]252 | 8 | 4/13/19 4:00 AM | 4/13/19 4:00 AM\r\n4 | systemten[.]org | 104.31.93[.]233 | 4 | 4/5/19 2:00 AM | 4/5/19 3:00 AM\r\n4 | systemten[.]org | 104.31.92[.]233 | 4 | 4/5/19 2:00 AM | 4/5/19 3:00 AM\r\n4 | systemten[.]org | 104.248.53[.]213 | 4761 | 4/3/19 4:00 AM | 5/15/19 1:00 AM\r\n4 | thyrsi[.]com | 103.52.216[.]35 | 178 | 4/27/19 8:00 AM | 5/10/19 1:00 PM\r\n4 | w2wz[.]cn | 118.25.145[.]241 | 12 | 4/13/19 5:00 AM | 4/13/19 9:00 AM\r\n4 | z9ls[.]com | 104.31.80[.]164 | 522 | 4/13/19 9:00 AM | 4/21/19 2:00 PM\r\n4 | z9ls[.]com | 104.31.81[.]164 | 526 | 4/13/19 6:00 AM | 4/21/19 2:00 PM\r\n4 Total | | | 8231 | |\r\nGrand Total | | | 9642 | |\r\nTable 3. Comparison of all Rocke domain connections with IP 104.238.151[.]101\r\nUnit 42 researchers extrapolated the investigation another level and identified all visible connections from all monitored organizations to all known Rocke domains. The researchers found that 28.1% of cloud environments contained at least one fully established network connection with a known Rocke domain. The earliest witnessed connection took place on December 4, 2018, and activity continued through at least June 10, 2019, with 146 unique connections to the domains sowcar[.]com and w2wz[.]cn during that time frame.\r\nRocke’s Network Traffic Pattern\r\nFinally, Unit 42 researchers attempted to identify whether the initial payload download from Pastebin could be identified in the NetFlow data. Researchers found that a total of 50 organizations made network connections to Pastebin. Of these 50 organizations, eight were found to have made network connections to Pastebin within the same hour as connections to Rocke domains. 
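The hunting method used in this section (resolve the known Rocke domains to IP addresses, then query hourly flow records for fully established connections to those addresses and to the hardcoded C2 IP) and the hourly Pastebin-then-C2 pattern described in the following paragraphs can be turned into a small detector. The Python below is an added example written for this page; it is not Unit 42 code and not taken from the original post. The IOC domains and resolved addresses come from Table 1; the organizations, source hosts, the stand-in Pastebin address (an RFC 5737 documentation address), the flow records and the assumption that a flow showing both SYN and ACK flags counts as fully established are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Unit 42 code. Domains and addresses below are from Table 1 of the post;
# everything else (organizations, hosts, Pastebin stand-in, flows) is constructed so it runs offline.
ROCKE_RESOLVED = {
    'sowcar[.]com': ['104.31.68[.]79', '104.31.69[.]79', '125.74.45[.]101'],
    'systemten[.]org': ['104.248.53[.]213'],
    'z9ls[.]com': ['104.31.80[.]164', '104.31.81[.]164'],
    'heheda[.]tk | cloudappconfig[.]com': ['104.238.151[.]101'],  # hardcoded third-stage C2 IP
}
PASTEBIN_IPS = {'198.51.100.200'}  # constructed stand-in; use the addresses pastebin.com resolved to

def refang(ioc):
    '''Turn the defanged report form (1.2.3[.]4) back into a matchable address.'''
    return ioc.replace('[.]', '.')

def build_ioc_index(resolved):
    '''Map each resolved C2 address to the Rocke domain(s) that pointed at it.'''
    index = defaultdict(set)
    for domain, ips in resolved.items():
        for ip in ips:
            index[refang(ip)].add(domain)
    return index

def is_established(tcp_flags):
    '''Assumption: SYN and ACK both seen means the handshake completed; SYN-only flows
    (scans, refused connects) are ignored so they do not inflate the counts.'''
    return 'S' in tcp_flags and 'A' in tcp_flags

def parse_hour(text):
    return datetime.strptime(text, '%Y-%m-%d %H:%M')

# Constructed hourly flow summaries: (org, hour bucket, src_ip, dst_ip, dst_port, tcp_flags)
FLOWS = [
    # OrgA, one host: Pastebin fetch plus C2 contact in every hour for four hours (Figure 2 pattern)
    ('OrgA', '2019-04-13 07:00', '198.51.100.10', '198.51.100.200', 443, 'SAPF'),
    ('OrgA', '2019-04-13 07:00', '198.51.100.10', '104.238.151.101', 443, 'SAPF'),
    ('OrgA', '2019-04-13 07:00', '198.51.100.10', '104.248.53.213', 443, 'SAPF'),
    ('OrgA', '2019-04-13 08:00', '198.51.100.10', '198.51.100.200', 443, 'SAPF'),
    ('OrgA', '2019-04-13 08:00', '198.51.100.10', '104.238.151.101', 443, 'SAPF'),
    ('OrgA', '2019-04-13 09:00', '198.51.100.10', '198.51.100.200', 443, 'SAPF'),
    ('OrgA', '2019-04-13 09:00', '198.51.100.10', '104.248.53.213', 443, 'SAPF'),
    ('OrgA', '2019-04-13 10:00', '198.51.100.10', '198.51.100.200', 443, 'SAPF'),
    ('OrgA', '2019-04-13 10:00', '198.51.100.10', '104.238.151.101', 443, 'SAPF'),
    # OrgB: one completed C2 session and one SYN-only probe that never completed
    ('OrgB', '2019-04-14 11:00', '203.0.113.5', '104.31.80.164', 80, 'SAPF'),
    ('OrgB', '2019-04-14 12:00', '203.0.113.5', '104.238.151.101', 443, 'S'),
    # OrgC: Pastebin traffic with no C2 contact; nothing to flag on this evidence
    ('OrgC', '2019-04-14 11:00', '192.0.2.7', '198.51.100.200', 443, 'SAPF'),
]

def ioc_hits(flows, index):
    '''Fully established flows whose destination is a known Rocke address.'''
    return [(org, hour, src, dst, sorted(index[dst]))
            for org, hour, src, dst, _port, flags in flows
            if dst in index and is_established(flags)]

def summarize(hits):
    '''Per (org, destination): count, first seen, last seen and span in hours, the Table 2 layout.'''
    rows = {}
    for org, hour, _src, dst, domains in hits:
        t = parse_hour(hour)
        r = rows.setdefault((org, dst), {'domains': domains, 'connections': 0, 'first': t, 'last': t})
        r['connections'] += 1
        r['first'] = min(r['first'], t)
        r['last'] = max(r['last'], t)
    for r in rows.values():
        r['span_hours'] = int((r['last'] - r['first']).total_seconds() // 3600)
    return rows

def hourly_beacons(flows, index, min_hours=3):
    '''Hosts that contacted Pastebin and a Rocke address in the same hourly bucket for at
    least min_hours consecutive hours: the heartbeat pattern of the stage-3 agent.'''
    buckets = defaultdict(lambda: {'paste': False, 'c2': False})
    for org, hour, src, dst, _port, flags in flows:
        if not is_established(flags):
            continue
        b = buckets[(org, src, parse_hour(hour))]
        b['paste'] |= dst in PASTEBIN_IPS
        b['c2'] |= dst in index
    per_host = defaultdict(list)
    for (org, src, t), b in buckets.items():
        if b['paste'] and b['c2']:
            per_host[(org, src)].append(t)
    result = {}
    for key, times in per_host.items():
        times.sort()
        run = best = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev == timedelta(hours=1) else 1
            best = max(best, run)
        if best >= min_hours:
            result[key] = best  # longest consecutive-hour run of the pattern
    return result

if __name__ == '__main__':
    idx = build_ioc_index(ROCKE_RESOLVED)
    for (org, dst), r in sorted(summarize(ioc_hits(FLOWS, idx)).items()):
        print(org, dst, r['domains'], r['connections'], r['first'], r['last'], r['span_hours'])
    print(hourly_beacons(FLOWS, idx))
```

Run as a script it prints a Table 2 style summary (the SYN-only probe from OrgB is dropped) and the one host whose Pastebin-plus-C2 pattern repeats for four consecutive hours. Against real data, replace FLOWS with an hourly export from your flow collector, PASTEBIN_IPS with the addresses pastebin.com resolved to during the window, and extend ROCKE_RESOLVED with the full Table 1 list; passive DNS for the period matters, because several of those addresses sit on shared CDN ranges and a hit on them is a lead, not proof, until the flow's SNI or URL log confirms the hostname.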
Since the NetFlow data was only available at one-hour granularity, and given the lack of full packet capture to confirm the nature of each network connection, it is impossible to positively identify precisely when an organization was compromised. However, these occurrences point to key timeframes where full packet captures, if available, should be investigated further.\r\nA distinct pattern emerges when viewing how Rocke network traffic appears within NetFlow data (see Figure 2). First, a connection is established with Pastebin, followed by a connection to a Rocke domain. As the figure shows, the pattern repeats on an hourly basis, which is a further indicator of beaconing and of the presence of the Stage 3 Rocke payload already installed on the cloud system. Additionally, Figure 2 shows the source system connecting to Pastebin, then to the known Rocke domains z9ls[.]com and systemten[.]org, and then to the hardcoded IP address 104.238.151[.]101 within the same hourly window. This pattern is indicative of beaconing, or heartbeat-style activity, which is a capability within the third-stage malware’s feature set (the HEARTBEAT command listed above).\r\nFigure 2. Unique Rocke NetFlow pattern\r\nMitigation Strategies\r\nTo mitigate Rocke activities within a cloud environment, the following actions are recommended:\r\nUpdate all cloud system templates with the latest patches and version updates.\r\nCycle all cloud systems to use the latest patched and updated cloud template.\r\nPurchase and configure a cloud monitoring product that includes checks on compliance, network traffic, and user behavior.\r\nReview cloud network configurations, security policies, and groups to ensure they meet current compliance requirements.\r\nUse a cloud container vulnerability scanner.\r\nUpdate all threat intelligence feeds providing domain or IP denylisting indicators.\r\nPurchase or subscribe to the Palo Alto Networks MineMeld threat feed, or use Palo Alto Networks Next-Generation Firewalls, as these options are configured to block known Rocke domains and IP connections.\r\nInvestigate cloud network traffic for connections to known malicious domains or IPs.\r\nInvestigate cloud network traffic for beacon-style egress traffic in your organization’s cloud environment.\r\nConclusion\r\nRocke, which primarily targets public cloud infrastructure for criminal gain, continues to evolve its tools and take advantage of poorly configured cloud infrastructure using vulnerabilities released in 2016 and 2017. The group can gain administrative access to cloud systems using malware that is able to remain hidden from basic investigations. 
Compromised systems then perform predictable and detectable network actions to known Rocke hardcoded IP addresses or Rocke-owned domains.\r\nPalo Alto Networks customers are protected as follows:\r\nThe C2 domains listed in this blog are identified as malicious by PAN-DB URL Filtering.\r\nAll illegitimate tools uploaded to the webshells are identified as malicious by WildFire and Traps.\r\nELF and PE format malware signatures have been released via antivirus.\r\nAutoFocus customers can investigate this activity with the following tags:\r\nIronCybercrimeGroup\r\nXbash\r\nKerberods\r\nGodlua\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nDomains\r\nsowcar[.]com\r\nthyrsi[.]com\r\nw2wz[.]cn\r\nbaocangwh[.]cn\r\nz9ls[.]com\r\ngwjyhs[.]com\r\nheheda[.]tk\r\ncloudappconfig[.]com\r\nsystemten[.]org\r\nIPs\r\n43.224.225[.]220\r\n67.21.64[.]34\r\n103.52.216[.]35\r\n104.248.53[.]213\r\n104.238.151[.]101\r\n198.204.231[.]250\r\n205.185.122[.]229\r\nHashes (SHA256)\r\n1608899ff3bd9983df375fd836464500f160f6305fcc35cfb64abbe94643c962\r\n28f92f36883b69e281882f19fec1d89190e913a4e301bfc5d80242b74fcba6fe\r\na84283095e0c400c3c4fe61283eca6c13dd0a6157a57adf95ae1dcec491ec519\r\n6797018a6f29ce3d447bd3503372f78f9513d4648e5cd3ab5ab194a50c72b9c4\r\nSource: https://unit42.paloaltonetworks.com/rockein-the-netflow/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/rockein-the-netflow/"
	],
	"report_names": [
		"rockein-the-netflow"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b9d2809-47b7-46a8-ab2d-9687537f1bc7",
			"created_at": "2023-01-06T13:46:38.804869Z",
			"updated_at": "2026-04-10T02:00:03.107112Z",
			"deleted_at": null,
			"main_name": "Iron Group",
			"aliases": [
				"Iron Cyber Group"
			],
			"source_name": "MISPGALAXY:Iron Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434091,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56180159314949b2e90170af26a62b33bc972ea9.pdf",
		"text": "https://archive.orkl.eu/56180159314949b2e90170af26a62b33bc972ea9.txt",
		"img": "https://archive.orkl.eu/56180159314949b2e90170af26a62b33bc972ea9.jpg"
	}
}