{
	"id": "e0b13529-f6be-4385-a65c-ef3ad0f46fc5",
	"created_at": "2026-04-06T00:14:42.853372Z",
	"updated_at": "2026-04-10T03:32:46.244465Z",
	"deleted_at": null,
	"sha1_hash": "f7cac6233d494a238366b323fc702dbb15cfe334",
	"title": "Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1247585,
	"plain_text": "Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products\r\nBy Xingyu Jin, Claud Xiao\r\nPublished: 2019-01-17 · Archived: 2026-04-05 13:11:44 UTC\r\nPalo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin mining malware used by the Rocke group. The family is suspected to have been developed by the Iron cybercrime group, and it is also associated with the Xbash malware we reported on in September of 2018. The threat actor Rocke was originally revealed by Talos in August of 2018, and many remarkable behaviors were disclosed in their blog post. The samples described in this report were collected in October of 2018, and since that time the command and control servers they use have been shut down.\r\nDuring our analysis, we realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.\r\nThese products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China, which are expanding their business globally. To the best of our knowledge, this is the first malware family that has developed the unique capability to target and remove cloud security products. This also highlights a new challenge for products in the Cloud Workload Protection Platforms market defined by Gartner.\r\nTechnical Details\r\nThe Coin Miner used by Rocke Group\r\nThe threat actor Rocke was first reported by Cisco Talos in late July 2018. 
The ultimate goal of this threat is to mine Monero cryptocurrency on compromised Linux machines.\r\nTo deliver the malware to the victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion. For example, by exploiting the Oracle WebLogic vulnerability CVE-2017-10271 on Linux, as shown in Figure 1, a compromised Linux victim machine downloads the backdoor 0720.bin and opens a shell.\r\nhttps://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/\r\nPage 1 of 7\n\nFigure 1. Exploit CVE-2017-10271\r\nOnce the C2 connection is established, the malware used by the Rocke group downloads a shell script named “a7” to the victim machine. The behaviors of a7 include:\r\nAchieve persistence through cronjobs\r\nKill other crypto mining processes\r\nAdd iptables rules to block other crypto mining malware\r\nUninstall agent-based cloud security products\r\nDownload and run a UPX-packed coin miner from blog[.]sydwzl[.]cn\r\nHide the process from the Linux ps command by using the open source tool “libprocesshider” with the LD_PRELOAD trick\r\nAdjust malicious file date and time stamps\r\nCloud Workload Protection Platforms\r\nAccording to Gartner, Cloud Workload Protection Platforms (CWPPs) are agent-based, workload-centric security protection solutions. 
To mitigate the impact of malware intrusions in public cloud infrastructure, cloud service providers develop their own CWPPs as server security operation and management products.\r\nFor example, Tencent Cloud offers Tencent Host Security (HS, aka YunJing云镜) with various security protection services. According to its “Product Overview” document, Tencent Host Security provides key security features like trojan detection and removal based on machine learning, password cracking alerts, logging activity audit, vulnerability management, and asset management, as shown in Figure 2.\r\nFigure 2. Tencent Host Security Key Features\r\nAlibaba Cloud (Aliyun) also offers a cloud security product called Threat Detection Service (TDS, aka Aegis 安骑士). Alibaba Cloud Threat Detection Service provides security services like malware scanning and removal, vulnerability management, log analysis, and threat analysis based on big data.\r\nThird-party cybersecurity companies also provide CWPPs. For instance, Trend Micro, Symantec, and Microsoft have their own cloud security products for public cloud infrastructure. As with all security products, adversaries inevitably work to evade these systems to be able to achieve their ultimate goals.\r\nEvading Detection from Cloud Workload Protection Platforms\r\nIn response to agent-based Cloud Workload Protection Platforms from cloud service providers, malware used by the Rocke group gradually developed the capability to evade detection before exhibiting any malicious behaviors. 
To be more specific, the malware uninstalls cloud security products from Alibaba Cloud and Tencent Cloud.\r\nIn the early version of the malware used by Rocke, it only attempts to kill the Tencent Cloud Monitor process, as shown in Figure 3.\r\nFigure 3. Malware kills Tencent Cloud Monitor process\r\nRealizing that killing the cloud monitor service alone is not enough to evade detection by agent-based cloud security products, the malware authors continued developing more effective methods to evade detection by killing more agent-based cloud security services.\r\nThe Tencent Cloud and Alibaba Cloud official websites provide documents that guide users through uninstalling their cloud security products. The document for uninstalling Alibaba Threat Detection Service is shown in Figure 4.\r\nFigure 4. Official guide for uninstalling Alibaba Threat Detection Service\r\nThe document for uninstalling Tencent Cloud Host Security is shown in Figure 5.\r\nFigure 5. Official guide for uninstalling Tencent Cloud Host Security Product\r\nThe malware used by the Rocke group follows the uninstallation procedure provided by Alibaba Cloud and Tencent Cloud, as well as some random blog posts on the Internet. The key uninstall function is shown in Figure 6.\r\nFigure 6. Key function for malware to evade detection\r\nThis function can uninstall:\r\n1. Alibaba Threat Detection Service agent.\r\n2. Alibaba CloudMonitor agent (monitors CPU \u0026 memory consumption and network connectivity).\r\n3. Alibaba Cloud Assistant agent (tool for automatically managing instances).\r\n4. 
Tencent Host Security agent.\r\n5. Tencent Cloud Monitor agent.\r\nAfter the agent-based cloud security and monitoring products are uninstalled, the malware used by the Rocke group begins to exhibit malicious behaviors. We believe this unique evasion behavior will be the new trend for malware that targets public cloud infrastructure.\r\nMitigations\r\nPalo Alto Networks Unit 42 has been cooperating with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure. Additionally, the malicious C2 domains are identified by our PAN-DB URL Filtering.\r\nConclusion\r\nPublic cloud infrastructure is one of the main targets for this cybercrime group. Realizing that existing cloud monitoring and security products may detect a malware intrusion, malware authors continue to create new evasion techniques to avoid being detected by cloud security products.\r\nThe variant of the malware used by the Rocke group is an example that demonstrates that agent-based cloud security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure.\r\nIndicators of Compromise\r\nSamples with the evasion 
behavior\r\nDomains for C2 Communication\r\ndwn[.]rundll32[.]ml\r\nwww[.]aybc[.]so\r\na[.]ssvs[.]space\r\nsydwzl[.]cn\r\nIPs for C2 Communication\r\n118.24.150[.]172 (on Tencent Cloud)\r\n120.55.54[.]65 (on Alibaba Cloud)\r\nURLs for Code Update\r\nXMR Wallet Address\r\n42im1KxfTw2Sxa716eKkQAcJpS6cwqkGaHHGnnUAcdDhG2NJhqEF1nNRwjkBsYDJQtDkLCTPehfDC4zjMy5hefT81Xk2h7V.\r\nSource: 
https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/"
	],
	"report_names": [
		"malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7cac6233d494a238366b323fc702dbb15cfe334.pdf",
		"text": "https://archive.orkl.eu/f7cac6233d494a238366b323fc702dbb15cfe334.txt",
		"img": "https://archive.orkl.eu/f7cac6233d494a238366b323fc702dbb15cfe334.jpg"
	}
}