Unit 42 (the Palo Alto Networks threat intelligence team) has released a new report on the Rocke group using new Linux coin mining malware to uninstall five different Tencent and Alibaba cloud security products from compromised Linux servers to cryptojack. To the best of Unit 42’s knowledge, this is the first malware family that has developed the unique capability to target and remove cloud security products.
These new samples of Linux coin mining malware, which Unit 42 captured and investigated, were associated with the previously reported Xbash malware used to mine Monero <https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/> .
Key findings include:
- Rocke group conducting cryptojacking attacks: The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines.
- These attacks did not compromise the Tencent and Alibaba security products: Rather, the attackers first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.
- New trend of evasion: Unit 42 believes this unique evasion behaviour will be a new trend for malware that targets public cloud infrastructure and wants to avoid being detected by cloud security products.
