A new Linux cryptocurrency mining malware used by the Rocke group can evade detection by cloud security products by uninstalling them.
Palo Alto’s Unit 42 researchers spotted what appears to be the first malware family that can target and remove cloud security products, according to a blog post.
“Public cloud infrastructure is one of the main targets for this cybercrime group,” the post said. “Realizing the existing cloud monitor and security products may detect the possible malware intrusion, malware authors continue to create new evasion technologies to avoid being detected by cloud security product.”
The malware doesn’t compromise the products, but instead first gains administrative control and then uninstalls the products in the same manner a legitimate administrator would. The malware specifically targets products developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China.
Earlier malware versions used by Rocke only attempted to kill the cloud monitoring process, but the threat actors went looking for more effective methods of evading detection.
The threat actors didn’t have to look far after realizing most of the information for how to remove the security products was readily available.
The official websites of both Tencent Cloud and Alibaba Cloud provide instructions on how to uninstall their security products, which the malware appears to have used, in conjunction with other blogs on the internet, to disable the products.
The malware can uninstall five security products including: Alibaba Threat Detection Service agent, Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity), Alibaba Cloud Assistant agent (tool for automatically managing instances), Tencent Host Security agent, and Tencent Cloud Monitor agent.
Once a host is infected, the malware establishes a C2 connection and then downloads a shell script that achieves persistence through cron jobs, kills other cryptomining processes, adds iptables rules to block other cryptomining malware, downloads and runs a UPX-packed coin miner, hides its processes from the Linux ps command, and adjusts the malicious file's timestamp.
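Because each step of that chain is an ordinary administrative command, the useful detection is correlation rather than any single signature. The following is an added example, not code from Unit 42 or the article: it scans process-execution records in an assumed "<timestamp> <host> <user> <command line>" layout for the stages described above and flags hosts that show several of them, or any removal of a cloud security agent at all. Vendor keywords are only the ones the article names; the sample records are constructed.

```python
import re
from collections import defaultdict

# One regex per stage of the chain described above. Vendor words are those the
# article names; no specific agent binary or package name is assumed.
STAGES = {
    "agent_uninstall": re.compile(r"\b(uninstall|remove)\b.*\b(aliyun|alibaba|tencent|cloudmonitor)\b", re.I),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron\.(d|hourly|daily)"),
    "kill_competitors": re.compile(r"\b(pkill|killall)\b"),
    "iptables_block": re.compile(r"\biptables\b.*\s-[AI]\s"),
    "timestomp": re.compile(r"\btouch\b.*\s-[dtr]\b"),
}
# Assumed record layout: "<timestamp> <host> <user> <command line>".
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

def match_stages(cmd):
    """Return the set of chain stages a single command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}

def scan(lines):
    """Group matched stages per host: {host: {stage: [cmd, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        for stage in match_stages(m["cmd"]):
            hits[m["host"]][stage].append(m["cmd"])
    return hits

def alerts(lines, min_stages=3):
    """Hosts with >= min_stages distinct stages, or any agent removal at all.

    A lone agent uninstall is escalated because, as the article notes, it looks
    exactly like an admin action unless it is reconciled with change records.
    """
    return {host: sorted(stages) for host, stages in scan(lines).items()
            if "agent_uninstall" in stages or len(stages) >= min_stages}

# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
2019-01-17T10:00:01 web-01 root /bin/sh /tmp/uninstall.sh aliyun-assist
2019-01-17T10:00:02 web-01 root pkill -f miner
2019-01-17T10:00:03 web-01 root iptables -A INPUT -s 203.0.113.5 -j DROP
2019-01-17T10:00:04 web-01 root crontab /tmp/.cron
2019-01-17T10:00:05 web-01 root touch -d "2017-08-08 08:08:08" /tmp/.miner
2019-01-17T10:05:00 web-02 deploy crontab -l
2019-01-17T10:06:00 web-02 deploy touch /var/www/index.html
""".splitlines()
```

Running `alerts(SAMPLE_LOG)` reports only web-01; the routine cron and touch commands on web-02 never reach the threshold.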
Researchers suspect the malware was developed by the Iron cybergang and is also associated with the Xbash malware. Unit 42 researchers are also working with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure.