
Case Analysis of Rocke Hacker Organization activities

2025-03-28 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

This article presents a case analysis of the Rocke hacker organization's activities. The editor considers it very practical and shares it here for study; we hope you gain something from reading it.

Overview of Rocke Organization

The Rocke campaign was first reported in August 2018. Rocke initially focused on Xbash, a data-destroying malware tool for Linux. Xbash compromises targets by exploiting unpatched vulnerabilities and then spreads further using weak passwords. When Rocke attacks an organization, it demands that the victim pay 0.2, 0.15 or 0.02 bitcoin (BTC) to recover the lost data. However, because Xbash deletes the database tables before the ransom is demanded, Rocke cannot actually recover any data. Rocke's BTC wallet shows 48 transfers, amounting to 0.964 BTC.

Rocke attack flow

The group's first-stage loader was written in Python and used Pastebin and GitHub as the hosting platforms from which the first-stage payload is downloaded. As of March 12, 2019, Rocke had also begun to use Golang. The first-stage payload directs the victim machine to connect to a Rocke domain or IP address, which triggers the download of the second-stage payload.

The group follows a 12-step operation, and its style has been consistent since Rocke was first reported:

1. The attacker uploads the first-stage payload to a third-party site (for example, Pastebin or GitHub)

2. The victim is lured into navigating to Pastebin/GitHub (for example, via spear phishing)

3. Known vulnerabilities are exploited (for example, in Oracle WebLogic, Adobe ColdFusion or Apache Struts)

4. The victim downloads the backdoor (for example, shell scripts or a JavaScript backdoor)

5. The victim runs the first-stage payload through a Python or Golang script and connects to the C2 server

6. The second-stage payload is downloaded and executed to gain administrative access to the system

7. Persistent control is established through cron jobs

8. Previously installed crypto-mining processes are found and killed

9. An iptables rule is added to prevent future (competing) mining processes

10. Agent-based cloud security tools are uninstalled (for example, Tencent Cloud and Aliyun agents)

11. Monero mining software is downloaded and installed

12. The process is hidden

Rocke Infrastructure

Rocke's malware reaches the attacker's infrastructure through hard-coded IP addresses, URLs and registered domain names, and eight domains are linked to Rocke's C2 operation. The domains and the associated Rocke infrastructure are listed in Table 1.

New Rocke attack

Before the Godlua analysis, research had shown that Rocke malware performed a single function on a compromised cloud system. The Godlua report, however, describes malware samples whose TTPs resemble Rocke's. Further research determined that not only do the TTPs match, but the hard-coded domains, URLs and IP addresses are identical to the hard-coded values in previously reported Rocke malware. The researchers analyzed four binaries posted to Reddit by a white-hat group dedicated to reducing network malware, and confirmed that the samples contain the hard-coded Rocke domain systemten[.]org. The samples also contain hard-coded links to Pastebin URLs from a known Rocke report:

hxxps://pastebin[.]com/raw/HWBVXK6H

hxxps://pastebin[.]com/raw/60T3uCcb

hxxps://pastebin[.]com/raw/rPB8eDpu

hxxps://pastebin[.]com/raw/wR3ETdbi

hxxps://pastebin[.]com/raw/Va86JYqw

As the Godlua analysis report shows, the IP address 104.238.151.101 and the URL d.heheda[.]tk are hard-coded. C2 connections to three heheda[.]tk domains, all of which resolved to 104.238.151.101, were also found in the Rocke-related malware posted to Reddit. In addition, the samples contain the known Rocke domains sowcar[.]com, z9ls[.]com, baocangwh[.]cn, gwjyhs[.]com and w2wz[.]cn as hard-coded values. Figure 1 shows how the known Rocke indicators were extracted from the Godlua and Reddit IoC reports.

The report provides evidence that Rocke has added a third-stage malware component: it issues a third C2 request to c.heheda[.]tk or c.cloudappconfig[.]com to download the LUA script named Godlua. This malware provides modular functionality for Rocke's operations. In addition to a DoS feature, the malware introduces the following new commands:

HANDSHAKE

HEARTBEAT

LUA

SHELL

UPGRADE

QUIT

SHELL2

PROXY

The Godlua report also describes Rocke's newly added LUA handling capability. It indicates that the attacker carried out a DoS attack against the domain name www.liuxiaobei.com. This domain does not resolve to any known system, and it is unclear what other functions the third-stage malware performs. However, with options such as "SHELL", "SHELL2", "UPGRADE" and "PROXY", the malware may be the beginning of a modular system agent that lets Rocke load newly added functional modules for more flexible crypto-mining and data destruction.

Discoveries in NetFlow

By capturing NetFlow communications in the cloud, the researchers found that 28.1% of the surveyed cloud environments had at least one active communication session with a known Rocke C2 domain. Some of them have been in daily contact since December 2018.

By applying Rocke's known TTPs, the researchers resolved the known Rocke domains to IP addresses over a specified time range, then queried network traffic for those IP addresses together with the IP addresses hard-coded in Rocke malware, and from this identified Rocke communications.

Hard-coded IP addresses give the clearest link to a victim. As of this writing, the following hostnames are known to have resolved to 104.238.151.101 since January 1, 2019:

c.cloudappconfig[.]com

d.cloudappconfig[.]com

f.cloudappconfig[.]com

img0.cloudappconfig[.]com

img2.cloudappconfig[.]com

v.cloudappconfig[.]com

c.heheda[.]tk

d.heheda[.]tk

dd.heheda[.]tk

These hostnames match those in the Godlua and Reddit reports, and any connection to this IP address should be treated as malicious. The researchers identified 411 connections from four monitored organizations, each of which established eight or more network connections to 104.238.151.101. Organization 1 had the longest span between its first-seen and last-seen connection, five days, while Organization 4 had the shortest, a single hour (see Table 2).

Pivoting from 104.238.151.101, these four organizations were also found connecting to other known Rocke domains. Organization 1 connected to three Rocke domains, with 290 connections, between April 12 and May 31, 2019. Organization 4 connected to seven domains, with 8231 connections, between March 20 and May 15, 2019. As Table 3 shows, all four organizations connected to one or more of the seven known Rocke domains during the period in which they were connecting to Rocke's hard-coded IP address 104.238.151.101.

Rocke communication mode

The researchers then tried to determine whether the initial payload download from Pastebin could be identified in NetFlow data. They found that 50 organizations in total had network connections to Pastebin. Of those 50, 8 connected to Pastebin within the same hour as a connection to a Rocke domain. Because the minimum granularity of the NetFlow data is one hour, and full packet captures are not available to confirm the nature of each connection, the exact time at which an organization was compromised cannot be determined.

Looking at Rocke network traffic in the NetFlow data, a distinctive pattern emerges (see Figure 2): a connection to Pastebin is established first, followed by a connection to a Rocke domain, and the pattern repeats every hour. Figure 2 also shows a connection to Pastebin, then to the known Rocke domains z9ls.com and systemten.org, and to the hard-coded IP address 104.238.151.101 within the same hour. This pattern is characteristic of the third-stage malware's activity and represents beacon- or heartbeat-style behavior.
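The two hunting steps described above, resolving the known Rocke domains over a time window and then querying flows by IP (the NetFlow method), and spotting the hourly Pastebin-then-Rocke beacon pattern, can be run over flow records as follows. This is an added example written for this article, not code from the original report. The indicators (104.238.151.101, the heheda[.]tk and cloudappconfig[.]com hostnames, the known Rocke domains, pastebin[.]com) are the ones the article lists; the passive-DNS table, the simplified `org,hour,dst_ip` flow format, the organization names, the timestamps and every 192.0.2.x address are constructed placeholders.

```python
"""Hunt NetFlow-style records for contact with Rocke infrastructure.

Added example for this article, not code from the original report. Indicators
(the hard-coded IP 104.238.151.101, the heheda[.]tk / cloudappconfig[.]com
hostnames, the known Rocke domains) come from the article; the record format,
organization names, timestamps and all 192.0.2.x addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the article, kept defanged ([.]) so they are not clickable.
HARD_CODED_IPS = {"104.238.151.101"}
ROCKE_DOMAINS = {"systemten[.]org", "sowcar[.]com", "z9ls[.]com", "baocangwh[.]cn",
                 "gwjyhs[.]com", "w2wz[.]cn", "heheda[.]tk", "cloudappconfig[.]com"}
STAGING_DOMAINS = {"pastebin[.]com"}  # first-stage payload host named in the article

# Constructed passive-DNS observations (hostname, ip, first_seen, last_seen). Only the
# 104.238.151.101 resolutions are stated in the article; 192.0.2.x values are placeholders.
PDNS = [
    ("c.heheda[.]tk", "104.238.151.101", "2019-01-01", "2019-06-30"),
    ("c.cloudappconfig[.]com", "104.238.151.101", "2019-01-01", "2019-06-30"),
    ("z9ls[.]com", "192.0.2.10", "2019-04-01", "2019-05-31"),
    ("systemten[.]org", "192.0.2.20", "2019-04-01", "2019-05-31"),
    ("z9ls[.]com", "192.0.2.99", "2018-01-01", "2018-12-31"),  # stale, outside hunt window
    ("pastebin[.]com", "192.0.2.80", "2019-01-01", "2019-06-30"),
]

# Constructed NetFlow export at the one-hour granularity the article mentions: org,hour,dst_ip
FLOWS = """\
org1,2019-05-01T01:00,192.0.2.80
org1,2019-05-01T01:00,104.238.151.101
org1,2019-05-01T02:00,192.0.2.80
org1,2019-05-01T02:00,192.0.2.10
org1,2019-05-01T03:00,192.0.2.80
org1,2019-05-01T03:00,104.238.151.101
org1,2019-05-01T03:00,192.0.2.20
org2,2019-05-01T01:00,192.0.2.80
org2,2019-05-01T09:00,192.0.2.99
org3,2019-05-02T10:00,104.238.151.101
"""

def _refang(name):
    return name.replace("[.]", ".")

def _matches(host, domains):
    host = _refang(host).lower()
    return any(host == d or host.endswith("." + d) for d in map(_refang, domains))

def resolve_window(pdns, start, end):
    """Map IP -> label for resolutions valid inside [start, end], plus the hard-coded IPs.
    As in the article, domains are resolved over a time range first because NetFlow
    carries addresses, not names; a hard-coded IP keeps its own label."""
    labels = {ip: "hardcoded" for ip in HARD_CODED_IPS}
    for host, ip, first, last in pdns:
        if last < start or first > end:  # ISO dates compare correctly as strings
            continue
        if _matches(host, ROCKE_DOMAINS):
            labels.setdefault(ip, "rocke:" + _refang(host))
        elif _matches(host, STAGING_DOMAINS):
            labels.setdefault(ip, "staging:" + _refang(host))
    return labels

def parse_flows(text):
    """Parse 'org,hour,dst_ip' lines into (org, datetime, dst_ip) tuples."""
    rows = []
    for line in text.splitlines():
        org, hour, dst = line.strip().split(",")
        rows.append((org, datetime.fromisoformat(hour), dst))
    return rows

def rocke_contacts(flows, labels):
    """Per-org summary of Rocke contacts (cf. Table 2); staging-only flows are skipped."""
    seen = defaultdict(list)
    for org, ts, dst in flows:
        label = labels.get(dst)
        if label and not label.startswith("staging:"):  # Pastebin alone is not evidence
            seen[org].append((ts, label))
    return {org: {"count": len(v), "first": min(t for t, _ in v),
                  "last": max(t for t, _ in v), "hits": {l for _, l in v}}
            for org, v in seen.items()}

def staging_then_rocke(flows, labels):
    """Sorted (org, hour) buckets in which an org reached both Pastebin and Rocke infrastructure."""
    kinds = defaultdict(set)
    for org, ts, dst in flows:
        if dst in labels:
            kinds[(org, ts)].add(labels[dst].split(":")[0])
    return sorted(k for k, v in kinds.items() if "staging" in v and v & {"rocke", "hardcoded"})

def longest_beacon_run(hits):
    """Longest run of consecutive hours per org showing the Pastebin-then-Rocke pattern;
    a multi-hour run is the hourly beacon-like behavior the article describes."""
    by_org = defaultdict(list)
    for org, ts in hits:
        by_org[org].append(ts)  # hits are sorted, so each list is already in time order
    runs = {}
    for org, hours in by_org.items():
        best = cur = 1
        for prev, nxt in zip(hours, hours[1:]):
            cur = cur + 1 if nxt - prev == timedelta(hours=1) else 1
            best = max(best, cur)
        runs[org] = best
    return runs
```

With the constructed data, `resolve_window(PDNS, "2019-04-01", "2019-05-31")` drops the stale 2018 z9ls resolution, `rocke_contacts` reports org1 with four Rocke contacts across a two-hour span and ignores org2 (Pastebin only), and `longest_beacon_run` finds the three consecutive Pastebin-then-Rocke hours for org1. The time-window check matters in real hunts: an IP a Rocke domain pointed to a year ago may belong to someone else today, so matching flows against stale resolutions produces false positives.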

Solution

To address a Rocke intrusion in a cloud environment, the following measures are recommended:

1. Update all cloud system templates with the latest patches and versions.

2. Rebuild all cloud systems on a regular cycle from the latest patched and updated cloud templates.

3. Purchase and deploy cloud monitoring products, covering compliance checking, network traffic and user behavior.

4. Review the cloud network configuration, security policies, and groups to ensure that they meet current compliance requirements.

5. Use the cloud container vulnerability scanner.

6. Update all threat intelligence sources.

7. Investigate cloud network traffic connected to a known malicious domain or IP.

8. Investigate the egress traffic of the organization's cloud environment.

The Rocke group continues to develop its tooling and exploits vulnerabilities disclosed in 2016 and 2017 to attack misconfigured cloud infrastructure. It uses stealthy malware to gain administrative access to cloud systems. The malware can be detected by its traffic pattern and by its hard-coded IP addresses and URLs.


© 2024 shulou.com SLNews company. All rights reserved.
