Rocke is a China-based cybercrime group and according to research from Unit 42, the global threat intelligence team at Palo Alto Networks, more than 28% of cloud environments may be compromised by it.
After spending six months researching the cybercrime group, Unit 42 has released high-level results from its investigation. It concluded that Rocke, which is the best-known threat actor engage in crypto mining operations targeting the cloud, is able to conduct operations with little interference and limited detection risk.
Unit 42 analyzed NetFlow data between December 2018 and June 16, 2019 to find that 28.1% of the cloud environments it surveyed had at least one fully established network connection with at least on known Rocke C2 domain. Out of those organizations, several maintained near daily connections. Meanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques and procedures (TTPs).
In addition, Rocke has also released a new tool called Godlua, which could function as an agent, allowing the group's actors to perform additional scripted operations, including denial of service (DoS) attacks, network proxying and two shell capabilities. With its research, Unit 42 discovered network traffic identification patterns within NetFlow traffic that provided unique insight into Rocket TTPs and how defenders can develop detection capabilities.
Rocke, which is also known as the Iron Group, SystemTen, Kerberods/Khugepageds, and even ex-Rocke was initially associated with ransomware campaigns through the use of its Linux-focused Xbash tool, a data-destruction malware similar in functionality to NotPetya. The activities of Rocke were originally reported in August 2018.