Rocke Evolves Its Arsenal With a New Malware Family Written in Golang

released on 2019-03-15 @ 07:39:40 PM
The “Rocke group”, a Chinese threat actor group that specializes in cryptojacking, has shifted gears on how they’re stealing your cycles. Rocke is actively updating and pushing a new dropper that uses Pastebin for Command and Control (C2). Updates to the C2 have been seen as recently as March 13th, 2019, which leads researchers to believe this campaign is ongoing. According to VirusTotal, detection of the new dropper is nearly non-existent. In previous campaigns the group has been observed using the “ld.so.preload” mechanism to hook libc functions. The hooking hides the dropper and the mining software installed by the malware and prevents them from showing up in the “currently running” process list. The group is using this tactic in the new campaign as well. The miner uses a private mining pool hosted on DigitalOcean, which is a change from the threat actor’s previous tactics.
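As an added defender-side example (not code from the article or from the researchers it summarizes), the following Python checks a Linux host for the two artefacts described above: entries in /etc/ld.so.preload, and processes that a hooked libc readdir() drops from /proc directory listings but that still answer stat(). The sample file content, the library path in it and the empty allowlist are constructed for the demo.

```python
import os


def parse_preload(text):
    """Library paths in ld.so.preload content: glibc splits on whitespace
    or ':' and treats '#' to end of line as a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def unapproved_preloads(text, approved=()):
    """Preload entries not on an explicit allowlist; each is a candidate
    for the libc hooking the article describes (a clean host has none)."""
    return [p for p in parse_preload(text) if p not in approved]


def find_hidden_pids(listed, exists, pid_max):
    """PIDs whose /proc/<pid> answers stat() but is missing from the
    readdir() listing, which is what a hooked readdir produces. `listed`
    is os.listdir('/proc') output; `exists` is a path predicate, injected
    so the logic is testable offline. A hook that also wraps stat()/open()
    lies to both views; then use a static binary or an offline image."""
    seen = {int(name) for name in listed if name.isdigit()}
    return [pid for pid in range(1, pid_max + 1)
            if pid not in seen and exists(f"/proc/{pid}")]


# Constructed sample file content for the demo, not from any real host.
SAMPLE_PRELOAD = "# installer\n/usr/local/lib/libexample.so:/lib/libc.so.6\n"


def scan_live_host():
    """Run both checks against the current Linux host."""
    try:
        with open("/etc/ld.so.preload") as fh:
            flagged = unapproved_preloads(fh.read())
    except FileNotFoundError:
        flagged = []  # the expected state: no preload file at all
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    hidden = find_hidden_pids(os.listdir("/proc"), os.path.exists, pid_max)
    return flagged, hidden


if __name__ == "__main__":
    print("sample file flags:", unapproved_preloads(SAMPLE_PRELOAD))
    print("live host (preloads, hidden pids):", scan_live_host())
```

The live scan stats every PID up to pid_max, so it takes a few seconds on hosts where pid_max is 4194304; a non-empty result from either check is a lead for investigation, not proof of compromise on its own.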