Rocke

aka: Aged Libra

This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.

Associated Families
elf.kerberods, elf.pro_ocean

References

2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Aged Libra
Tags: Xbash, Rocke

2021-02-03 | Seguranca Informatica | Pedro Tavares
New cryptojacking malware called Pro-Ocean is now attacking Apache, Oracle and Redis servers

2021-01-28 | Palo Alto Networks Unit 42 | Aviv Sasson
Pro-Ocean: Rocke Group’s New Cryptojacking Malware

2019-09-11 | Talos Intelligence | Luke DuCharme, Paul Lee
Watchbog and the Importance of Patching

2019-05-28 | Fortinet | Joie Salvio
Threat Research: New Rocke Variant Ready to Box Any Mining Challengers

2019-05-09 | Intezer | Ignacio Sanmillan
Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud
Tags: GreedyAntd, Pacha Group, Rocke

2019-05-07 | SANS ISC InfoSec Forums | Renato
Vulnerable Apache Jenkins exploited in the wild

2019-05-07 | Trend Micro | Augusto Remillano II, Robert Malagad
CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit

2019-03-15 | Anomali | Threat Research Team
Rocke Evolves Its Arsenal With a New Malware Family Written in Golang

2019-01-17 | Palo Alto Networks Unit 42 | Claud Xiao, Xingyu Jin
Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products

2018-08-30 | Cisco Talos | David Liebenberg
Rocke: The Champion of Monero Miners

Credits: MISP Project