Rocke

aka: Aged Libra

This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.


Associated Families
elf.kerberods, elf.pro_ocean

References
2022-07-18 - Palo Alto Networks Unit 42 - Unit 42
@online{42:20220718:aged:83ea482, author = {Unit 42}, title = {{Aged Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/agedlibra/}, language = {English}, urldate = {2022-07-29} }
Associated: Xbash, Rocke

2021-02-03 - Seguranca Informatica - Pedro Tavares
@online{tavares:20210203:new:7f76299, author = {Pedro Tavares}, title = {{New cryptojacking malware called Pro-Ocean is now attacking Apache, Oracle and Redis servers}}, date = {2021-02-03}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/}, language = {English}, urldate = {2021-02-18} }
Associated: Pro-Ocean

2021-01-28 - Palo Alto Networks Unit 42 - Aviv Sasson
@online{sasson:20210128:proocean:1d9aa09, author = {Aviv Sasson}, title = {{Pro-Ocean: Rocke Group's New Cryptojacking Malware}}, date = {2021-01-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/}, language = {English}, urldate = {2021-01-29} }
Associated: Pro-Ocean

2019-09-11 - Talos Intelligence - Luke DuCharme, Paul Lee
@online{ducharme:20190911:watchbog:7f5240b, author = {Luke DuCharme and Paul Lee}, title = {{Watchbog and the Importance of Patching}}, date = {2019-09-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/09/watchbog-patching.html}, language = {English}, urldate = {2020-05-18} }
Associated: kerberods

2019-05-28 - Fortinet - Joie Salvio
@online{salvio:20190528:threat:1e65f3f, author = {Joie Salvio}, title = {{Threat Research: New Rocke Variant Ready to Box Any Mining Challengers}}, date = {2019-05-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html}, language = {English}, urldate = {2019-11-23} }
Associated: kerberods

2019-05-09 - Intezer - Ignacio Sanmillan
@online{sanmillan:20190509:technical:7bdfc33, author = {Ignacio Sanmillan}, title = {{Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud}}, date = {2019-05-09}, organization = {Intezer}, url = {https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/}, language = {English}, urldate = {2020-01-13} }
Associated: GreedyAntd, Pacha Group, Rocke

2019-05-07 - SANS ISC InfoSec Forums - Renato
@online{renato:20190507:vulnerable:2c38a5f, author = {Renato}, title = {{Vulnerable Apache Jenkins exploited in the wild}}, date = {2019-05-07}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916}, language = {English}, urldate = {2020-01-10} }
Associated: kerberods

2019-05-07 - Trend Micro - Augusto Remillano II, Robert Malagad
@online{ii:20190507:cve20193396:42de798, author = {Augusto Remillano II and Robert Malagad}, title = {{CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/}, language = {English}, urldate = {2020-01-13} }
Associated: kerberods

2019-03-15 - Anomali - Threat Research Team
@online{team:20190315:rocke:a64a1b3, author = {Threat Research Team}, title = {{Rocke Evolves Its Arsenal With a New Malware Family Written in Golang}}, date = {2019-03-15}, organization = {Anomali}, url = {https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang}, language = {English}, urldate = {2020-01-08} }
Associated: kerberods

2019-01-17 - Palo Alto Networks Unit 42 - Xingyu Jin, Claud Xiao
@online{jin:20190117:malware:f880151, author = {Xingyu Jin and Claud Xiao}, title = {{Malware Used by "Rocke" Group Evolves to Evade Detection by Cloud Security Products}}, date = {2019-01-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/}, language = {English}, urldate = {2020-01-07} }
Associated: Rocke

2018-08-30 - Cisco Talos - David Liebenberg
@online{liebenberg:20180830:rocke:7bdc336, author = {David Liebenberg}, title = {{Rocke: The Champion of Monero Miners}}, date = {2018-08-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html}, language = {English}, urldate = {2020-05-18} }
Associated: Rocke

Credits: MISP Project