Researchers say they have discovered a unique malware family that gains admin rights on targeted systems and then uses those rights to uninstall cloud-security products. Instances of the malicious activity are tied to coin-mining malware targeting Linux servers.
Palo Alto Networks’ Unit 42, which published the report Thursday, said that the malware samples it found do not compromise, end-run or attack the security and monitoring products in question; they rather simply uninstall them from compromised Linux servers.
“In our analysis, these attacks did not compromise these security products: Rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” Xingyu Jin and Claud Xiao, Unit 42 researchers, said in a technical write-up.
Specifically, the malware samples set about uninstalling products developed by Tencent Cloud and Alibaba Cloud (Aliyun), two leading cloud providers in China that are expanding their business globally, researchers said. These security suites include key features such as trojan detection and removal based on machine learning, logging activity audits and vulnerability management.
“Palo Alto Networks Unit 42 has been cooperating with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure,” Ryan Olson, vice president of threat intelligence for Unit 42, told Threatpost. “To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products.”
The new malware is being actively used by the Rocke threat group. Rocke was first reported by Cisco Talos in July 2018, and pegged as an increasingly formidable Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.
To deliver the malware to the victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion, Unit 42 researchers said.
Once the malware is downloaded, it establishes a connection to a command-and-control (C2) server and downloads a shell script called “a7” onto the system.
That shell script then carries out an array of malicious activities, including killing other cryptomining processes on the system, downloading and running a coin-miner, and hiding its processes from the Linux process listing by using the open-source tool “libprocesshider.”
It is at this stage that the latest malware samples include a function that deploys the never-before-seen trick: they can uninstall cloud workload protection platforms, the agent-based security solutions for public cloud infrastructure.
The affected agents include the Alibaba Threat Detection Service agent, Alibaba CloudMonitor agent and Alibaba Cloud Assistant agent, as well as the Tencent Host Security agent and Tencent Cloud Monitor agent.
The Tencent Cloud and Alibaba Cloud official websites provide documents to guide users about how to uninstall their cloud security products; researchers said it appears the new malware samples used by Rocke group follow these official uninstallation procedures.
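Because the agents are removed through the vendors' own uninstall procedures, the agent cannot raise an alert about its own removal; the defender's signal is the agent's absence, seen from an out-of-band source, plus the libprocesshider hook in /etc/ld.so.preload. The following is an added example (not code from the Unit 42 report or from either cloud vendor) of such a check; the agent process names, the preload path and the host state are constructed placeholders.

```python
from datetime import datetime, timedelta

# Hypothetical placeholder process names standing in for the Alibaba and
# Tencent agents named in the article; substitute the real agent names.
EXPECTED_AGENTS = {"cloud-threat-detection-agent", "cloud-monitor-agent"}
MAX_SILENCE = timedelta(minutes=15)


def missing_agents(running_processes):
    """Expected agents that are not running. A clean uninstall through the
    vendor's own procedure raises no alert, so absence itself is the signal."""
    return sorted(EXPECTED_AGENTS - set(running_processes))


def preload_entries(ld_so_preload_text):
    """Non-comment entries in /etc/ld.so.preload. libprocesshider hides the
    miner by registering a shared object here; on most servers the file is
    absent or empty, so any entry deserves a look."""
    return [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def stale_heartbeat(last_seen, now):
    """True when the agent's last check-in recorded by the cloud console (a
    source the compromised host cannot edit) is older than MAX_SILENCE."""
    return now - last_seen > MAX_SILENCE


def assess_host(running_processes, ld_so_preload_text, last_seen, now):
    """Combine the three checks into a list of findings for one host."""
    findings = [f"agent not running: {a}" for a in missing_agents(running_processes)]
    findings += [f"ld.so.preload entry: {e}" for e in preload_entries(ld_so_preload_text)]
    if stale_heartbeat(last_seen, now):
        findings.append("agent heartbeat stale in cloud console")
    return findings


def demo():
    """Constructed sample host state, not captured data."""
    now = datetime(2019, 1, 18, 12, 0)
    clean = assess_host(["sshd", "cloud-threat-detection-agent", "cloud-monitor-agent"],
                        "", now - timedelta(minutes=2), now)
    suspect = assess_host(["sshd", "constructed-coinminer"],      # agents gone
                          "/usr/local/lib/libprocesshider.so\n",  # constructed path
                          now - timedelta(hours=3), now)
    return {"clean": clean, "suspect": suspect}


if __name__ == "__main__":
    for host, findings in demo().items():
        print(host, findings or ["no findings"])
```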
Neither Tencent Cloud nor Alibaba Cloud responded to Threatpost’s request for comment.
As for the malware itself, Unit 42 researchers also suspect that the family was developed by the Iron cybercrime group (the payloads of Iron’s and Rocke’s malware are similar, and the malware reaches out to similar infrastructure, Talos researchers said in their report).
The malware is also associated with the Xbash malware, a sophisticated family in the wild disclosed by Unit 42 researchers in September, which wreaks havoc on Windows and Linux systems with a combination of data-destructive ransomware and malicious cryptomining.
However, this sample’s ability to uninstall security tools on compromised systems takes it a step further when it comes to targeting public cloud infrastructure.
“The variant of the malware used by Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure,” researchers said in their report. “We believe this unique evasion behavior will be the new trend for malware that targets public cloud infrastructure.”