Thursday, May 22, 2025
HomeMalwareChinese Threat Actors Rocke Launching Sophisticated Crypto-mining Malware to Mine Monero Cryptocurrency

Chinese Threat Actors Rocke Launching Sophisticated Crypto-mining Malware to Mine Monero Cryptocurrency

Published on

SIEM as a Service

Follow Us on Google News

New threat actor called Rocke distributing and executing crypto-mining malware using variously sophisticated toolkit and Git repositories to mine Monero cryptocurrency.

Malicious cryptocurrency miners are significantly increasing day by day in various form to generate revenue by various cyber criminals group and individuals.

In this case, an attacker using various distribution method including  HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.

- Advertisement - Google News

The initial stage of this campaign started in April 2018 when it leverages Chinese Git repositories to drop the malware to honeypot systems that were vulnerable to Apache Struts vulnerability.

Researcher learned that there are 2 Chinese repositories Gitee and GitLab is ultimately responsible for executing the cryptocurrency miner.

Also, the repository contains a collection of ELF executables, shell scripts, and text files with a lot more persistence mechanism.

This attack could be initiated by the same gang or individual cyber criminals who were exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271) which is Java deserialization vulnerability in the Adobe ColdFusion platform.

Apart from this attackers keep expanding the toolset that contains browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware to compromise the various platform victims.

Crypto-mining Malware with Monero Miner

The researcher observed a Struts2  honeypot system that contains a file named “0720.bin” which is located in 118[.]24[.]150[.]172:10555.

Once they visited the IP address that contains aditional 10 files “3307.bin,” “a7,” “bashf,” “bashg,” “config.json,” “lowerv2.sh,” “pools.txt,” “r88.sh,” “rootv2.sh” and “TermsHost.exe.”

One of the files called “A7” is a shell script that helps an attacker to kill the various running process on the victim’s machine and other crypto mining malware, uninstall various Chinese antivirus.

According to Cisco Talos, A file called “Config.json” is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor’s wallet as rocke@live.cn. This is why we have named the actor “Rocke”

Another file called “TermsHost.exe” is later in this campaign which is PE32 Monero miner also it called as  Monero Silent Miner.

Also, this miner can be purchased online for $14 and targets malicious actors and cybercriminals advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into “Windows processes to bypass firewalls.” Talos said.

Attackers infecting new victims via social engineering that involved with fake Adobe Flash and Google Chrome updates.

Also Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party...

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate...

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...

Hazy Hawk Targets DNS Vulnerabilities to Hijack Cloud Resources and Spread Malware

The threat actor gained attention in February 2025 after successfully hijacking a subdomain of...