Content, Breach

Malware Uninstalls Security Products on Linux Cloud Servers

A new malware strain can uninstall some security products from infected Linux cloud servers, researchers from Palo Alto Network’s Unit 42 said.

The hacking crew using the malware is referred to as “Rocke,” a Chinese-speaking actor engaged in distributing and executing cryptomining malware to mine Monero cryptocurrency in Linux machines, Unit 42 security researchers Xingyu Jin and Claud Xiao wrote in a blog post. (Notes: Jin is now a Google security engineer, according to his LinkedIn profile). The Rocke hackers were first tracked by Cisco’s Talos unit last April.)

The malware attacks vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, according to the researchers. There’s an ominous twist to the malicious code: The samples collected by Unit 42 are capable of skirting detection before showing capabilities to uninstall cloud security services developed by Chinese cloud providers Alibaba Cloud and Tencent Cloud. An earlier version of the malware only attempted to kill the Tencent Cloud Monitor process.

“The family was suspected to be developed by the Iron cybercrime group and it’s also associated with the Xbash malware we reported on in September of 2018,” the security specialists said. “In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” the blog reads.

The Rocke malware samples Unit 42 examined were able to uninstall five different cloud security and monitoring products, including:

  • Alibaba Threat Detection Service agent.
  • Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity).
  • Alibaba Cloud Assistant agent (tool for automatically managing instances).
  • Tencent Host Security agent.
  • Tencent Cloud Monitor agent.

At this point, the Rocke malware hasn’t targeted third party cloud workload protection platforms such as those from Microsoft, Symantec, Trend Micro and others. The malware Rocke uses is believed to be the first family capable of homing in on and removing cloud security products, born as a direct response to agent-based cloud security solutions and a new tactic for attacking public cloud infrastructure, the researchers wrote. “The variant of the malware used by the Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure,” they said. Both the Tencent Cloud and Alibaba Cloud websites offer user guides to uninstall their cloud security products.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.