← All Threat Actors
Threat Actor Profile

Rocke

Aged Libra G0106
▲ High Threat
This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.
Origin

Known TTPs

Exploit Public-Facing Application
Rootkit
Obfuscated Files or Information
Web Service
Unix Shell
System Information Discovery
Application Layer Protocol
Ingress Tool Transfer
Compute Hijacking
Compile After Delivery
Dynamic Linker Hijacking
Hidden Files and Directories
Cron
Python
Network Service Discovery
Portable Executable Injection
Dead Drop Resolver
Boot or Logon Initialization Scripts
Software Packing
Registry Run Keys / Startup Folder
Linux and Mac Permissions
Process Discovery
Systemd Service
Remote System Discovery
Disable or Modify System Firewall
Deobfuscate/Decode Files or Information
Clear Linux or Mac System Logs
Private Keys
File Deletion
Web Protocols
Disable or Modify Tools
Non-Standard Port
SSH
Timestomp
Match Legitimate Resource Name or Location
Security Software Discovery

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD