Rocke, also known as the Iron Cybercrime Group, is a significant threat actor in the cybersecurity landscape. Identified by Talos in 2018, Rocke has been linked to various malicious activities, including the deployment of an ELF backdoor for financial gain. The group's primary motivation appears to be financial; it uses botnets and ransomware to achieve its objectives. Its operations have evolved over time, with increasing sophistication evident in its malware and attack vectors. One notable payload was UPX packed and exhibited behavior similar to that of the file "dDNLQrsBUE.url" dropped by "TermsHost.exe".
Despite targeting vulnerable Redis instances and performing worm-like operations, Rocke does not share known links with other threat actor groups that target Redis and deploy worms, such as Automated Libra (aka PurpleUrchin), Adept Libra (aka TeamTNT), Thief Libra (aka WatchDog), Money Libra (aka Kinsing), Aged Libra (aka Rocke), or Returned Libra (aka 8220). This distinct operational style further underlines Rocke's unique threat profile within the cybersecurity landscape.
Furthermore, Rocke has demonstrated interest in browser-based JavaScript mining through the tool CryptoNote and browser-based exploitation via the Browser Exploitation Framework. These varied campaigns highlight the diverse infection vectors, malware, and infrastructure that this group is willing to employ to reach its goals. Evidence from GitHub suggests an affiliation between Rocke and Jiangxi Normal University, although the nature of this relationship remains unclear. The continuous evolution and diversification of Rocke's tactics underscore the importance of ongoing monitoring and research into this threat actor.
Description last updated: 2024-06-11T09:16:48.193Z