Rocke

Threat Actor Profile Updated a month ago
Rocke, also known as the Iron Cybercrime Group, is a significant threat actor in the cybersecurity landscape. Identified by Talos in 2018, Rocke has been linked to various malicious activities, including the deployment of an ELF backdoor for financial gain. The group's primary motivation appears to be financial, using botnets and ransomware to achieve its objectives. Its operations have evolved over time, with increasing sophistication evident in its malware and attack vectors. One notable payload was UPX-packed and exhibited behavior similar to the file "dDNLQrsBUE.url" dropped by "TermsHost.exe". Despite targeting vulnerable Redis instances and performing worm-like operations, Rocke does not share known links with other threat actor groups that target Redis and deploy worms, such as Automated Libra (aka PurpleUrchin), Adept Libra (aka TeamTNT), Thief Libra (aka WatchDog), Money Libra (aka Kinsing), Aged Libra (aka Rocke), or Returned Libra (aka 8220). This distinct operating style further underlines Rocke's unique threat profile within the cybersecurity landscape. Rocke has also demonstrated interest in browser-based JavaScript mining through the tool CryptoNote and in browser-based exploitation via the Browser Exploitation Framework. These varied campaigns highlight the diverse infection vectors, malware, and infrastructure that the group is willing to employ to reach its goals. Evidence from GitHub suggests an affiliation between Rocke and Jiangxi Normal University, although the nature of this relationship remains unclear. The continuous evolution and diversification of Rocke's tactics underscore the importance of ongoing monitoring and research into this threat actor.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Iron Cybercrime Group | 2 | The Iron Cybercrime Group, also known as Rocke, is a notable threat actor in the cybersecurity landscape. This group is responsible for executing actions with malicious intent, typically driven by financial motivations. Threat actors like this can range from individuals to private companies or even
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Cybercrime
Exploit
Botnet
Malware
exploitation
Windows
Coldfusion
Redis
Github
Struts
Ransomware
Payload
Associated Malware
ID | Type | Votes | Profile Description
Money Libra | Unspecified | 1 | Money Libra, also known as Kinsing, is a malicious software (malware) that has been active since late 2021. This malware primarily targets cloud-native environments and applications such as Kubernetes clusters, Docker API, Redis, Jenkins and Openfire servers, and cloud-hosted Apache NiFi instances,
Kinsing | Unspecified | 1 | Kinsing is a type of malware, short for malicious software, that is designed to exploit and damage computer systems or devices. It typically infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt o
Associated Threat Actors
ID | Type | Votes | Profile Description
TeamTNT | Unspecified | 1 | TeamTNT, a threat actor group known for its malicious activities, has been implicated in a series of sophisticated attacks on Kubernetes, one of the most complex to date. The group is notorious for deploying malware, specifically the Hildegard malware, which was identified during a new campaign. The
Thief Libra | Unspecified | 1 | Thief Libra, also known as WatchDog, is a threat actor identified in the cybersecurity world for its malicious activities. The group's operations involve exploiting vulnerabilities to execute actions with harmful intent. A notable aspect of Thief Libra's modus operandi involves targeting Redis insta
Adept Libra | Unspecified | 1 | Adept Libra, also known as TeamTNT, is a malicious threat actor that has been active in cybersecurity breaches since at least July 2021. The group is known for its innovative use of tools such as LaZagne to steal passwords from various operating systems, including Linux distributions in cloud-based
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Rocke threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
InfoSecurity-magazine | a month ago | Chinese Hackers Leveraging 'Noodle RAT' Backdoor
Trend Micro | a month ago | Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups
Unit42 | a year ago | P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm
MITRE | a year ago | Rocke: The Champion of Monero Miners
MITRE | a year ago | Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows