Cryptojacking malware gets past cloud security programs by uninstalling them

Palo Alto Networks says this type of evasive technique is likely to keep popping up.
Fake coins with the Monero logo. (Getty)

Why break through a barrier if you can just remove it?

A piece of cryptojacking malware observed by Palo Alto Networks researchers is equipped to completely uninstall cloud security services from Linux-based servers before carrying out its malicious coin-mining.

In a report published Thursday, Palo Alto Networks’ Unit 42 research team said the malware is spread by the cyberthreat group “Rocke,” whose cryptojacking activity was initially documented by Cisco Talos. A Chinese-speaking threat actor, the Rocke group is known for using the computing power of infected Linux-based systems to mine the cryptocurrency Monero.

Whereas past versions of the Rocke group’s malware tried to evade detection by disabling only certain aspects of a cloud security service, the new variant simply removes the entire program, according to Palo Alto Networks. The researchers say Rocke added code that can gain administrative access on the infected server and uninstall five different cloud security and monitoring programs made by Chinese companies Tencent Cloud and Alibaba Cloud.

The products are:

  • Alibaba Threat Detection Service agent
  • Alibaba CloudMonitor agent
  • Alibaba Cloud Assistant agent
  • Tencent Host Security agent
  • Tencent Cloud Monitor agent

These types of products are installed to watch out for malware on public cloud infrastructures, and are often provided by the cloud providers themselves or by a third party. Experts have warned that cryptojackers are increasingly targeting cloud infrastructure for their mining.

“To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products,” the report says. “As with all security products, adversaries inevitably work to evade these systems to be able to achieve their ultimate goals.”

Malware analysis by Palo Alto Networks shows that the Rocke group essentially programmed its malware to follow Tencent Cloud and Alibaba Cloud’s official instructions to uninstall their security products, posted on their respective websites. This is done without having to compromise the security programs themselves, and clears the way for the cryptojacking to take place.
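Because the agents are removed through their own legitimate uninstall path rather than tampered with, a host-side defender gains little from watching the agents' integrity; what changes is that the agent simply stops existing. The following added example (not code from the Palo Alto Networks report or from Alibaba Cloud or Tencent Cloud) shows a fleet health check that flags exactly that outcome: it compares an inventory of expected security and monitoring agents against a `systemctl list-units` listing and scans a dpkg-style package log for removals of the watched packages. The agent and package names, and the log samples, are constructed placeholders, not the vendors' real identifiers.

```python
"""Detect that a host's cloud security/monitoring agents have been removed.

Added example, not code from the Palo Alto Networks report or the vendors.
Agent unit names, package names and log lines are constructed placeholders.
"""
from dataclasses import dataclass, field
import re

# Agents every host in this fleet is expected to run (assumed placeholder names).
EXPECTED_AGENTS = {
    "cloud-threat-detection-agent",   # stands in for a threat-detection agent
    "cloud-monitor-agent",            # stands in for a metrics/monitoring agent
    "cloud-assistant-agent",          # stands in for a remote-operations agent
}

# Constructed sample of `systemctl list-units --type=service --all` output
# taken after two of the three agents were uninstalled.
SAMPLE_UNITS = """\
  UNIT                                LOAD   ACTIVE SUB     DESCRIPTION
  cloud-monitor-agent.service         loaded active running Cloud Monitor Agent
  sshd.service                        loaded active running OpenSSH server daemon
  cron.service                        loaded active running Regular background program processing daemon
"""

# Constructed sample in /var/log/dpkg.log format showing the removals.
SAMPLE_DPKG_LOG = """\
2019-01-17 09:58:01 startup packages remove
2019-01-17 09:58:02 remove cloud-threat-detection-agent:amd64 1.2.3 <none>
2019-01-17 09:58:03 remove cloud-assistant-agent:amd64 2.0.1 <none>
2019-01-17 09:58:04 status not-installed cloud-assistant-agent:amd64 <none>
"""

# "<name>.service  loaded  <ACTIVE>  <SUB>" rows of the systemctl listing.
UNIT_RE = re.compile(r"^\s*(\S+)\.service\s+loaded\s+(\S+)\s+(\S+)", re.M)
# "<date> <time> remove <package>[:arch] ..." rows of dpkg.log.
DPKG_REMOVE_RE = re.compile(r"^(\S+ \S+) remove (\S+?)(?::\S+)? ", re.M)


@dataclass
class AgentReport:
    missing: set = field(default_factory=set)     # no unit at all
    inactive: set = field(default_factory=set)    # unit present but not active
    removals: list = field(default_factory=list)  # (timestamp, package) pairs

    @property
    def alert(self) -> bool:
        """True when any watched agent is gone, stopped, or logged as removed."""
        return bool(self.missing or self.inactive or self.removals)


def running_units(listing: str) -> dict:
    """Map service name -> (ACTIVE, SUB) from a systemctl list-units listing."""
    return {m.group(1): (m.group(2), m.group(3)) for m in UNIT_RE.finditer(listing)}


def package_removals(dpkg_log: str, watch: set) -> list:
    """Return (timestamp, package) for 'remove' events of watched packages."""
    return [(m.group(1), m.group(2))
            for m in DPKG_REMOVE_RE.finditer(dpkg_log) if m.group(2) in watch]


def check_agents(listing: str, dpkg_log: str, expected=EXPECTED_AGENTS) -> AgentReport:
    """Cross-check expected agents against live units and the package log."""
    units = running_units(listing)
    report = AgentReport()
    for agent in expected:
        if agent not in units:
            report.missing.add(agent)
        elif units[agent][0] != "active":
            report.inactive.add(agent)
    report.removals = package_removals(dpkg_log, expected)
    return report


if __name__ == "__main__":
    r = check_agents(SAMPLE_UNITS, SAMPLE_DPKG_LOG)
    print("ALERT" if r.alert else "ok")
    print("missing :", sorted(r.missing))
    print("inactive:", sorted(r.inactive))
    for ts, pkg in r.removals:
        print(f"removed : {pkg} at {ts}")
```

In practice the listing and log would be collected by an agent-independent channel (a cron job shipping to a central log store, or the cloud provider's own inventory API), since anything running on the host can be uninstalled the same way; the point of the check is that the absence of a security agent is itself an alertable event.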

“We believe this unique evasion behavior will be the new trend for malwares which target at public cloud infrastructure,” the report says.

Palo Alto Networks says Tencent Cloud and Alibaba Cloud addressed the Rocke group’s workaround in their own products after the researchers reached out.