Rival cryptomining gangs warring over unsecure Linux servers

Pacha Group’s malware goes toe-to-toe with Rocke for maximum computing power to launch mining attacks

Image of a fighter getting ready for a boxing match

A cryptocurrency mining group is "aggressively" targeting a key rival as it attempts to gain a greater foothold on cloud-based environments as a platform for launching more effective attacks.

Researchers have learned that Pacha Group, discovered only in February, is targeting Linux servers on a broader scale, suggesting cloud-based environments are increasingly becoming a target for malicious actors.

But these cyber criminals are also targeting rival cryptocurrency mining groups; specifically channelling efforts into disrupting the operations of a similar collective known as Rocke Group. The latter is also known to target cloud environments.

The main malware infrastructure used by Pacha Group appears to be identical to previous campaigns, although there's a "distinguishable effort" to detect and mitigate Rocke Group implants, according to Intezer.

Rocke is one of the most prominent cryptocurrency mining outfits and has run a variety of campaigns in previous months, most recently targeting Linux servers with mutatable malware in January.

Pacha, by comparison, is smaller and newer, active since September 2018, but far more aggressive. Its malware strain, dubbed Linux.GreedyAntd, uses a variety of techniques to disable or eliminate other strains implanted by rival groups on infected servers. The wider aim is to gain the largest foothold of computing power possible for cryptomining activities.

"We have presented evidence that Pacha Group is targeting cloud-based environments and being especially aggressive towards Rocke Group," said security researcher Nacho Sanmillan.

"We have based this conclusion on the process blacklist used by Pacha Group and the newly added IP blacklist which contains Rocke Group correlated artefacts.

"We have also provided a YARA rule in order to detect Pacha Group's Linux.GreedyAntd implants based on reused code among the implants are attempting to displace each other."

Intezer researchers added that while threats to cloud infrastructure are increasing, detection rates of Linux-based malware remains low. The security industry, the firm added, must do more collectively to effectively mitigate these threats.

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021
CISA warns of ongoing Accellion File Transfer Appliance attacks
hacking

CISA warns of ongoing Accellion File Transfer Appliance attacks

25 Feb 2021
What is a Trojan?
Security

What is a Trojan?

25 Feb 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
Oxford University COVID lab falls victim to hackers
hacking

Oxford University COVID lab falls victim to hackers

26 Feb 2021
Npower shuts down app after hackers steal user data
hacking

Npower shuts down app after hackers steal user data

25 Feb 2021