Rival cryptomining gangs warring over unsecure Linux servers

Pacha Group’s malware goes toe-to-toe with Rocke for maximum computing power to launch mining attacks

Image of a fighter getting ready for a boxing match

A cryptocurrency mining group is "aggressively" targeting a key rival as it attempts to gain a greater foothold on cloud-based environments as a platform for launching more effective attacks.

Researchers have learned that Pacha Group, discovered only in February, is targeting Linux servers on a broader scale, suggesting cloud-based environments are increasingly becoming a target for malicious actors.

Advertisement - Article continues below

But these cyber criminals are also targeting rival cryptocurrency mining groups; specifically channelling efforts into disrupting the operations of a similar collective known as Rocke Group. The latter is also known to target cloud environments.

The main malware infrastructure used by Pacha Group appears to be identical to previous campaigns, although there's a "distinguishable effort" to detect and mitigate Rocke Group implants, according to Intezer.

Rocke is one of the most prominent cryptocurrency mining outfits and has run a variety of campaigns in previous months, most recently targeting Linux servers with mutatable malware in January.

Pacha, by comparison, is smaller and newer, active since September 2018, but far more aggressive. Its malware strain, dubbed Linux.GreedyAntd, uses a variety of techniques to disable or eliminate other strains implanted by rival groups on infected servers. The wider aim is to gain the largest foothold of computing power possible for cryptomining activities.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"We have presented evidence that Pacha Group is targeting cloud-based environments and being especially aggressive towards Rocke Group," said security researcher Nacho Sanmillan.

"We have based this conclusion on the process blacklist used by Pacha Group and the newly added IP blacklist which contains Rocke Group correlated artefacts.

"We have also provided a YARA rule in order to detect Pacha Group's Linux.GreedyAntd implants based on reused code among the implants are attempting to displace each other."

Intezer researchers added that while threats to cloud infrastructure are increasing, detection rates of Linux-based malware remains low. The security industry, the firm added, must do more collectively to effectively mitigate these threats.

Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/security/cyber-security/355200/spacex-bans-the-use-of-zoom
cyber security

Elon Musk's SpaceX bans Zoom over security fears

2 Apr 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020