Two crypto-mining groups are fighting a turf war over unsecured Linux servers

War in the Cloud: The Rocke and Pacha groups are at each other's throats competing for vulnerable systems.
Written by Catalin Cimpanu, Contributor

Two hacker groups are fighting to take control over as many Linux cloud-based environments as they can so they can use server resources to mine cryptocurrency behind owners' backs.

This turf war has been going on quietly since late last year, ever since the rise of a new hacker group named Pacha, which has been fairly successful at challenging Rocke, the top hacker group specializing in Monero crypto-mining operations.

Both groups operate mass-scanning operations that look for open or unpatched cloud services and servers to infect them with a multi-functional Linux-based malware strain.

The more aggressive of the two is, by far, the smaller Pacha group, which adopted a strategy of removing a long list of known crypto-mining malware strains from each server it infected.

Using this approach, Pacha's operators have slowly carved out a sizable share of the crypto-mining scene.

Pacha going after Rocke

According to a report published today, the Pacha Group paid special attention to identifying and removing versions of Rocke's miner, most likely in an attempt to eat away at its rival's "market share."

This trick of removing competitors from infected servers is also present in the Rocke group's malware, according to Nacho Sanmillan, Intezer Labs security researcher.

"Although [Rocke] does try to eliminate some generic miners, it is a smaller set in comparison with what Pacha does," Sanmillan told ZDNet.
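The competitor-removal trick described above cuts both ways for defenders: when one group's miner kills another's, the only trace left on a host is often the surviving miner process itself. The script below is an added example, not code from the article, from Intezer, or from either group. It scores a Linux process listing (the output of `ps -eo pid,pcpu,args --no-headers`) against generic miner indicators: known miner binary names, stratum pool URLs, miner-specific command-line options, common pool ports, execution from a world-writable directory, and sustained high CPU. All indicator lists and the sample listing are constructed for illustration and are assumptions, not the actual IOCs of Rocke or Pacha.

```python
"""Hunt for crypto-miner processes in a Linux process listing.

Added example, not from the article or from Intezer. The indicators are
generic, illustrative assumptions; the sample `ps` output is constructed.
"""
import os
import re
from dataclasses import dataclass, field

# Constructed sample of `ps -eo pid,pcpu,args --no-headers` output (not real telemetry).
SAMPLE_PS = """\
   1   0.0 /sbin/init
 812   0.1 /usr/sbin/sshd -D
1504  97.3 /tmp/.X11-unix/xmrig -o stratum+tcp://pool.example.net:3333 -u 4ABC --donate-level=1
1620  88.9 /usr/bin/python3 /opt/app/worker.py
1777   2.4 java -jar /opt/atlassian/confluence/bin/tomcat.jar
2001  95.0 /var/tmp/minerd -a cryptonight -o pool.example.org:14444
"""

# Illustrative indicators (assumed, generic; not the groups' actual IOCs).
MINER_BINARIES = {"xmrig", "minerd", "cpuminer", "cpuminer-multi"}
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.I)
MINER_FLAG_RE = re.compile(r"--donate-level|(?:^|\s)-a\s+cryptonight|--algo[= ]|--coin[= ]")
PORT_RE = re.compile(r":(\d{2,5})(?!\d)")
FLAG_THRESHOLD = 3  # strong indicators alone flag; weak ones only in combination


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def score_process(pid: int, pcpu: float, args: str) -> Finding:
    """Score one process; strong indicators weigh 2-3, weak ones 1."""
    f = Finding(pid=pid, score=0)
    exe = args.split()[0]
    name = os.path.basename(exe)

    def hit(points: int, why: str) -> None:
        f.score += points
        f.reasons.append(why)

    if name in MINER_BINARIES:
        hit(3, f"known miner binary {name}")
    if STRATUM_RE.search(args):
        hit(3, "stratum pool URL on command line")
    if MINER_FLAG_RE.search(args):
        hit(2, "miner-specific CLI option")
    if any(int(p) in POOL_PORTS for p in PORT_RE.findall(args)):
        hit(1, "connects to a port commonly used by mining pools")
    if exe.startswith(WRITABLE_DIRS):
        hit(1, f"executable lives in a world-writable directory ({exe})")
    if pcpu >= 80.0:
        hit(1, f"sustained high CPU ({pcpu:.1f}%)")
    return f


def hunt(ps_output: str) -> list:
    """Parse `ps -eo pid,pcpu,args` output and return processes at or above the threshold."""
    findings = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, pcpu, args = int(parts[0]), float(parts[1]), parts[2]
        f = score_process(pid, pcpu, args)
        if f.score >= FLAG_THRESHOLD:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PS):
        print(f"pid {f.pid}: score {f.score}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample this flags pids 1504 and 2001 while leaving the busy but legitimate worker (pid 1620) alone, because high CPU on its own never reaches the threshold. Name matching is the weakest check, since miners dropped by these campaigns are routinely renamed; the pool-port, stratum and writable-directory checks are what catch a renamed binary, so feed the script live `ps` output rather than trusting process names.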

Currently, Rocke still has an advantage over Pacha because of the superiority of its malware, which recently gained the ability to uninstall cloud-based security products.

However, the Pacha Group is catching up quickly, having recently added an exploit for an Atlassian Confluence server vulnerability that is one of today's most exploited security flaws [1, 2, 3].

Crypto-mining groups like targeting the cloud

While crypto-mining operations initially targeted desktop users and standalone web or FTP servers, there was a paradigm shift at the start of 2018.

At the time, a large number of crypto-mining groups realized that the Linux and Windows servers that make up cloud infrastructure had access to far more processing power than isolated systems, and as a result they shifted their focus to cloud-based technologies such as Docker and Kubernetes.

Since then, crypto-mining groups have diversified their "exploit portfolio" to target other technologies typically found in cloud-based environments, such as Jenkins systems, Confluence servers, Apache Struts, JBoss, and others.

Seeing two botnets fight for their victims isn't novel. This happens all the time, especially with IoT botnets, which often compete for the same routers and IoT devices and often include mechanisms to sabotage competitors, and even patch devices so nobody else can hack them.

Seeing malware operations trying to sabotage each other is a tell-tale sign that the market is getting crowded -- which is no surprise since crypto-miners are one of today's most popular and most active malware categories.


