Rarog Cryptomining Trojan compromises 166,000 victims worldwide

A malware family called Rarog (named after a fire demon from Slavic mythology) is becoming an appealing and affordable tool for hackers launching cryptocurrency mining attacks, researchers say. The cryptocurrency mining Trojan is low priced, easily configurable and supports multiple cryptocurrencies, which makes it an attractive option for criminals.

The Rarog Trojan has been sold on various underground forums since June 2017, and countless cybercriminals have used it to compromise a large number of victims.

Palo Alto Networks’ Unit 42 research team, which posted a blog on Wednesday after tracking Rarog for months, said the malware comes equipped with a number of features that give attackers the ability to download mining software and configure it with any parameters they wish. The Trojan has been primarily used to mine the Monero cryptocurrency, but it has the capability to mine other cryptocurrencies as well, according to the report.

This cryptomining Trojan ships with several notable features, including providing mining statistics to its operators, configuring various processor loads for the running miner, the ability to infect USB devices and the ability to load additional dynamic-link libraries (DLLs) on the victim.

Researchers added that to date there are roughly 2,500 unique samples in the wild, connecting to 161 different command-and-control (C&C) servers. The firm has confirmed more than 166,000 Rarog-related infections worldwide, mostly in the Philippines, Russia and Indonesia.

“The Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the criminal underground,” said Unit 42’s post. “While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a cryptocurrency mining (operation). The malware has remained relatively unknown for the past nine months barring a few exceptions.”

In addition to coin mining, Rarog also employs a number of botnet techniques, including the ability to download and execute other malware, launch distributed denial-of-service (DDoS) attacks against other targets and update the Trojan itself, to name a few.