Rarog Trojan ‘Easy Entry’ For New Cryptomining Crooks, Report Warns

A malware family called Rarog is becoming an appealing and affordable entry point for hackers to run cryptocurrency mining campaigns, researchers say.

A malware family called Rarog is becoming an appealing and affordable tool for hackers to launch cryptocurrency mining attacks, researchers say. They say the Trojan is low priced, easily configurable and supports multiple cryptocurrencies, making it an appealing option for hackers.

Palo Alto Networks’ Unit 42 research team, which posted a blog on Wednesday after tracking Rarog for months, said the malware comes equipped with a number of features that give attackers the ability to download mining software and configure it with any parameters they wish. The Trojan has been primarily used to mine the Monero cryptocurrency, but it has the capability to mine other cryptocurrencies as well, according to the report.

“The Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the criminal underground,” said Unit 42’s post. “While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a cryptocurrency mining (operation). The malware has remained relatively unknown for the past nine months barring a few exceptions.”

Rarog recently came on the radar when security firm Flashpoint stated in a report earlier this week that criminals had been targeting the open-source e-commerce platform Magento with an array of malware families – including Rarog – since 2016. Hundreds of e-commerce sites were compromised as a result, with attackers stealing credit card numbers and injecting cryptominers, Flashpoint said.

“Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner,” according to Flashpoint’s report.

Unit 42 said that since June 2017, over 166,000 Rarog-related infections have been confirmed worldwide, mostly occurring in the Philippines, Russia and Indonesia.

The Rarog Trojan employs a number of techniques, according to Unit 42. For example, “It allows the attackers to perform a number of actions, such as downloading and executing other malware, levying DDoS attacks against others, and updating the Trojan, to name a few. Throughout the malware’s execution, a number of HTTP requests are made to a remote C2 server,” according to Unit 42’s report.

The malware also provides mining statistics to users, configures various processor loads for the running miner, and enables attackers to infect USB devices, as well as load additional DLLs on a victim’s system.

Persistence is another key feature of Rarog, and the malware uses multiple mechanisms to maintain persistence on the victim’s systems, including the use of the Run registry key, scheduled tasks, and shortcut links in the startup folder, according to Unit 42.
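The three autostart mechanisms listed above (Run registry keys, scheduled tasks, and shortcut links in the Startup folder) are the same places a defender audits when hunting for this kind of miner. The following is an added example, not code from Unit 42 or from the Rarog report: it runs simple detection logic over a constructed feed of endpoint events and correlates entries that point at the same executable, since an executable registered through several mechanisms at once is the pattern the paragraph describes. The event field names, the sample paths and the "user-writable location" heuristic are assumptions made for this example.

```python
"""Audit constructed Windows autostart telemetry for the three persistence
mechanisms attributed to Rarog: Run keys, scheduled tasks, Startup .lnk files.

Added example for this article. The records below are constructed, and the
field names (type, key, name, data, action, path, target) are an assumed
normalised schema, not any vendor's real event format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events; the .lnk target is assumed to have been resolved
# by the collector, since a raw file-create event would not carry it.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater", "data": r"C:\Users\bob\AppData\Roaming\svc\svc.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "Hidden", "data": "1"},
    {"type": "task_create", "name": r"\UpdateCheck",
     "action": r"C:\Users\bob\AppData\Roaming\svc\svc.exe --quiet"},
    {"type": "file_create",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk",
     "target": r"C:\Users\bob\AppData\Roaming\svc\svc.exe"},
    {"type": "file_create", "path": r"C:\Users\bob\Documents\report.docx",
     "target": None},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorTray", "data": r"C:\Program Files\VendorApp\tray.exe"},
]

# Run and RunOnce keys under CurrentVersion, for both HKCU and HKLM.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Shortcut files dropped in a Startup folder.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
                            re.IGNORECASE)
# Heuristic (assumption): binaries launched from user-writable locations are
# far more suspicious as autostart entries than ones under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\",
                              re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    mechanism: str   # "run_key", "scheduled_task" or "startup_lnk"
    target: str      # lower-cased path of the executable that gets launched
    detail: str      # where the autostart entry lives


def _first_exe(command: str) -> str:
    """Return the executable from a command line, dropping arguments."""
    m = re.match(r'"?([^"]+?\.exe)"?', command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()


def audit_persistence(events):
    """Flag autostart entries that launch binaries from user-writable paths,
    plus any shortcut created in a Startup folder."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            exe = _first_exe(ev["data"])
            if USER_WRITABLE_RE.search(exe):
                findings.append(Finding("run_key", exe, ev["key"] + "\\" + ev["name"]))
        elif kind == "task_create":
            exe = _first_exe(ev["action"])
            if USER_WRITABLE_RE.search(exe):
                findings.append(Finding("scheduled_task", exe, ev["name"]))
        elif kind == "file_create" and STARTUP_LNK_RE.search(ev["path"]):
            exe = _first_exe(ev["target"]) if ev.get("target") else ""
            findings.append(Finding("startup_lnk", exe, ev["path"]))
    return findings


def layered_persistence(findings, min_mechanisms=2):
    """Group findings by launched executable and report those registered
    through several autostart mechanisms at once."""
    by_target = defaultdict(set)
    for f in findings:
        if f.target:
            by_target[f.target].add(f.mechanism)
    return {t: sorted(m) for t, m in by_target.items() if len(m) >= min_mechanisms}


if __name__ == "__main__":
    hits = audit_persistence(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.mechanism}] {h.target} via {h.detail}")
    for exe, mechanisms in layered_persistence(hits).items():
        print(f"layered persistence: {exe} -> {', '.join(mechanisms)}")
```

Run against the constructed feed, the Documents file and the Program Files Run entry produce nothing, while svc.exe shows up under all three mechanisms and is reported as layered persistence; removing only one of the three entries would leave the binary restarting from the others, which is the point of the multiple-mechanism design.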

“As with other types of cryptojacking malware, Rarog is designed to be persistent,” Troy Mursch, a security researcher at Bad Packets Report, told Threatpost. “You can’t simply kill the process.”

In addition, the malware is affordable, said Unit 42 researchers – it sells for about $104 on underground forums. “Additionally, a guest administration panel is provided to allow potential buyers the chance to do a ‘test drive’ by interacting with the interface,” according to Unit 42.

The easy entry comes at a cost for criminals – Unit 42 researchers said that they have seen very little recorded profit from Rarog malware attacks, with the highest profit observed amounting to roughly $120.

Malicious cryptocurrency mining has spiked dramatically over the past year. In February researchers said they found cryptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency. In the same month, more than 4,200 websites, including many run by the U.K. and U.S. governments, were infected by a Monero cryptocurrency miner delivered through a hosted accessibility service.

Looking ahead, Mursch said that he sees Rarog killing off other forms of cryptojacking malware. “We’ve seen this behavior before… to maximize the CPU resources available to Rarog for cryptocurrency mining… while preventing any ‘competitors’ from using the affected device. This is simply done by checking system processes for known strings,” he said.
