For the past few months, Unit 42 researchers of Palo Alto Networks have investigated a relatively unknown coin mining Trojan that goes by the name ‘Rarog’.
Rarog has been sold on various underground forums since June 2017 and has been used by countless criminals since then. To date, Palo Alto Networks has observed roughly 2,500 unique samples, connecting to 161 different command and control (C2) servers.
Rarog has been seen primarily used to mine the Monero cryptocurrency, however, it has the capability to mine others. It comes equipped with a number of features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices, and the ability to load additional DLLs on the victim.
Rarog is in line with the overall trends we’ve seen regarding the rapidly increasing use of cryptocurrency miners. Additionally, Rarog provides an affordable way for new criminals to gain entry into this particular type of malware.
To date, we have confirmed over 166,000 Rarog-related infections worldwide. The majority of these occur in the Philippines, Russia, and Indonesia. While a large number of infections have been recorded by various criminals who have used this mining Trojan, we have seen very little recorded profits: the highest profits we have observed amount to roughly US $120.
The Trojan itself is likely named after a “Raróg”, a fire demon that originates in Slavic mythology and is typically represented as a fiery falcon.
In addition to coin mining, Rarog also employs a number of botnet techniques. It allows the attackers to perform a number of actions, such as downloading and executing other malware, levying DDoS attacks against others, and updating the Trojan, to name a few. Throughout the malware’s execution, a number of HTTP requests are made to a remote C2 server.
Rarog is able to provide telemetry those that have purchased it using the third-party MinerGate mining service. A number of MinerGate API keys were able to be retrieved, however, the profits made by these attackers were minimal at best. The most profitable attacker was found to generate roughly 0.58 Monero (XMR), and 54 ByteCoin (BCN). By today’s exchange rates, this amounts to $123.68 total. After factoring in the cost of the malware itself at $104, the attackers in question have generated very little income. In most cases, they’ve lost money.
The Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the criminal underground. While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a cryptocurrency mining botnet. The malware has remained relatively unknown for the past nine months barring a few exceptions. As the value of various cryptocurrencies continues to remain high, it is likely that we’ll continue to see additional malware families with mining functionality surface.
Palo Alto Networks customers are protected against this threat in the following ways:
- All samples referenced in this blog post are appropriately marked as malicious in WildFire and Traps
- All domains used as C2 servers for Rarog are flagged as malicious
- Tracking of the Rarog malware family may be done through the AutoFocus Rarog tag