Palo Alto Networks believes Rarog (named after a fiery falcon from Slavik mythology) may be a new variant of the DiscordiaMiner cryptominer.
Palo Alto Networks believes Rarog (named after a fiery falcon from Slavik mythology) may be a new variant of the DiscordiaMiner cryptominer.

Three leading cybersecurity research teams separately released reports today about recent malicious cryptomining activity -- one revealed the compromise a major ad platform, another analyzed an emerging malware that infected at least 166,000 users worldwide, and a third focused on a large crop of Android-based miners.

AOL Ad Platform Compromised

Adversaries last month modified the script of an AOL advertising platform in order to infect visitors to MSN.com and other websites with a cryptocurrency miner. Researchers from Trend Micro who uncovered the plot believe this is part of a larger overall campaign that has compromised more than 500 websites.

According to a Trend Micro  blog post authored by researchers Chaoying Liu and Joseph Chen, the miner, identified as COINMINER_COINHIVE.E-JS, resulted in the company observing a 108 percent increase in unique web miner detections from Mar. 24 - 25. Its JavaScript code is reportedly based on Coinhive and uses private web mining pools, "which is typically done to avoid paying fees established for public pools," the post explains.

Visitors to the MSN home page and other sites using the ad platform did not have to interact with the ad for the malware to begin stealing their resources to mine digital currency. The operations would cease after they closed the web page. AOL removed the injected miner on Mar. 27, Trend Micro reports.

The huge increase in web miner traffic was linked to a malicious domain created on Mar. 18, although there are at least four other domains associated with the malicious script since 2017 -- a key indication that the latest attack was just on in a recent series.

Trend Micro believes that the AOL platform may have been compromised via publicly configured, unsecured Amazon Web Service (AWS) S3 buckets -- the same method that the attackers apparently used to compromise other websites and platforms during their ongoing campaign.

Analysis: Rarog Miner could be descendant of DiscordiaMiner

A relatively obscure cryptocurrency miner called Rarog has infected over 166,000 users worldwide since June 2017, but doesn't appear to have made much money for cybercriminals who bought it off dark web marketplaces.

In fact, some appear to have lost money on the deal, according to Unit 42 researchers from Palo Alto Networks. In a blog post, the company notes that a study of Rarog's observable telemetry readings shows that the largest sum earned by any known user was the U.S. equivalent of approximately $120. That's barely more than the total cost of the malware itself, which was seen priced at $104 on underground sites.

Unit 42 believes Rarog (named after a fiery falcon from Slavik mythology) may be a new variant of the DiscordiaMiner cryptominer, whose author open-sourced the code after he was reportedly accused of substituting users' cryptocurrency wallet addresses with his own. The researchers note that the timing of Rarog's emergence, just once month after DiscordiaMiner was last updated in May 2017, is likely not a coincidence.

"Based on this information, as well as the heavy code overlap made between the malware families, I suspect that [the author] re-branded DiscordiaMiner to Rarog and continued development on this newly named malware family," concludes the blog post. "This re-branding allowed him to get away from the negativity that was associated with DiscordiaMiner."

The miner does offer various features for prospective buyers, including stat tracking, multiple persistence mechanisms, the configuration of processor loads for the running miner, and the ability to infect USBs. While its primary purpose is mining Monero, Rarog can also target other currencies and execute a wide range of other botnet functions, including downloading executing additional malware and conducting distributed denial of service attacks.

Researchers also observed an administration panel that lets buyers try out the malware's interface displays two Twitter handles, one of which, "foxovsky," was connected back to a GitHub repository that hosts other malware families. Altogether, they found 161 command-and-control servers communicating with the Rarog malware family.

According to Unit 42, the majority of the cryptominer's victims reside in the Philippines, Russia and Indonesia, and over the last nine months the malware family's busiest activity was between late August to late September of last year.

Kaspersky Uncovers Android-based Cryptominers

A new Kaspersky Lab blog post asserts that cybercriminals are increasingly gravitating toward Android-based cryptominers -- and to back up this notion, the company exposed a variety of mobile applications as malicious miners.

Authored by researcher , the report groups the Android-based miners into several categories, including ones using the CoinHive software development kit that pose as popular apps and games, but did not properly function other than to show ads and mine coins. "In particular, we unearthed counterfeit versions of Instagram, Netflix, Bitmoji, and others," writes Unuchek, noting these malicious apps, identified as RiskTool.AndroidOS.Miner, were distributed via forums and third-party stores.

A separate category of miners that also masqueraded as games and programs -- including a "Zombie Fun" game, a discounts aggregator and a program called "Crypto Mining for Children" -- were based off of web frameworks such as Thunkable, Cordova, Andromo and B4A.

Kaspersky also found 23 once-legitimate apps that were affected by the cryptominer Trojan.AndroidOS.Coinge. Interestingly, the cybercriminals actually "added the malicious code to the code of other SDKs used by the app. That way, the app runs a library that does the mining," the report states, adding that researchers also detected a modification of the trojan that "does away with the need for a library" because it "adds its code to all web pages it opens."

The most common miners Kaspersky researchers found were hidden in apps for watching soccer videos, with the most popular installed 100,000+ times.

Kaspersky also found:

  • Miners that evolved from the Trojan.Clicker and Ubsob click fraud malware families.
  • Trojan.AndroidOS.Coinge.j, a miner that installs itself as a porn app or Android system app and actively monitors the device's battery and temperature to ensure that mining activities don't cause it to overheat and catch fire.
  • Another battery and temperature-monitoring miner that was installed more than 50,000 under the guise of the Vilny.net VPN app for establishing a VPN connection.