A relatively unknown cryptomining malware dubbed “Rarog” is giving cybercriminals an affordable way for entry level players to enter the field.
Named after a Slavic mythological fire demon, the malware is primarily used to mine Monero, but also has the capability to mine other currencies. To accomplish these tasks it employs several botnet techniques, such as, downloading and executing other malware, levying DDoS attacks against others, and being able to auto-update itself, according to an April 4, 2018 blog post.
Rarog also provides mining statistics to users, configures various processor loads for the running the miner, has the ability to infect USB devices, and can load additional DLLs onto a victim.
The malware was first noticed on different Russian-speaking criminal underground forums in June 2017 and is sold for 6,000 Rubles or roughly $104 at today's exchange rate.
Researchers identified 2,500 unique Raroq samples, connecting to 161 different command and control (C2) servers and confirmed over 166,000 Rarog-related infections worldwide, the majority of which were in the Philippines, Russia, and Indonesia.
The malware also offers a guest administration panel to allow potential buyers the chance to “test drive” the malware by interacting with its interface.
Researchers linked the malware to the twitter handles “arsenkooo135” and “foxovsky” and tied one of the handles to a Github repository that hosts various other malware families. Researchers said the evidence point to these two handles as the individuals behind the threat.