The newly discovered Rarog cryptomining Trojan mines the Monero cryptocurrency and has infected around 166,000 victims around the world, and it keeps spreading through various methods.
The Rarog Trojan has been sold on various underground forums since June 2017, and countless cybercriminals have used it to compromise many victims.
Its primary purpose is to mine the Monero cryptocurrency, but it is also capable of mining other cryptocurrencies. Researchers discovered 2,500 unique samples connecting to 161 different command and control (C2) servers.
This cryptomining Trojan is distributed with various interesting features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices, and the ability to load additional DLLs on the victim.
Most of the infected machines are in the Philippines, Russia, and Indonesia. This mining Trojan is used by various cybercriminals, and each criminal earned up to US $120.
Underground Russian Forum
Since 2017 it has been distributed on various Russian underground sites, and this cryptomining Trojan sells for US $104.
Buyers also have the chance to “test drive” the Trojan by accessing the guest administration panel and its user interface.
Two Twitter handles are also shown in the administration panel, and both have posted various postings about this malware family.
Rarog Cryptomining Trojan Family Distribution
This cryptomining Trojan uses various advanced techniques to avoid detection and multiple mechanisms to maintain persistence.
There are two main ways it infects victims in order to mine Monero and download other cryptomining Trojans.
During the installation routine phase, once it has entered the victim machine, it communicates with its command and control server to download the necessary files.
According to Palo Alto Networks, the Trojan’s capabilities include downloading and executing other malware, levying DDoS attacks against others, and updating the Trojan, to name a few. Throughout the malware’s execution, a number of HTTP requests are made to a remote C2 server.