Raróg Crypto-Miner Allows Affordable Criminality

A cryptocurrency miner Trojan that goes by the name Raróg (a fire demon that originates in Slavic mythology) continues to proliferate, mining unsuspecting victim machines for Monero and other virtual currencies. Its most unusual characteristic is how cheap it is.

Palo Alto Networks’ Unit 42 researchers, which have been following Raróg for months, said that to date, there are roughly 2,500 unique samples in the wild, connecting to 161 different command-and-control (C&C) servers. The firm has confirmed more than 166,000 Raróg-related infections worldwide, mostly in the Philippines, Russia and Indonesia.

Interestingly, the Trojan comes equipped with a number of features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices and the ability to load additional dynamic-link libraries (DLLs) on the victim. In addition to coin mining, Raróg also employs a number of botnet techniques, including the ability to download and execute other malware, levying distributed denial-of-service (DDoS) attacks against others and updating the Trojan, to name a few.

Despite all this, Raróg provides an affordable way for new criminals to get into the game. Available on various Russian-speaking criminal underground sites, it sells for just $104 at today’s exchange rates.

“The Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the criminal underground,” the researchers said in a blog. “While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a cryptocurrency mining botnet. The malware has remained relatively unknown for the past nine months barring a few exceptions. As the value of various cryptocurrencies continues to remain high, it is likely that we’ll continue to see additional malware families with mining functionality surface.”