Sunday, February 9, 2025
HomeCryptocurrency hackRarog Cryptomining Trojan Connecting to 161 Different Command and Control (C2) Servers...

Rarog Cryptomining Trojan Connecting to 161 Different Command and Control (C2) Servers & Compromise 166,000 Victims

Published on

SIEM as a Service

Follow Us on Google News

Newly discovered Rarog Cryptomining Trojan Mining Monero cryptocurrency and infected around 166,000 victims around the world that keep spreading by using various methods.

Rarog Trojan sold on the various underground forum since June 2017 and countless cybercriminals were used to compromise many victims.

Its primary target is to mine monero cryptocurrency but it also capable of mining other cryptocurrencies as well. Researchers discovered 2,500 unique samples, connecting to 161 different commands and control (C2) servers.

This Cryptomining Trojan distributing with various interesting futures such as f features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices, and the ability to load additional DLLs on the victim.

Most of the infected countries are Philippines, Russia, and Indonesia and this Mining Trojan used by various cyber criminals and each criminal earned up to the US $120.

Also Read: New Android Remote Access Trojan(RAT) Steals Photos, Contacts, SMS & Recording Phone Calls

Underground Russian Forum

Since 2017 it distributed various Russian underground site and this Cryptomining Trojan  selling the price US $104.

Also, Buyers can have a chance to do a “test drive” by accessing the guest administration panel with the user interface the Trojan.

Also, there are two Twitter handles shown in the administration panel and the both have posted various s postings for this malware family,.

Rarog Cryptomining Trojan Family Distribution

This Cryptomining Trojan using the variously advanced techniques to avoid detection and uses multiple mechanisms to maintain persistence.

There are two main ways it using to infect the victims to mining the monero and download other Cryptomining Trojan.

An installation routine phase once it entered into the victim machine it, communicate with its command & control server to download the necessary files.

Runtime phase helps to perform its persistence mechanism and Monero mining operation also it employs a number of botnet techniques.

According to Palo Alto Networks, downloading and executing other malware, levying DDoS attacks against others, and updating the Trojan, to name a few. Throughout the malware’s execution, a number of HTTP requests are made to a remote C2 server.

The Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the criminal underground. While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a cryptocurrency mining botnet. Researchers said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages "solanacore," "solana login," and "walletcore-gen" on npmjs target Solana developers with Windows...

PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner

Researchers observed a URL attempts to exploit a server-side vulnerability by executing multiple commands...

The Defender vs. The Attacker Game

The researcher proposes a game-theoretic approach to analyze the interaction between the model defender...