A cryptocurrency miner known as DiscordiaMiner, which made an appearance last year, appears to have now morphed into a new variant known as Rarog, the network and enterprise security company Palo Alto Networks claims. Rarog runs only on Windows.
The company said in a blog post that its Unit 42 — a team of security researchers — had observed about 2500 unique samples of Rarog which were connecting to 161 different command and control servers.
Rarog primarily mined the Monero cryptocurrency. It could report mining statistics to its users, configure various processor loads for a running miner, infect USB devices, and load additional DLLs on a victim's system.
The name came from a fire demon in Slavic mythology and was represented as a fiery falcon, the researchers said.
Rarog originated on various Russian-speaking underground sites in June last year and was being sold for 6000 roubles (about US$104). It had an admin panel for running a "test drive" of the malware and two Twitter handles had been noticed in this panel: arsenkooo135 and foxovsky.
Rarog's flow of execution.
It was the latter handle that enabled the Palo Alto researchers to make the connection with DiscordiaMiner. A blog post by Kaspersky Lab researchers last year had mentioned that the author of the malware had a similar handle.
"Looking at the source code to DiscordiaMiner, we see a large number of similarities with Rarog," the Palo Alto researchers wrote. "So many in fact, that we might reach the conclusion that Rarog is an evolution of DiscordiaMiner.
"Kaspersky's blog post discussed some drama concerning this particular malware family on various underground forums. Accusations were made against the trojan's author of substituting customers' cryptocurrency wallet addresses with his own.
"This dispute is what ultimately led foxovsky to open-source the DiscordiaMiner program on GitHub."
Since Rarog was first advertised in June 2017 and DiscordiaMiner was last updated in May 2017, the Palo Alto researchers concluded that, taken together with the heavy code overlap, "foxovsky rebranded DiscordiaMiner to Rarog and continued development on this newly named malware family. This re-branding allowed him to get away from the negativity that was associated with DiscordiaMiner".
They said that as the value of various cryptocurrencies continued to remain high, more and more miners would put in an appearance.
Graphics: courtesy Palo Alto Networks