Thanks to Monero, there has been an increase in the adoption of remote mining by criminals. From ransomware to miners, criminals have been looking for easier ways to monetize their activities, and with easy-to-implement infection methods on offer, there has been a surge in criminal activity across networks.
Rarog is one such example: its creators provide multiple options for mining various cryptocurrencies, and they offer this solution at a very cheap price, which has lured hackers and criminals in hordes and in turn produced a huge rise in the number of infections across the globe.
According to the research, the Philippines and Indonesia are the worst hit; however, eScan's multi-layered approach to securing endpoints has been instrumental in preventing such attacks. eScan detects Rarog as Trojan.GenericKD.30435309.
Assessment of Rarog:

Remote Access
- Reads terminal service related keys (often RDP related)
- Uses network protocols on unusual ports

Spyware
- POSTs files to a web server

Persistence
- Modifies auto-execute functionality by setting/creating a value in the registry
- Spawns a lot of processes
- Writes data to a remote process

Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID

Evasive
- Tries to sleep for a long time (more than two minutes)

Spreading
- Opens the MountPointManager (often used to detect additional infection locations)

Anti-Detection / Stealth
- Creates a resource fork (ADS) file (often used to hide data)
- Queries kernel debugger information
- Queries process information
- Terminates other processes using tskill/taskkill
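Several of the behaviours in the assessment above (an auto-run registry value, an alternate data stream, a parent process launching tskill/taskkill, traffic to unusual ports) are visible to an endpoint telemetry source such as Sysmon. The following is an added example written for this page, not eScan's own detection logic: it runs a handful of constructed, Sysmon-like event records through simple rules and attributes each hit back to the acting process. The field names (`id`, `image`, `parent`, `target`, `dst_port`) and all sample paths and addresses are assumptions made for the example.

```python
"""Flag Rarog-style behaviours from the assessment in Sysmon-like event records.

Added example for this page; the event field names and sample data are
constructed for illustration and do not come from a real infection.
"""
import re
from collections import defaultdict

# Constructed sample records. Event ids follow Sysmon conventions
# (1 = process create, 3 = network connection, 11 = file create,
# 13 = registry value set); field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "cmdline": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"id": 13, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "target": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"id": 11, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "target": r"C:\Users\victim\AppData\Roaming\cfg.dat:hidden"},
    {"id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "parent": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "cmdline": "taskkill /F /IM other.exe"},
    {"id": 3, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "dst_ip": "203.0.113.10", "dst_port": 14444},
    # Benign-looking records that must not be flagged.
    {"id": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]

# Auto-execute locations under the per-user or machine hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# An ADS path looks like "C:\dir\file.ext:stream"; the drive-letter colon
# at position 1 is excluded so ordinary paths do not match.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]+:[^:\\]+$")
# Ports a workstation is expected to talk to; anything else is "unusual".
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}
KILL_TOOLS = ("taskkill.exe", "tskill.exe")


def classify(event):
    """Return (actor, category, reason) tuples for one event; [] if nothing matches."""
    hits = []
    img = event.get("image", "")
    if event["id"] == 13 and RUN_KEY_RE.search(event.get("target", "")):
        hits.append((img, "Persistence",
                     "auto-run value set: " + event["target"]))
    if event["id"] == 11 and ADS_RE.match(event.get("target", "")):
        hits.append((img, "Anti-Detection / Stealth",
                     "ADS created: " + event["target"]))
    if event["id"] == 1 and img.lower().endswith(KILL_TOOLS):
        # Attribute the kill to the parent that launched the tool.
        actor = event.get("parent", img)
        hits.append((actor, "Anti-Detection / Stealth",
                     "spawned " + event.get("cmdline", img)))
    if event["id"] == 3 and event.get("dst_port") not in COMMON_PORTS:
        hits.append((img, "Remote Access",
                     f"connection to unusual port {event['dst_port']}"))
    return hits


def triage(events):
    """Group hits by acting process image: {image: {category: [reasons]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for actor, category, reason in classify(ev):
            report[actor][category].append(reason)
    return {actor: dict(cats) for actor, cats in report.items()}


if __name__ == "__main__":
    for actor, cats in triage(SAMPLE_EVENTS).items():
        print(actor)
        for category, reasons in cats.items():
            for reason in reasons:
                print(f"  [{category}] {reason}")
```

A process that accumulates hits in more than one category is a far stronger signal than any single rule; the benign records in the sample produce no output at all, which is the property to preserve when tuning `COMMON_PORTS` or adding rules for the other behaviours in the list (machine GUID reads, long sleeps, MountPointManager access).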
For further information: read the eScan blog
Advisory:
- Keep your antivirus software constantly updated; this protects you from all types of threats arriving over the network.
- Make sure you download apps and updates from the Google Play Store or official websites.
- Download apps only from trusted sites and check their user ratings before downloading.
- Make sure all the basic software on your system is up to date, such as Oracle, Java, and Adobe products.
- Follow the 3-D security policy in organizations: understand the requirements to decide on a suitable security policy, train your staff on the policy, and finally implement the policy.
- Make sure you either implement MailScan at the gateway level or enable Mail Anti-Virus on the endpoint in order to block extensions such as *.EXE, *.SCR, *.JS, *.VBE, etc., since such attachments can infect your system.
- eScanAV Anti-Virus Toolkit (MWAV) is a FREE utility that enables you to scan and clean Viruses, Spyware, Adware and any other Malware that may have infected your computer.
- Regularly back up all your important files.