Brute-Force Attacks Used to Download Rarog Miner via Magento Sites

Cryptocurrency mining is on the rise, and parties interested in using miners are employing all kinds of methods to achieve success. In the past, we have reported miners that were introduced to users using an image of Ryan Gosling, a vulnerability that allowed infecting 500,000 Windows hosts, as well as security holes that enabled a world-wide attack by RubyMiner. Although more conventional kinds of malware are still being created and spread, there is no denying that more and more malicious parties are focusing all of their resources on miners because they can ensure better success rates. When a miner is activated, it uses up the affected system’s resources to mine cryptocurrency, which is a virtual currency that goes straight into the pocket of the said malicious parties. According to the latest findings, attackers have decided to exploit Magento, an open-source e-commerce platform, to mine Monero.


According to the findings of researchers at Flashpoint, at least 1,000 administration panels that belong to Magento were exploited using brute-force attacks. Remote attackers were found to use default Magento credentials to gain administrative rights. Unfortunately, it appears that the responsibility falls onto the heads of administrators themselves who, reportedly, have not been able to secure the credentials. If the attack manages to take full control of the site’s Magento CMS administration panel, they can add script without anyone’s notice. According to analysis, the attacker added malicious code to the core file, which permitted them to access sensitive information. This allowed cyber criminals to steal personal credit card information. A malicious file posing as the authentic Adobe Flash Player update was introduced for the attack, and this is the file that contained malicious code that would download AZORult, a malicious Trojan that would then be used to download anything that cyber criminals wanted. In most cases, the infection was used to download the cryptocurrency miner called “Rarog.”

It does not look like the attackers behind the Rarog have a specific target; however, it was found that among the victims, there have been quite a few from healthcare and education industries. Most victims were found in the United States, as well as countries in Europe. Although the victims are unlikely to notice or understand the activity of the AZORult Trojan because this threat is silent, and detecting it manually can be difficult, the activity of the Rarog miner should be much more noticeable. That is because once in action a miner depletes resources, which makes the system’s performance strained. In extreme cases, the computer could overheat and crash, which could cause damage to the hard drive. It is easy to check the performance levels via the “Performance” tab on the Task Manager. If the performance is anywhere over 50% without any known programs opened and running, it is important to check what is using the resources. Magento administrators can discover this when testing their services or when they get complaints from users.

All Magento administrators are advised to update the logins of their content management system logins. The victims of the security breaches should have been notified about it already, but even those admins who have not been affected by the brute-force attacks should update their passwords, which need to be complex enough to withstand attacks. Using a two-factor authentication system is recommended as well. If passwords are strong, and all security vulnerabilities are patched, Magento sites should be safe again. Of course, it is important to note that other e-commerce CMSs exist as well, including Powerfront CMS or OpenCart. These could be targeted in the same way as Magento sites. While Magento admins have to do their part, the users of these sites need to be careful as well. Opening random files – even if they pose as legitimate updaters – can be dangerous. Also, if the system is overloading, the issue needs to be investigated thoroughly. Finally, all users need to be cautious about the sites they use to purchase online goods.


Kremez, V., Bashir, A., Burbage, P. April 2, 2018. Compromised Magento Sites Delivering Malware. Flashpoint.
Trend Micro. April 4, 2018. Magento-Based Websites Hacked to Steal Credit Card Data and Install Cryptocurreny-Mining Malware. Trend Micro.