
Roarur

Posted: October 31, 2014

Roarur is one of the backdoor Trojans preferred by a Chinese hacker group, dubbed Axiom, for compromising the networks of sensitively placed corporations and government entities. Although Roarur's most well-publicized attacks took place in 2013, Axiom may reuse variants and updated versions of its Trojans, and Roarur may continue to be a relevant threat in 2014. Roarur's capabilities, which are typical of most backdoor Trojans, allow third parties extensive access to an infected PC while producing few symptoms.

Roarur: a Trojan that Slams Open a Backdoor without So Much as a Roar

Roarur (with aliases including APT.9002, Naid, McRAT, Hydra and Mdmbot) is a backdoor Trojan that saw use in attacks against such targets as the US Department of Defense's contractors and Google. These 2013 campaigns used a combination of compromised websites and fraudulent e-mail attachments to install Roarur via exploits in Internet Explorer and Adobe Reader. However, Roarur has also been used in other circumstances and is known to exhibit significant structural differences between versions. The most notable of these confirmed by malware researchers is the existence of versions of Roarur that inject their bodies directly into memory without writing any files to the victim's hard drive.

As with most backdoor Trojans, Roarur hides on the infected PC while giving third parties remote access to it. Major functions within Roarur's capabilities may include downloading new threats, uploading stolen information or launching commands that modify your computer in harmful ways (such as disabling security functions). The same China-based organization responsible for Roarur also has confirmed associations with the Hikit rootkit, DestroyRAT, My Door, Breut and other threats used in backdoor attacks. In some cases, Roarur may be employed to install these additional threats. Meanwhile, the Trojan droppers responsible for Roarur may delete themselves to cover their tracks.

Keeping Chinese Trojans in China

Although there have been some incidents involving Internet Explorer's homepage being reset by Roarur, most variants of this Trojan avoid displaying any obviously visible attacks. For preemptive protection against Roarur's known infection methods, malware experts recommend that potential victims exercise appropriate discretion over e-mail attachments, update their software and use a safe Web browser. Removing Roarur after a successful infection should, as with most backdoor Trojans, be done with dedicated anti-malware utilities.

Roarur also is a showpiece of how Trojans may circumvent many 'common sense' methods of identifying threats. Between its use of misleading file names, its deletion of the files associated with its entry and its memory injections, Roarur may be difficult or impossible to detect by a simple, visual inspection of your hard drive. New releases of Roarur variants also mean that anti-malware products must be kept equally up-to-date to best identify Roarur.
