A new version of the Rakhni Trojan has added cryptocurrency mining to its feature set. In a new campaign discovered by Kaspersky researchers, a downloader installs either a cryptor or a miner on victim computers.
This ransomware family was first identified back in 2013 and has gone through numerous updates since then.
The latest attacks mainly affect users in Russia (over 95% of attacks worldwide), with users in Kazakhstan, Ukraine, Germany and India impacted to a lesser extent.
According to a Kaspersky Lab blog post, the malware is typically delivered via a spam campaign with an embedded malicious PDF document. When the user opens it, the malicious executable (the downloader) is launched.
After a series of system and environment checks, the downloader installs a fake root certificate that is used to sign subsequent malware executables. The fake certificates claim to be from Microsoft or Adobe to help evade detection.
In the next phase, the downloader decides whether to download the cryptor or the miner based on the presence of a cryptocurrency-application folder (i.e., %AppData%\Bitcoin). If the folder exists, the cryptor is installed. If the folder does not exist (and the system has more than two logical processors), the miner is downloaded.
With the cryptor option, the malware encrypts files using an RSA-1024 encryption algorithm.
Also notable: if the system has only one logical processor, the downloader instead propagates a worm component to other systems on the local network.
Kaspersky describes the worm threat:
“As one of its last actions the downloader tries to copy itself to all the computers in the local network. To do so, it calls the system command ‘net view /all’ which will return all the shares and then the Trojan creates the list.log file containing the names of computers with shared resources. For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user.”
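The worm stage described above leaves a recognisable trail in endpoint telemetry: a `net view /all` execution, creation of a `list.log` file, and a file written into a remote user's Startup folder over a `Users` share. The following added example (not code from the Kaspersky post) correlates those three stages per host over constructed sample events; the event tuples and host names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (host, event_type, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-01", "process", r"C:\Windows\System32\net.exe view /all"),
    ("WS-01", "file_create", r"C:\Users\alice\AppData\Local\Temp\list.log"),
    ("WS-01", "file_create",
     r"\\WS-07\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"),
    ("WS-02", "process", r"C:\Windows\System32\net.exe view /all"),  # lone share enumeration
    ("WS-03", "file_create", r"C:\Users\carol\Documents\list.log"),   # benign-looking file name
]

# Stage 1: share enumeration via "net view /all".
NET_VIEW_RE = re.compile(r"\bnet(?:\.exe)?\s+view\s+/all\b", re.IGNORECASE)
# Stage 2: the list.log file the downloader writes with discovered computer names.
LIST_LOG_RE = re.compile(r"\\list\.log$", re.IGNORECASE)
# Stage 3: a file dropped into a remote user's Startup folder via a UNC path on the Users share.
REMOTE_STARTUP_RE = re.compile(
    r"^\\\\[^\\]+\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows"
    r"\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)

def score_hosts(events):
    """Return {host: set(stage names)} for every host that shows at least one stage."""
    stages = defaultdict(set)
    for host, kind, detail in events:
        if kind == "process" and NET_VIEW_RE.search(detail):
            stages[host].add("enum_shares")
        elif kind == "file_create" and LIST_LOG_RE.search(detail):
            stages[host].add("list_log")
        elif kind == "file_create" and REMOTE_STARTUP_RE.search(detail):
            stages[host].add("remote_startup_drop")
    return dict(stages)

def flag_worm_hosts(events, min_stages=2):
    """Hosts with at least min_stages distinct stages, most stages first.
    A single stage (e.g. an admin running net view) is not enough to alert on."""
    scored = score_hosts(events)
    hits = {h: s for h, s in scored.items() if len(s) >= min_stages}
    return sorted(hits, key=lambda h: -len(hits[h]))
```

Requiring two or more stages keeps an administrator's lone `net view /all` or an unrelated `list.log` from raising an alert, while the remote Startup-folder write alone is worth a closer look in any environment.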
With the miner option, the Trojan creates a VBS script that launches processes to mine the Monero and Monero Original cryptocurrencies. It may also attempt to mine Dashcoin, depending on the presence of a certain file on the system.
The Trojan also attempts to disable Windows Defender if no other AV processes are found on the system.
Make sure your anti-malware solution can monitor for and detect the various Rakhni downloader, cryptor and miner components. The Rakhni detection verdicts and indicators of compromise (IoCs) are also listed in the blog post.