Security researchers in Russia have found an unusual piece of malware that infects a system with either ransomware or a cryptocurrency miner, choosing between the two based on the machine's configuration and which of the two schemes is likely to be more profitable on that device.
Ransomware is a type of malware that locks down your computer and prevents you from accessing the encrypted data on the device, sometimes across a whole network, until you pay a ransom for the decryption key required to recover your files. The most well-known ransomware of late is WannaCry, a 2017/2018 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
Cryptocurrency mining, also known as cryptomining, is the process by which transactions for the various forms of cryptocurrency are verified and added to the blockchain digital ledger. Also known as altcoin mining, cryptocoin mining, or bitmining, cryptocurrency mining has grown both as a topic and as an activity as real-world use of cryptocurrency itself has grown exponentially in the last few years.
Ransomware has previously been the most effective way of attacking a user, but ransomware does not always guarantee a payout, especially if the victim has nothing important on their local disks. This has prompted a shift in cybercrime focus towards fraudulent cryptocurrency mining as a method of extracting money using victims' computers.
Researchers at Russian security firm Kaspersky Labs have discovered a new variant of the Rakhni ransomware family, which has now been upgraded to include bitmining capabilities and lets the malware choose which of the two attacks it will execute.
Written in the Delphi programming language, the Rakhni malware is being spread using spear-phishing emails with a Microsoft Word document attached which, if opened, prompts the victim to save the document and enable editing.
The document includes a PDF icon which, when clicked, launches a malicious executable on the victim's computer and immediately displays a fake error message box, tricking the victim into thinking that a system file required to open the document is missing.
How does it decide on a Mining or Ransomware attack?
In the background the malware performs a number of anti-VM and anti-sandbox checks to decide whether it can infect the system without being caught. If all conditions are met, the malware then performs further checks on the user's system to decide which payload to execute: ransomware or a miner.
1.) Installs Ransomware—if the target system has a ‘Bitcoin’ folder in the AppData section.
Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note via a text file.
2.) Installs cryptocurrency miner—if the ‘Bitcoin’ folder does not exist and the machine has more than two logical processors.
If the system is infected with the cryptocurrency miner, it uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background.
Besides this, the malware uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated, in an attempt to disguise the miner as a trusted process.
3.) Activates worm component—if there’s no ‘Bitcoin’ folder and just one logical processor.
This component lets the malware copy itself to all the computers on the local network that expose shared resources.
“For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user,” the researchers note.
Regardless of which payload is chosen, the malware checks whether any process from a list of known antivirus products is running. If no AV process is found on the system, the malware runs several cmd commands in an attempt to disable Windows Defender.
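The branching logic and the artefacts described above (the ‘Bitcoin’ folder and logical-processor checks, executables copied into per-user Startup folders over a shared Users folder, and root certificates installed via CertMgr.exe) translate directly into defender-side triage rules. The following Python script is an added example, not code from the Kaspersky write-up or from the malware: it models which branch the described decision logic would take for a host, and runs three simple detections over constructed telemetry (hostnames, file paths, thumbprints and the certmgr command line are all placeholders; the Startup path is the one quoted in the report). The two-logical-processor case without a ‘Bitcoin’ folder is not covered by the write-up, so the model reports it as unspecified rather than guessing.

```python
"""Triage helpers for the Rakhni-style behaviour described above.
All telemetry below is constructed for this example; hosts, paths and
thumbprints are placeholders, not indicators taken from the report."""
from dataclasses import dataclass

# Per-user Startup folder quoted in the report (compared case-insensitively).
STARTUP_SUFFIX = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".lower()
# Organisations the fake root certificates claim to have been issued by.
CLAIMED_VENDORS = ("microsoft corporation", "adobe systems incorporated")
# Placeholder allow-list; a real deployment fills this from a trusted baseline.
KNOWN_GOOD_ROOT_THUMBPRINTS = {"PLACEHOLDER-KNOWN-GOOD-THUMBPRINT"}


def predict_payload(has_bitcoin_folder: bool, logical_cpus: int) -> str:
    """Branch the described decision logic would take on a host.
    The report covers a Bitcoin folder (ransomware), no folder and >2 CPUs
    (miner) and no folder and exactly 1 CPU (worm); 2 CPUs is unspecified."""
    if has_bitcoin_folder:
        return "ransomware"
    if logical_cpus > 2:
        return "miner"
    if logical_cpus == 1:
        return "worm"
    return "unspecified"


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def flag_startup_drops(file_events):
    """Executables written into a user's Startup folder; the worm component
    drops its copy there via the shared Users folder, so a UNC path is noted."""
    out = []
    for ev in file_events:
        path = ev["path"].lower()
        if STARTUP_SUFFIX in path and path.endswith(".exe"):
            via_share = path.startswith("\\\\")
            out.append(Finding("startup_drop", ev["host"],
                               f"{ev['path']} (over SMB share: {via_share})"))
    return out


def flag_rogue_root_certs(cert_entries):
    """Self-signed Root-store certificates claiming Microsoft or Adobe as
    subject whose thumbprint is not in the trusted baseline."""
    out = []
    for c in cert_entries:
        subj = c["subject"].lower()
        claims_vendor = any(v in subj for v in CLAIMED_VENDORS)
        self_signed = c["subject"] == c["issuer"]
        if (c["store"] == "Root" and claims_vendor and self_signed
                and c["thumbprint"] not in KNOWN_GOOD_ROOT_THUMBPRINTS):
            out.append(Finding("rogue_root_cert", c["host"], c["subject"]))
    return out


def flag_certmgr_root_install(proc_events):
    """certmgr.exe invoked to add a certificate to the Root store."""
    out = []
    for p in proc_events:
        cmd = p["cmdline"].lower()
        if (p["image"].lower().endswith("certmgr.exe")
                and "-add" in cmd and " root" in cmd):
            out.append(Finding("certmgr_root_add", p["host"], p["cmdline"]))
    return out


def triage(telemetry):
    """Run all three rules and return the findings in rule order."""
    return (flag_startup_drops(telemetry["files"])
            + flag_rogue_root_certs(telemetry["certs"])
            + flag_certmgr_root_install(telemetry["procs"]))


# Constructed sample telemetry (hostnames, paths, thumbprints are placeholders).
SAMPLE = {
    "files": [
        {"host": "WS-02", "path": r"\\WS-02\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
        {"host": "WS-02", "path": r"C:\Users\alice\Documents\report.docx"},
    ],
    "certs": [
        {"host": "WS-01", "store": "Root", "subject": "CN=Microsoft Corporation",
         "issuer": "CN=Microsoft Corporation", "thumbprint": "PLACEHOLDER-NOT-IN-BASELINE"},
        {"host": "WS-01", "store": "Root", "subject": "CN=Contoso Internal CA",
         "issuer": "CN=Contoso Internal CA", "thumbprint": "PLACEHOLDER-2"},
    ],
    "procs": [
        # Constructed command line using certmgr.exe's documented -add/-s/-r switches.
        {"host": "WS-01", "image": r"C:\Windows\Temp\certmgr.exe",
         "cmdline": "certmgr.exe -add -c fake.cer -s -r localMachine root"},
    ],
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.rule, f.host, f.detail)
```

The rogue-certificate rule keys on the combination the report describes (a self-signed root claiming a major vendor that your baseline does not know about) rather than on the vendor name alone, so legitimate vendor roots that are in the baseline do not fire; in practice the thumbprint allow-list would come from a clean reference machine rather than the placeholder used here.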