Unlucky dip: This malware delivers either ransomware or cryptocurrency mining software to your PC

Rakhni Trojan has evolved to examine the infected PC to determine which form of malware will be best to install.
Written by Danny Palmer, Senior Writer

An ever-evolving form of malware has added a new tactic which sees it choose to deliver ransomware or a cryptojacker depending on the circumstances of the infected victim.

If an infected computer contains a bitcoin wallet, the malware installs file-encrypting ransomware. If there is no pre-existing cryptocurrency folder and the computer is capable of mining cryptocurrency, a miner is downloaded and installed instead, exploiting the PC's processing power to generate cryptocurrency for the attackers.

The cryptocurrency miner is the latest addition to Rakhni Trojan, a malware family that has existed since 2013 and has continually evolved over its five-year existence. It appears that those behind the malware are looking to exploit the rise of cryptocurrency mining malware while also combining it with their traditional attacks.

"It's just another example of the cynical attitude of criminals to their victims. They will in any case try to benefit from the victim: by direct extortion of money or by unauthorized use of user resources for their own needs," Orkhan Mamedov, malware analyst at Kaspersky Lab, told ZDNet.

Researchers at Kaspersky Lab have been analysing Rakhni since it first emerged and have detailed its recent addition of a cryptocurrency miner.

Like many cyber attacks, the Rakhni campaign begins with a phishing email sent out to potential victims. This particular campaign focuses on Russia, with over 95 percent of victims in the country and the spam emails written in Russian.


In this instance, the emails are designed to look like messages concerning financial documents and carry a Microsoft Word attachment in which a malicious payload is waiting. The user is encouraged to enable editing so that the malicious macros the payload relies on are allowed to run.

The victim is then encouraged to open an embedded PDF. No PDF is launched; a malicious executable runs instead and the user's computer becomes infected with the malware. An error message is displayed so that the user does not become suspicious about the PDF failing to open.

Once installed, Rakhni performs environmental checks on the compromised computer to decide whether to install ransomware or a miner.

If a cryptocurrency wallet is already on the computer, ransomware is downloaded and executed on the machine, but only after the system has been idle for two minutes. The result is files encrypted and given a '.neitrino' extension.
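As an added defender-side example (not code from the article or from Kaspersky Lab's research), the following Python detector flags a host when several files are renamed to the '.neitrino' extension reported above within a short window, which is the file-system symptom of this ransomware stage. The endpoint rename-event log format, host names and paths are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rename events from a hypothetical endpoint sensor (not real telemetry).
SAMPLE_EVENTS = r"""
2018-07-05T10:00:01 host=PC-17 action=rename src=C:\Users\ivan\Docs\report.docx dst=C:\Users\ivan\Docs\report.docx.neitrino
2018-07-05T10:00:02 host=PC-17 action=rename src=C:\Users\ivan\Docs\budget.xlsx dst=C:\Users\ivan\Docs\budget.xlsx.neitrino
2018-07-05T10:00:02 host=PC-17 action=rename src=C:\Users\ivan\Photos\img1.jpg dst=C:\Users\ivan\Photos\img1.jpg.neitrino
2018-07-05T10:00:03 host=PC-17 action=rename src=C:\Users\ivan\Photos\img2.jpg dst=C:\Users\ivan\Photos\img2.jpg.neitrino
2018-07-05T10:00:04 host=PC-17 action=rename src=C:\Users\ivan\Photos\img3.jpg dst=C:\Users\ivan\Photos\img3.jpg.neitrino
2018-07-05T10:30:00 host=PC-22 action=rename src=C:\Users\olga\notes.txt dst=C:\Users\olga\notes.txt.neitrino
2018-07-05T11:00:00 host=PC-22 action=rename src=C:\Users\olga\a.txt dst=C:\Users\olga\a.bak
"""

# Assumed log line layout: ISO timestamp, then key=value fields without spaces in paths.
LINE_RE = re.compile(r"^(\S+) host=(\S+) action=(\S+) src=(\S+) dst=(\S+)$")
RANSOM_EXT = ".neitrino"  # extension the article attributes to Rakhni's ransomware payload


def parse_events(text):
    """Parse log text into (timestamp, host, action, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, action, src, dst = m.groups()
        events.append((datetime.fromisoformat(ts), host, action, src, dst))
    return events


def detect_neitrino_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {host: peak_count} for hosts with >= threshold renames to .neitrino inside any sliding window.

    A single rename is weak evidence; a burst of them is the signature of bulk encryption.
    """
    per_host = defaultdict(list)
    for ts, host, action, _src, dst in events:
        if action == "rename" and dst.lower().endswith(RANSOM_EXT):
            per_host[host].append(ts)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    print(detect_neitrino_bursts(parse_events(SAMPLE_EVENTS)))  # {'PC-17': 5}
```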

Victims are presented with a ransom note written in Russian which demands payment within three days and gives an email contact address for the attacker.


The Rakhni ransom note - with annotation from researchers.

Image: Kaspersky Lab

"The ransom note warns the victim that using third-party decryptors can corrupt files and even the original decryptor would not be able to decrypt them. The last sentence of the ransom note informs the victim that all requests will be processed by an automatic system," said Mamedov.

However, despite this threat, decryption tools for Rakhni are available.


If no wallet is on the machine, a miner is downloaded instead. It appears to exploit the victim's processor to provide the attackers with either Monero or Dashcoin, both of which are much simpler to mine than bitcoin and offer additional anonymity.

In order to disguise the miner as a trusted process, the attacker signs it with a fake Microsoft Corporation certificate.

In the event that conditions on the compromised machine aren't deemed acceptable for either installing ransomware or a miner, Rakhni has another trick up its sleeve: it uses a worm-like function in an effort to copy itself onto other machines on the network and unleash its malicious operations from there.

Despite a downturn in infections, ransomware is still a successful means for cyber criminals to make money -- but the addition of the miner demonstrates that those behind Rakhni are open to new attack techniques, especially when they are as subtle as mining.

"We think the criminals chose to mine selected cryptocurrencies because of two main reasons: they are profitable while mining on CPU and they provide high anonymity," said Mamedov.

"The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals," he added.
