{"id":20571,"date":"2018-07-06T05:00:43","date_gmt":"2018-07-06T09:00:43","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=20571"},"modified":"2019-11-15T22:33:54","modified_gmt":"2019-11-15T11:33:54","slug":"rakhni-miner-cryptor","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/rakhni-miner-cryptor\/20571\/","title":{"rendered":"Rakhni Trojan: To encrypt and to mine"},"content":{"rendered":"<p>We recently <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/cryptominers-almost-double\/22898\/\" rel=\"noopener noreferrer nofollow\">posted<\/a> that ransomware is giving way to <a target=\"_blank\" href=\"https:\/\/securelist.com\/threats\/miner-glossary\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" rel=\"noopener noreferrer\">miners<\/a> at the top of the online threat rankings. In line with this trend, the Trojan ransomware Rakhni, which we\u2019ve been watching since 2013, has added a cryptocurrency mining module to its arsenal. What\u2019s interesting is that the malware loader chooses which component to install depending on the device it lands on. Our researchers figured out how the updated malware works and where the danger lies.<\/p>\n<p>Our products spotted Rakhni in Russia, Kazakhstan, Ukraine, Germany, and India. The malware is distributed mainly through spam mailings with malicious attachments. The sample that our experts studied, for example, was disguised as a financial document, which suggests that the cybercriminals behind it are primarily interested in corporate \u201cclients.\u201d<\/p>\n<p>A DOCX attachment in a spam e-mail contains what looks like an embedded PDF document. If the user enables editing and tries to open the \u201cPDF,\u201d Windows asks for permission to run an executable file from an unknown publisher: the embedded object is not a document at all but the malware loader. 
With the user\u2019s permission, Rakhni swings into action.<a target=\"_blank\" href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2018\/07\/06053149\/180706-rakhni-screenshot-1.png\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-20574\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2018\/07\/06053149\/180706-rakhni-screenshot-1.png\" alt=\"\" width=\"728\" height=\"403\"><\/a><\/p>\n<h2>Like a thief in the night<\/h2>\n<p>Once launched, the executable posing as a PDF pretends to be a document viewer. First, it shows the victim an error message explaining why the document failed to open, so that the failed \u201copen\u201d looks innocent. Next, it disables Windows Defender and installs forged <a target=\"_blank\" href=\"https:\/\/securelist.com\/threats\/digital-certificate-glossary\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" rel=\"noopener noreferrer\">digital certificates<\/a>. Only when the coast seems clear does it decide what to do with the infected device: encrypt files and demand a ransom, or install a miner.<\/p>\n<p>Finally, the malicious program tries to spread to other computers inside the local network. If employees have shared the Users folder on their devices over the network, the malware copies itself into those shares.<\/p>\n<h3>Mine or encrypt?<\/h3>\n<p>The selection criterion is simple. If the malware finds a Bitcoin wallet data folder on the victim\u2019s computer, it runs a piece of ransomware that encrypts files (including Office docs, PDFs, images, and backups) and demands a ransom payment within three days. The ransom amount and payment details are promised by e-mail.<\/p>\n<p>If there are no Bitcoin-related folders on the device and the malware judges the machine powerful enough for cryptocurrency mining, it downloads a miner that surreptitiously mines Monero, Monero Original, or Dashcoin in the background.<\/p>\n<h3>Don\u2019t be a victim<\/h3>\n<p>To avoid getting infected by Rakhni and having real damage inflicted on your company, be very wary of incoming messages, especially ones from unfamiliar e-mail addresses. If you are in any doubt about whether to open an attachment, don\u2019t. Pay close attention to operating system warnings as well: a financial document should never need to run an executable from an unknown publisher, so treat that prompt as a stop sign, especially when the publisher name resembles a popular program.<\/p>\n<p>In the fight against miners and cryptors in the corporate network, you won\u2019t go wrong by taking these measures:<\/p>\n<ul>\n<li>Train your information security staff and regularly check their know-how. 
If you need help with that, our experts can <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/enterprise-security\/security-awareness\" rel=\"noopener noreferrer nofollow\">arrange<\/a> it for you.<\/li>\n<li>Make backup copies of sensitive data on a separate storage medium that is kept disconnected from the network; the cryptor encrypts any backups it can reach.<\/li>\n<li>Use reliable security solutions with behavioral analysis, for example Kaspersky Endpoint Security for Business.<\/li>\n<li>Regularly <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/cybersecurity-services?redef=1&amp;THRU&amp;reseller=gl_kdaily_acq_ona_smm__onl_b2b_kasperskydaily_lnk_______\" rel=\"noopener noreferrer nofollow\">probe<\/a> your corporate network for anomalies, such as a host whose Windows Defender has been switched off, newly installed root certificates, or a miner process running in the background.<\/li>\n<\/ul>\n<p>Even if you don\u2019t use Kaspersky Lab\u2019s corporate solutions, that\u2019s no reason to leave data to ransomware actors. We have a dedicated solution, the Kaspersky Anti-Ransomware Tool, that can augment the security products of most third-party vendors. 
It uses the latest behavioral detection technologies and our cloud mechanisms to hunt for ransomware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Rakhni encrypting ransomware, known since 2013, is now trying its hand at mining Monero.<\/p>\n","protected":false},"author":2484,"featured_media":20572,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[2141,2620,1680,2917,261,2420,2619,2786,2918,2919,420,513,422,723],"class_list":{"0":"post-20571","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-business","10":"tag-cryptocurrencies","11":"tag-cryptors","12":"tag-dashcoin","13":"tag-encryption","14":"tag-endpoint","15":"tag-mining","16":"tag-monero","17":"tag-monero-original","18":"tag-rakhni","19":"tag-ransomware","20":"tag-social-engineering","21":"tag-threats","22":"tag-trojans"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/rakhni-miner-cryptor\/20571\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/rakhni-miner-cryptor\/13634\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/rakhni-miner-cryptor\/11401\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/rakhni-miner-cryptor\/15700\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/rakhni-miner-cryptor\/13937\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/rakhni-miner-cryptor\/13114\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/rakhni-miner-cryptor\/16418\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/rakhni-miner-cryptor\/15902\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/rakhni-miner-cryptor\/20880\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.c
om.tr\/blog\/rakhni-miner-cryptor\/5079\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/rakhni-miner-cryptor\/22988\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/rakhni-miner-cryptor\/10552\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/rakhni-miner-cryptor\/9370\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/rakhni-miner-cryptor\/17183\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/rakhni-miner-cryptor\/20733\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/rakhni-miner-cryptor\/16918\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/rakhni-miner-cryptor\/20561\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/20571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=20571"}],"version-history":[{"count":10,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/20571\/revisions"}],"predecessor-version":[{"id":24034,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/20571\/revisions\/24034"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/20572"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=20571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=20571"},{"taxonomy":"post_tag","embeddable":true,"href":"htt
ps:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=20571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
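The post's "Like a thief in the night" section names three host-level side effects of a Rakhni infection: Windows Defender gets disabled, forged certificates are installed, and the loader copies itself into Users folders that other machines have shared. The triage script below turns those three observations into checks an incident responder can run on a suspect Windows host. It is an added example and not code from the Kaspersky post or from Kaspersky products; it assumes Windows 10 / Server 2016 or later with the built-in Defender and SmbShare PowerShell modules, an elevated session, and it uses a 7-day window on a certificate's NotBefore date as a rough proxy for "recently installed", which is a heuristic of this example rather than a fact from the post.

```powershell
# Added triage script, not code from the Kaspersky post. Checks a Windows host for
# the three conditions the post describes: Windows Defender switched off, freshly
# installed root certificates, and a Users folder exposed over SMB.
# Assumptions: Windows 10 / Server 2016+, Defender and SmbShare modules present,
# elevated PowerShell. The 7-day window and "NotBefore as install-time proxy" are
# heuristics chosen for this example.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender state. Rakhni disables Windows Defender before it decides what to deploy.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine is disabled') }
} catch {
    $findings.Add("Get-MpComputerStatus failed (Defender removed or unloaded?): $($_.Exception.Message)")
}

# Policy values that switch Defender off without touching the UI.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -eq 1) { $findings.Add("Policy $name=1 under $policyKey") }
}

$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') { $findings.Add('WinDefend service is not running') }

# 2. Trusted root stores. Rakhni installs forged certificates; a trusted root whose
#    validity only began within the last week is unusual on a managed host.
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
    Where-Object { $_.NotBefore -gt $cutoff } |
    ForEach-Object {
        $findings.Add("Recent root certificate: subject='$($_.Subject)' thumbprint=$($_.Thumbprint) store=$($_.PSParentPath)")
    }

# 3. SMB exposure. Rakhni copies itself into Users folders that other machines have
#    shared, so any share rooted under \Users with write access is a lateral-movement path.
Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like '*\Users*' } |
    ForEach-Object {
        $share = $_
        $writers = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' } |
            Select-Object -ExpandProperty AccountName
        if ($writers) {
            $findings.Add("Share '$($share.Name)' exposes $($share.Path) with write access for: $($writers -join ', ')")
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Rakhni-style indicators found on this host'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an administrator prompt on the suspect machine. A hit in section 2 is not proof of compromise on its own: an enterprise CA rolled out by Group Policy in the past week will trigger the same line, so compare the thumbprint against what your PKI team actually deployed before escalating. Sections 1 and 3 are the stronger signals, since a legitimate workstation rarely has Defender policy-disabled and its Users folder writable by other hosts at the same time.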