A virus that decides whether your computer will be attacked with cryptojacking or with ransomware

Share this…

Pentest specialists discovered a malware piece that infects systems with ransomware cryptocurrency mining programs, depending on equipment specifications and configuration, to decide which of the two attacks could be more profitable.

While ransomware is a type of malware that blocks a computer and prevents access to encrypted data until a ransom is paid to remove file encryption, cryptocurrency mining uses the CPU power of the infected system to extract virtual currencies, an attack known as cryptojacking.

According to pentest experts from the International Institute of Cyber Security, both attacks of have been considered as the main information threats so far this year and share many similarities; none of these attacks require sophisticated processes, and they have to do with operations via cryptocurrencies.

Anyway, since blocking a computer for ransom does not always guarantee retribution if the victims are not interested in decrypting their information, in recent months hackers have been more inclined towards the frauds that surround the various cryptocurrencies as a method to extract money using victim’s computers.

Pentest researchers from the Russian security firm Kaspersky Labs discovered a new variant of the ransomware Rakhni, now capable to perform cryptojacking attacks.

Developed in Delphi programming language, this is spread via phishing with an email including a Microsoft Word attached file which, if opened, asks the victim to save the document and allow editing.

The document includes a PDF icon, if the user interacts with it, will run a malicious program on the victim’s computer and display a false error message at the time of execution, deceiving the victims to think that a system file is missing to open the document.

The path chosen by the malware

As this happens in the foreground, in the background the malware checks if it can be executed without detection. If all the conditions are fulfilled, the malware performs more revisions on the system to decide whether to infect with ransomware or with the mining software.

Ransomware installation

  • The ransomware is installed if the attacked system has a Bitcoin folder. Before encrypting files with the RSA-1024 encryption algorithm, the malware finishes all processes that match a predefined list of popular applications (such as an antivirus) and then displays a ransom note through a text file.

Installation of the mining program

  • The cryptocurrency miner is installed if the computer has more than two logical processors. For this, attackers use the MinerGate tool In addition, the attack uses CERTMGR. exe to install fake root certificates allegedly issued by Microsoft Corporation and Adobe Systems Incorporated in an attempt to pass the malware installation as a reliable process.

Regardless of which infection it chooses to install, the malware will check if any antivirus process starts. If an antivirus process is not found in the system, the malware will run multiple commands in an attempt to disable Windows Defender.

There are some spyware features as well

According to the researchers who discovered this, the malware also works as spyware. This malware variant has been primarily used in Russia, including a series of reports of similar attacks in countries such as Ukraine, Germany, Kazakhstan and India.

The best way to avoid being a victim of such attacks in evo never open suspicious files and links provided by an email. Also, always maintain a good backup routine and an updated antivirus.