Old Malware Gives Criminals Tricky New Choice: Ransomware or Mining


The Rakhni Trojan is now giving bad actors the ability to infect victims either with a ransomware cryptor or a miner.

An old ransomware sample has been rejiggered with a sneaky new trick – allowing adversaries to either extort money from victims via ransomware, or hijack a computer’s CPU cycles via a stealthy cryptominer.

The Rakhni Trojan (Trojan-Ransom.Win32.Rakhni), first spotted in 2013, is now giving bad actors the ability to infect victims either with a ransomware cryptor or a miner, researchers at Kaspersky Lab wrote in a report Thursday.

“[Criminals] will in any case try to benefit from the victim: by direct extortion of money (encryptor) or by unauthorized use of user resources in their own needs (miner),” Orkhan Mamedov, researcher with Kaspersky Lab, told Threatpost via email. “If we are talking about Rakhni, even if the first two ways are not effective it uses a third way – it involves the victim in the chain of distribution of the malware (net-worm). I really hope it won’t become a trend.”

The malware, which has mostly been infecting victims in Russia, is first distributed via email spam campaigns. The phishing emails that researchers inspected contained fake corporate financial documents, leading them to believe the main targets of the criminals are companies, said Mamedov, who co-wrote the report along with researcher Egor Vasilenko.

After opening an email attachment, victims are prompted to enable editing of what the email purports to be an embedded PDF file. Once the victim clicks on the “PDF,” it launches a malicious executable.

After execution, the downloader (an executable file written in Delphi) displays a message box with an error text purporting to be from Adobe – throwing victims off track from suspecting that they have been infected.

“To hide the presence of the malicious software in the system the malware developer made their creation look like the products of Adobe Systems,” researchers said. “This is reflected in the icon, the name of the executable file and the fake digital signature that uses the name Adobe Systems Incorporated.”

Once downloaded, according to researchers, the malware bases its decision to fetch the cryptor or the miner on the presence of a cryptocurrency wallet (the Bitcoin data folder, %AppData%\Bitcoin) on the system.

If such a folder exists, the downloader decides to download the cryptor. Meanwhile, if the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded.

“The number of logical processors is an abstraction that shows how many parallel tasks a computer is capable of executing,” Mamedov told Threatpost via email. “Supposedly, the criminals decided that if the infected machine is ‘powerful enough’ (i.e. it has more than 2 logical processors) it will be more profitable to mine cryptocurrency on this hardware than to extort money from its owner.”

If such a cryptocurrency folder exists, the Trojan downloads a password-protected archive containing a cryptor module to the startup directory (C:\Documents and Settings\username\Start Menu\Programs\Startup).

The cryptor executable will have the name taskhost.exe, researchers said. Interestingly, it will only start working if the system has been idle for at least two minutes, after which the executable will encrypt an array of file extensions and change them to .neitrino.

In each encrypted directory, the cryptor then creates a MESSAGE.txt file with the ransomware message.

The ransom note contains an attacker email address and a payment “deadline,” said Mamedov. “Additionally, the ransom note warns the victim that using third-party decryptors can corrupt files and even the original decryptor would not be able to decrypt them,” he told us. “The last sentence of the ransom note informs the victim that all requests will be processed by an automatic system.”

That said, decryption tools for the Rakhni ransomware are currently available.

Meanwhile, if a cryptocurrency folder does not exist, the Trojan downloads a miner module and generates a VBS script with commands for mining either the Monero or Dashcoin cryptocurrency.

“In order to disguise the miner as a trusted process, the attacker signs it with a fake Microsoft Corporation certificate and calls svchost.exe,” researchers said.

Finally, if the machine doesn’t have a cryptocurrency folder and has just one logical processor (instead of two), the downloader jumps to its worm component. This last-resort method lets it use worm-like capabilities to copy itself to all computers on the local network.

“As one of its last actions the downloader tries to copy itself to all the computers in the local network,” researchers said. “To do so, it calls the system command ‘net view /all’ which will return all the shares and then the Trojan creates the list.log file containing the names of computers with shared resources.”
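The cryptor, ransom-note and worm stages described above each leave a file-system artifact a responder can look for. The triage script below is an added example, not code from Kaspersky Lab or Threatpost: it walks a directory tree for `.neitrino` files, `MESSAGE.txt` notes and the `list.log` share list, and flags a `taskhost.exe` sitting in the per-user Startup folder; the infected-host tree it scans is constructed inline in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Artifacts named in the Kaspersky write-up: encrypted files get the
# .neitrino extension, each encrypted directory receives a MESSAGE.txt
# ransom note, the cryptor is dropped into the Startup folder as
# taskhost.exe, and the worm stage writes a list.log of network shares.
ENCRYPTED_EXT = ".neitrino"
RANSOM_NOTE = "MESSAGE.txt"
CRYPTOR_NAME = "taskhost.exe"
SHARE_LIST = "list.log"


def scan_for_rakhni(root, startup_dir):
    """Walk `root` and return a dict of findings keyed by indicator type."""
    findings = {"encrypted_files": [], "ransom_notes": [],
                "startup_cryptor": [], "share_list": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(str(path))
            elif name == RANSOM_NOTE:
                findings["ransom_notes"].append(str(path))
            elif name.lower() == SHARE_LIST:
                findings["share_list"].append(str(path))
    # A legitimate taskhost.exe lives under System32; one in the per-user
    # Startup folder matches the cryptor module described in the report.
    cryptor = Path(startup_dir) / CRYPTOR_NAME
    if cryptor.is_file():
        findings["startup_cryptor"].append(str(cryptor))
    return findings


def build_sample_host():
    """Construct a throwaway directory tree mimicking an infected host."""
    root = Path(tempfile.mkdtemp())
    startup = root / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    docs = root / "Documents"
    docs.mkdir()
    (docs / "invoice.docx.neitrino").write_bytes(b"constructed ciphertext")
    (docs / "MESSAGE.txt").write_text("constructed ransom note")
    (startup / "taskhost.exe").write_bytes(b"MZ constructed stub")
    (root / "list.log").write_text("\\\\HOST1\\share\n")
    return root, startup
```

Run `scan_for_rakhni(root, startup)` on the pair returned by `build_sample_host()` to see one hit per indicator; on a real host, point it at a user profile and its Startup folder instead.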

The Rakhni Trojan has continued to change over the years, with this unique capability being only the latest, researchers said. The malware writers have also tweaked the Trojan over the years to change the way it gets keys (from locally generated keys to those received from the command-and-control server), as well as their malware distribution method (from spam to remote execution methods).