A newly discovered sample   family and now added new crypto-mining capabilities to infect victims to perform both operations based on the targeted system power.

Rakhni Ransomware family active since 2013 and malware authors now added some now future with mining capabilities.

This multi-purpose malware maintains targeting Russia(95.57%) and other Asian Pacific region including Kazakhstan, Ukraine, Germany, India.

Malware authors added many futures in newly evolved version such as change the method to get the Trojan key, algorithm, crypto-libraries and distribution method.

Attackers mainly distributing this malware through spam email that contains an attached document.

Once the target victims open the attachment then it promotes to enable editing and save the document.

Attached document contains embedded PDF file, once victims double click the file then it launches a malicious executable.

Later it drops the downloader that written in Delphi language and all strings inside the malware are encrypted.

After the execution process, it displays the fake message box with an error which is an explanation for why the PDF is not open after the double click.

- errr - Hackers Distributing Malicious PDF With Rakhni Ransomware and Crypto-MinersAlso, the attacker creates a fake digital signature that uses the name Adobe Systems Incorporated and the downloader sends the HTTP request to adobe system before installing the payload.

Once them message box gets closed then it checks the various within the infected machine such as running process, computer name, virtual machine check, registry value and other process checks.

If the any one of the checks fails the downloader will end its own process and stop any other malicious process.

Before installing the certificate the downloader drops the necessary files from the resources to the %TEMP% directory.

Based on the presence of %AppData%Bitcoin folder, malware will take the decision to download the cryptor or miner.

If the folder exists then downloader will decide to download cryptor else miner will be downloaded based on the two logical processors.

Cryptor process of performing an operation to encrypt the victim’s files using the downloader dropped crypto module.

The cryptor only starts working if the system has been idle for at least two minutes. Before encrypting files, the cryptor terminate the many processes from the infected system.

Finally, it encrypts the following file extension and changes all the file extension as  .neitrino

“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”, “.ashbak”, “.backup”, “.bck”, “.bdb”, “.bk1”, “.bkc”, “.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”, “.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”, “.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”, “.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”, “.p7c”, “.pem”, “.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”, “.pdf”, “.doc”, “.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”, “.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”, “.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”, “.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”, “.pab”, “.oab”, “.psd”, “.psb”, “.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”, “.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”, “.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”, “.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”, “.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”, “.end”, “.eog”, “.erb”, “.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”, “.repx”, “.oxps”, “.dot”.

Files are encrypted using an RSA-1024 encryption algorithm. The information necessary to decrypt the files is sent to the attacker by email.

“Next Miner division will perform by generating a VBS script that will be launched after an OS reboot. The script has the name Check_Updates.vbs. This script contains two commands for mining. ”

Source link


Please enter your comment!
Please enter your name here