Way back in 2013 our malware analysts spotted the first malicious samples related to the Trojan-Ransom.Win32.Rakhni family. That was the starting point for this long-lived Trojan family, which is still functioning to this day. During that time the malware writers have changed:

  • the way their Trojans get keys (from locally generated to received from the C&C);
  • the algorithms used (from using only a symmetric algorithm, through a commonly used scheme of symmetric + asymmetric, to 18 symmetric algorithms used simultaneously);
  • the crypto-libraries (LockBox, AESLib, DCPcrypt);
  • the distribution method (from spam to remote execution).

Now the criminals have decided to add a new feature to their creation – a mining capability. In this article we describe a downloader that decides how to infect the victim: with a cryptor or with a miner.

Distribution

Geography of attacks

- 180702 rakhni 1 - To crypt, or to mine – that is the question

Geography of Trojan-Downloader.Win32.Rakhni

Top five countries attacked by Trojan-Downloader.Win32.Rakhni (ranked by percentage of users attacked):

Country %*
1 Russian Federation 95.57%
2 Kazakhstan 1.36%
3 Ukraine 0.57%
4 Germany 0.49%
5 India 0.41%

* Percentage of unique users attacked in each country by Trojan-Downloader.Win32.Rakhni, relative to all users attacked by this malware

Infection vector

As far as we know, spam campaigns are still the main way of distributing this malware.

- 180702 rakhni 2 - To crypt, or to mine – that is the question

Email with malicious attachment

After opening the email attachment, the victim is prompted to save the document and enable editing.

- 180702 rakhni 3 - To crypt, or to mine – that is the question

Attached Word document

The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable.

- 180702 rakhni 4 - To crypt, or to mine – that is the question

UAC window shown before the Trojan starts

Downloader

General information

The downloader is an executable file written in Delphi. To complicate analysis, all strings inside the malware are encrypted with a simple substitution cipher.

After execution, the downloader displays a message box with an error text. The purpose of this message is to explain to the victim why no PDF file opened.

- 180702 rakhni 5 - To crypt, or to mine – that is the question

Fake error message

To hide the presence of the malicious software in the system the malware developer made their creation look like the products of Adobe Systems. This is reflected in the icon, the name of the executable file and the fake digital signature that uses the name Adobe Systems Incorporated. In addition, before installing the payload the downloader sends an HTTP request to the address www.adobe.com.

Environment checks

After the message box is closed the malware performs a number of checks on the infected machine:

  • Self path check
    • The name should contain the substring AdobeReader
    • The path should contain one of the following substrings:
      • TEMP
      • TMP
      • STARTUP
      • CONTENT.IE
    • Registry check

Checks that in the registry there is no value HKCUSoftwareAdobeDAVersion and, if so, the malware creates the value HKCUSoftwareAdobeDAVersion = True and continues its work

  • Running processes check
    • Checks that the count of running processes is greater than 26
    • Checks that none of the processes listed in the table below are present.
alive.exe filewatcherservice.exe ngvmsvc.exe sandboxierpcss.exe
analyzer.exe fortitracer.exe nsverctl.exe sbiectrl.exe
angar2.exe goatcasper.exe ollydbg.exe sbiesvc.exe
apimonitor.exe GoatClientApp.exe peid.exe scanhost.exe
apispy.exe hiew32.exe perl.exe scktool.exe
apispy32.exe hookanaapp.exe petools.exe sdclt.exe
asura.exe hookexplorer.exe pexplorer.exe sftdcc.exe
autorepgui.exe httplog.exe ping.exe shutdownmon.exe
autoruns.exe icesword.exe pr0c3xp.exe sniffhit.exe
autorunsc.exe iclicker-release.exe.exe prince.exe snoop.exe
autoscreenshotter.exe idag.exe procanalyzer.exe spkrmon.exe
avctestsuite.exe idag64.exe processhacker.exe sysanalyzer.exe
avz.exe idaq.exe processmemdump.exe syser.exe
behaviordumper.exe immunitydebugger.exe procexp.exe systemexplorer.exe
bindiff.exe importrec.exe procexp64.exe systemexplorerservice.exe
BTPTrayIcon.exe imul.exe procmon.exe sython.exe
capturebat.exe Infoclient.exe procmon64.exe taskmgr.exe
cdb.exe installrite.exe python.exe taslogin.exe
cff explorer.exe ipfs.exe pythonw.exe tcpdump.exe
clicksharelauncher.exe iprosetmonitor.exe qq.exe tcpview.exe
closepopup.exe iragent.exe qqffo.exe timeout.exe
commview.exe iris.exe qqprotect.exe totalcmd.exe
cports.exe joeboxcontrol.exe qqsg.exe trojdie.kvp
crossfire.exe joeboxserver.exe raptorclient.exe txplatform.exe
dnf.exe lamer.exe regmon.exe virus.exe
dsniff.exe LogHTTP.exe regshot.exe vx.exe
dumpcap.exe lordpe.exe RepMgr64.exe winalysis.exe
emul.exe malmon.exe RepUtils32.exe winapioverride32.exe
ethereal.exe mbarun.exe RepUx.exe windbg.exe
ettercap.exe mdpmon.exe runsample.exe windump.exe
fakehttpserver.exe mmr.exe samp1e.exe winspy.exe
fakeserver.exe mmr.exe sample.exe wireshark.exe
Fiddler.exe multipot.exe sandboxiecrypto.exe xxx.exe
filemon.exe netsniffer.exe sandboxiedcomlaunch.exe ZID Updater File Writer Service.exe
  • Computer name check
    • The name of the computer shouldn’t contain any of the following substrings:
      • -MALTEST
      • AHNLAB
      • WILBERT-
      • FIREEYES-
      • CUCKOO
      • RSWT-
      • FORTINET-
      • GITSTEST
    • Calculates an MD5 digest of the computer name in lower case and compares it with a hundred blacklisted values
  • IP address check

Obtains the external IP address of the machine and compares it with hardcoded values.

  • Virtual machine check
    • Checks that the following registry keys don’t exist:
      • HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstallOracle VM VirtualBox Guest Additions
      • HKLMSOFTWAREOracleVirtualBox Guest Additions
      • HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstallSandboxie
      • HKLMSYSTEMControlSet002EnumVMBUS
      • HKLMHARDWAREACPIDSDTVBOX
      • HKLMHARDWAREACPIDSDTVirtualBox
      • HKLMHARDWAREACPIDSDTParallels Workstation
      • HKLMHARDWAREACPIDSDTPRLS
      • HKLMHARDWAREACPIDSDTVirtual PC
      • HKLMHARDWAREACPISDTAMIBI
      • HKLMHARDWAREACPIDSDTVMware Workstation
      • HKLMHARDWAREACPIDSDTPTLTD
      • HKLMSOFTWARESandboxieAutoExec
      • HKLMSOFTWAREClassesFoldershellsandbox
    • Checks that the following registry values don’t exist:
      • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionOpenGLDriversVBoxOGLDll=VBoxOGL.dll
      • HKLM\SYSTEMCurrentControlSetservicesDiskEnum

LEAVE A REPLY

Please enter your comment!
Please enter your name here