Rakhni Trojan Determines Whether to Encrypt or Mine Dashcoin

July 8, 2018


A new variant of the Rakhni Trojan has been found by security researchers at Kaspersky Lab. This new malware variant determines whether a device is suited to mining cryptocurrency. If the device has adequate processing power, a Dashcoin miner is downloaded and the device is used to mine cryptocurrency for the attackers. If the likely income from cryptocurrency mining is small, files on the device are encrypted in a typical ransomware attack.

The Rakhni Trojan is more usually associated with file encryption, but this new feature lets the attackers maximize their returns.

The Delphi-based malware is currently being distributed through spam email. Malicious documents are attached to the emails and contain an embedded link with a PDF image. If that link is double-clicked, a popup window appears asking the user to confirm whether to allow AdobeReaderPlugin.exe to make changes to their computer.

If the user agrees, AdobeReaderPlugin.exe displays a fake error message stating that a CommonCTL.dll file was not found. This gives the user an explanation for why the PDF file did not open, so as not to arouse suspicion: the user is led to think that their system could not open the file.

When that popup window is closed, the malware checks the environment in which it has been installed, including checks to determine whether it is running in a sandbox. The malware also checks the processes currently running on the computer, and exits if any of a list of security products is present or if fewer than 26 processes are running. It also checks whether AV software is running and, if not, disables Windows Defender.

If the checks are passed, a root certificate is installed, and all of the downloaded executables are signed with it so that those executables appear trusted. Fake certificates have been identified that appear to have been issued by Adobe or Microsoft.

The malware then checks which malicious payload to download and run. If a Bitcoin folder exists in the %AppData% folder, the files on the computer are encrypted. If the folder does not exist and the computer has at least two logical processors, it is used for mining Dashcoin.

A third option is selected if the Bitcoin folder does not exist and there is only one logical processor: a worm is downloaded that tries to spread the malware by accessing the Users folder and copying itself into the \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder of each accessible user.
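The worm behaviour described above leaves identical content in the Startup folder of several user profiles. The following Python check is an added example, not code from Kaspersky Lab or from the original article: it hashes logon-run files in each profile's Startup folder and reports any content found under two or more profiles. The function names, the extension list and the `min_profiles` threshold are assumptions.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# Per-user Startup folder, relative to each profile directory (path from the article).
STARTUP_REL = Path("AppData", "Roaming", "Microsoft", "Windows",
                   "Start Menu", "Programs", "Startup")
# Assumption: file types that execute at logon and are worth hashing.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def startup_copies(users_root, min_profiles=2):
    """Return {sha256: sorted [(profile, filename), ...]} for content present
    in the Startup folder of at least min_profiles different user profiles."""
    seen = defaultdict(set)
    for profile in sorted(Path(users_root).iterdir()):
        startup = profile / STARTUP_REL
        if not startup.is_dir():
            continue
        try:
            for item in startup.iterdir():
                if item.is_file() and item.suffix.lower() in EXEC_SUFFIXES:
                    seen[sha256_of(item)].add((profile.name, item.name))
        except OSError:
            continue  # unreadable folder or file: move on to the next profile
    # Keep only content shared across profiles; file names may differ per copy.
    return {
        digest: sorted(hits)
        for digest, hits in seen.items()
        if len({profile for profile, _ in hits}) >= min_profiles
    }


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    for digest, hits in startup_copies(root).items():
        print(digest)
        for profile, name in hits:
            print(f"  {profile}: {name}")
```

Software deployed to every profile by an administrator will also match, so each reported hash needs to be reviewed against known-good installs.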

So far, the malware has mainly been used to target Russian users, although infections have also been seen in Kazakhstan, Germany, Ukraine, and India.

As with all other email-based attacks that use attachments to spread malicious software, the best defenses are an advanced spam filter to prevent the emails from being delivered and end-user security awareness training to condition employees not to enable macros or grant permissions to malicious software if an email attachment is opened.