Upgraded Rakhni malware strain can be ransomware or a cryptominer

July 08, 2018

The five-year-old Trojan-Ransom.Win32.Rakhni family has received a revamp that now lets it decide whether to install its conventional ransomware or to drop a cryptominer in its place.

For the most part, the infection chain remains unchanged. However, the malware now follows a somewhat complex path before it decides which form it will take. During the process it checks to make sure the machine is not a virtual machine, checks for and disables antivirus software as well as Windows Defender, and finally deletes most of the footprints left during installation.

The malware is delivered through spam campaigns in which the email carries a PDF attachment that the recipient is urged to save and then allow editing. When the victim tries to open the document, they are instead presented with an executable that poses as an Adobe Reader plugin and asks the user to let it make changes to their computer.

The executable, which is written in Delphi and has its strings encrypted, then displays a message box saying the PDF could not be opened, essentially to keep the victim from suspecting that anything harmful is about to happen.

The malware then begins a decision sequence that ultimately determines what to drop onto the machine.

It first checks that its path on the machine contains one of the substrings:

  • \TEMP
  • \TMP

Registry check: it then checks that the registry contains no value HKCU\Software\Adobe\DAVersion and, if none is found, creates HKCU\Software\Adobe\DAVersion = True.

The next step is to confirm that at least 26 processes are running; however, it also compares these against a fairly long list of processes that, if found, will halt the installation.

It checks whether the machine under attack is a virtual machine, installs bogus root certificates and then looks for a specific folder, %AppData%\Bitcoin, before it makes its final decision on what to drop.

“If the folder exists, the downloader makes a decision to download the cryptor. If the folder does not exist and the machine has more than two logical processors, the miner will be copied. If there is no folder and only one logical processor, the downloader jumps to its worm part, which is explained below in the matching part of the article,” Kaspersky wrote.

The malware makes one last deposit onto the target machine. It drops a worm and attempts to copy itself to other computers on the local network.
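As an added triage script (not part of the article or of Kaspersky's analysis), the following PowerShell hunts for the infection marker described above, the HKCU\Software\Adobe\DAVersion value, across every loaded user hive, and then applies the quoted folder/processor rule to report which payload an analyst should expect on that host. Only the value name, the %AppData%\Bitcoin folder and the processor-count rule come from the article; the function names and output fields are assumptions.

```powershell
# Added example: hunt for the Rakhni DAVersion registry marker and map the
# host's state onto the downloader's cryptor / miner / worm decision rule.

function Get-RakhniDAVersionMarkers {
    # Expose HKEY_USERS so hives of other logged-on users are visible, not just HKCU
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hits = @()
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -like '*_Classes') { continue }   # no Software\Adobe subtree there
        $key  = "HKU:\$($hive.PSChildName)\Software\Adobe"
        # Returns $null when either the key or the DAVersion value is absent
        $prop = Get-ItemProperty -Path $key -Name 'DAVersion' -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $hits += [pscustomobject]@{
                Sid       = $hive.PSChildName
                Key       = $key
                DAVersion = $prop.DAVersion
            }
        }
    }
    return $hits
}

function Get-ExpectedRakhniPayload {
    # Mirrors the decision rule quoted from Kaspersky so the analyst knows what to look for next
    param([bool]$BitcoinFolderExists, [int]$LogicalProcessors)
    if ($BitcoinFolderExists)     { return 'cryptor (ransomware)' }
    if ($LogicalProcessors -gt 2) { return 'miner' }
    if ($LogicalProcessors -eq 1) { return 'worm' }
    return 'not stated in the quoted rule for exactly 2 logical processors'
}

$markers = @(Get-RakhniDAVersionMarkers)
if ($markers.Count -eq 0) {
    Write-Output 'No DAVersion marker found in any loaded user hive.'
} else {
    $markers | Format-Table -AutoSize
    # The folder check covers the current user's profile only; other profiles need their own path
    $folder = Test-Path (Join-Path $env:APPDATA 'Bitcoin')
    $cpus   = [int]$env:NUMBER_OF_PROCESSORS
    Write-Output ('Expected payload on this host: ' + (Get-ExpectedRakhniPayload $folder $cpus))
}
```

A hit only proves the downloader ran at least once; the expected-payload line tells you whether to look next for encrypted files, a miner process, or lateral-movement traffic on the local network.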