2-in-1: Ransomware and Coinminer with Worm Capabilities

Delaware, USA – July 6, 2018 – The new version of Rakhni malware is spreading in the wild, it analyzes a victim’s system and determines which component to install: ransomware or coinminer. Researchers from Kaspersky Lab have published an analysis of this somewhat unusual malware. Rakhni trojan has been known for 5 years, and attackers are constantly upgrading it to maximize their profit. The new modification of the virus spread via spam campaigns using social engineering techniques. The downloader disguises as Adobe products and checks the system before downloading the main components to make sure it is not in the sandbox, and there are no running tools for malware analysis. If at least one check fails, the downloader self-deletes. If successful, Rakhni installs a fake Microsoft or Adobe root certificate into the system, and all its components are signed with these certificates. Then it searches for the ‘%AppData%\Bitcoin’ folder if malware finds the folder, it downloads and installs ransomware component, otherwise – it analyzes the system resources. If the infected system has sufficient CPU power, the malware drops the coinminer component, in another way, Rakhni tries to copy itself to other systems on the local network.

Ransomware continues to evolve, and the cybercriminals behind them continue to look for ways to maximize earnings. For early ransomware detection, you can leverage the Ransomware Hunter use case, which helps SIEM to detect malware at the initial stage of the attack.