Rakhni Trojan Decides Whether to Encrypt or Mine Dashcoin

A new variant of the Rakhni Trojan has been detected by security researchers at Kaspersky Lab. This new malware variant decides whether a device is suited to mining cryptocurrency. If the device has sufficient processing power, a Dashcoin miner is downloaded and the device is turned into a cryptocurrency mining slave. If the likely profits from cryptocurrency mining are low, files on the device will be encrypted in a standard ransomware attack.

The Rakhni Trojan is more commonly associated with file encryption, although this new feature allows the attackers to maximize their profits.

The Delphi-based malware is currently being distributed via spam email. Malicious documents are attached to the emails that contain an embedded link with a PDF icon. If that link is double clicked, a popup window is generated which asks for confirmation if the user wants to grant permissions to AdobeReaderPlugin.exe to make changes on their computer.

If accepted, a fake warning popup message is generated by AdobeReaderPlugin.exe that suggests a CommonCTL.dll file was not found. This tactic tells the user why the PDF file was not opened, so as not to arouse suspicion. The user would be led to believe that their system could not open the file.

Once that popup window is closed, the malware performs a check of the environment in which it has been installed, including checks to determine whether it is running in a sandbox environment. The malware also checks the processes which are currently running on the computer, terminating if any of a list of security products is present or if fewer than 26 processes are running. Checks are also performed to see if AV software is running, and if not, Windows Defender is disabled.

If the checks are passed, a root certificate is installed, which all of the downloaded executables are signed with, ensuring that those executables are trusted. Fake certificates have been identified which appear to have been issued by Microsoft or Adobe.

The malware performs a check to determine which malicious payload to download and run. If a Bitcoin folder is present in the %AppData% folder, the computer will have files encrypted. If the folder does not exist, and the computer has at least two logical processors, it will be used for mining Dashcoin.

A third option is chosen if the Bitcoin folder does not exist and there is only one logical processor – a worm will be downloaded that attempts to spread the malware to accessing the Users folder and copying itself into the \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder of each accessible user.

To date, the malware has predominantly been used to target Russian users, although infections have also been detected in Kazakhstan, Ukraine, Germany, and India.

As with all other email-based attacks using attachments to spread malicious software, the best forms of defense are an advanced spam filter to prevent the emails from being delivered and end user security awareness training to condition employees not to enable macros or grant permissions to malicious software should an email attachment be opened.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news