Skip to main content

New Virus Decides If Your Computer Good for Mining or Ransomware




Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations to decide which of the two schemes could be more profitable.


While rensomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption key required to decrypt your files, cryptocurrency miners utilize infected system's CPU power to mine digital currency.


Both ransomware and cryptocurrency mining-based attacks have been the top threats so far this year and share many similarities such as both are non-sophisticated attacks, carried out for money against non-targeted users, and involve digital currency.

However, since locking a computer for ransom doesn't always guarantee a payback in case victims have nothing essential to losing, in past months cybercriminals have shifted more towards fraudulent cryptocurrency mining as a method of extracting money using victims' computers.

Researchers at Russian security firm Kaspersky Labs have discovered a new variant of Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.


Written in Delphi programming language, the Rakhni malware is being spread using spear-phishing emails with an MS word file in the attachment, which if opened, prompts the victim to save the document and enable editing.

The document includes a PDF icon, which if clicked, launches a malicious executable on the victim's computer and immediately displays a fake error message box upon execution, tricking victims into thinking that a system file required to open the document is missing.

How Malware Decides What To Do


However, in the background, the malware then performs many anti-VM and anti-sandbox checks to decide if it could infect the system without being caught. If all conditions are met, the malware then performs more checks to decide the final infection payload, i.e., ransomware or miner.

1.) Installs Ransomware—if the target system has a 'Bitcoin' folder in the AppData section.

Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note via a text file.

2.) Installs cryptocurrency miner—if 'Bitcoin' folder doesn't exist and the machine has more than two logical processors.

If the system gets infected with a cryptocurrency miner, it uses MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background.



Besides this, the malware uses CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated in an attempt to disguise the miner as a trusted process.

3.) Activates worm component—if there's no 'Bitcoin' folder and just one logical processor.

This component helps the malware to copy itself to all the computers located in the local network using shared resources.

"For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user," the researchers note.

Regardless of which infection is chosen, the malware performs a check if one of the listed antivirus processes is launched. If no AV process is found in the system, the malware will run several cmd commands in an attempt to disable Windows Defender.

What's more? There's A Spyware Feature As Well

"Another interesting fact is that the malware also has some spyware functionality – its messages include a list of running processes and an attachment with a screenshot," the researchers say.
This malware variant is targeting users primarily in Russia (95.5%), while a small number of infection has been noticed in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.

The best way to prevent yourself from being a victim of such attacks in the first place is never to open suspicious files and links provided in an email. Also, always keep a good backup routine and updated anti-virus software in place.


Comments

Popular posts from this blog

Spring Security with JWT for REST API

Spring is considered a trusted framework in the Java ecosystem and is widely used. It’s no longer valid to refer to Spring as a framework, as it’s more of an umbrella term that covers various frameworks. One of these frameworks is Spring Security , which is a powerful and customizable authentication and authorization framework. It is considered the de facto standard for securing Spring-based applications. Despite its popularity, I must admit that when it comes to single-page applications , it’s not simple and straightforward to configure. I suspect the reason is that it started more as an MVC application -oriented framework, where webpage rendering happens on the server-side and communication is session-based. If the back end is based on Java and Spring, it makes sense to use Spring Security for authentication/authorization and configure it for stateless communication. While there are a lot of articles explaining how this is done, for me, it was still frustrating to set it up for the f...

Java Functional Interfaces

  The term   Java functional interface   was introduced in Java 8. A   functional interface   in Java is an interface that contains only a single abstract (unimplemented) method. A functional interface can contain default and static methods which do have an implementation, in addition to the single unimplemented method. Here is a Java functional interface example: public interface MyFunctionalInterface { public void execute(); } The above counts as a functional interface in Java because it only contains a single method, and that method has no implementation. Normally a Java interface does not contain implementations of the methods it declares, but it can contain implementations in default methods, or in static methods. Below is another example of a Java functional interface, with implementations of some of the methods: public interface MyFunctionalInterface2{ public void execute(); public default void print(String text) { System.out.println(t...

Java Logger

In Java, logging is an important feature that helps developers to trace out the errors. Java is the programming language that comes with the logging approach. It provides a Logging API that was introduced in Java 1.4 version. It provides the ability to capture the log file. In this section, we are going to deep dive into the Java Logger API. Also, we will cover logging level, components, Logging handlers or appenders, logging formatters or layouts, Java Logger class, What is logging in Java? In Java, Logging is an API that provides the ability to trace out the errors of the applications. When an application generates the logging call, the Logger records the event in the LogRecord. After that, it sends to the corresponding handlers or appenders. Before sending it to the console or file, the appenders format that log record by using the formatter or layouts. Need for Logging It provides the complete tracing information of the application. It records the critical failure if any occur in ...