Cybersecurity experts have been taken aback by a new phenomenon: a type of malware that, after infecting a system, decides for itself whether to steal data and put up a ransom demand, or simply take over the system to do crypto-mining tasks on the sly.
And the worst part here is that the Trojan was first discovered five years ago, in 2013, and the hackers appear to have reworked it to give it this new capability.
What concerns cybersecurity experts is that it does not give away its true identity and hides behind dialogue boxes that indicate the program is certified by Microsoft Corporation or Adobe, while in reality, these are fake certificates.
The Russian cybersecurity company Kaspersky Labs has taken the lead in publishing the complete details of how the malware infects and takes over systems.
A Brief Recount of How the Malware Attacks
This Trojan was named Rakhni and is identified as being part of the “Trojan-Ransom.Win32.Rakhni” family of malware.
The age-old method of planting a spam email attachment is employed in this case as well. The attackers have chosen a PDF document as the carrier of the Trojan, and the victim will invariably click on the download button to open the document.
And here’s where the real trouble starts, as the command-and-control (C&C) server takes over and manipulates the Trojan from here on.
In a series of steps, the user will see that the file is trying to obtain some permissions from Adobe to open the PDF file while it is downloading the malware in the background.
At this stage, the Trojan makes the decision to either download the cryptor or the miner, and this decision is made depending on the presence of a folder labeled “%AppData%\Bitcoin.”
If this folder is available on the system for any reason, then the cryptor download happens automatically and if not, the Trojan decides to engage your computer to do cryptocurrency mining on its own, without your knowledge.
If the cryptor download is effected, then all files will be encrypted and the owner of the device will be requested to pay up the ransom in order to decrypt and recover their data.
Monero and Dashcoin Are the Currencies Being Mined
The analysts at Kaspersky observed that this mining operation by the re-engineered Trojan Rakhni is for the cryptocurrency Monero and in certain cases, Dashcoin.
The hacker may later convert it to Bitcoin or whatever currency he chooses.
The researchers observed that there is a system to block or disable Windows Defender and execute a series of commands to ensure the mining process is carried on in the background with reports being forwarded to the remote server.
And in the end, as it happens with all such cyberattacks, the malware will cover its tracks through deleting all the files it had created.
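As an added example (not from the Kaspersky report or this article), the following PowerShell triage script checks a Windows host for the indicators the article describes: the “%AppData%\Bitcoin” folder that steers the Trojan toward the cryptor, recently written binaries whose signature names Microsoft or Adobe but does not verify, and Windows Defender real-time protection having been switched off. The drop locations and the seven-day look-back window are assumptions.

```powershell
# Added defensive triage script; not Kaspersky's code. Assumptions are marked.
# Each function emits one or more objects; Finding = $True means the indicator
# is present on this host and deserves a human look.

function Test-BitcoinFolder {
    # The article names this folder as the Trojan's cryptor-or-miner decision point.
    $path = Join-Path $env:APPDATA 'Bitcoin'
    [PSCustomObject]@{ Check = 'AppData\Bitcoin folder'; Finding = (Test-Path $path); Detail = $path }
}

function Find-UntrustedVendorSignatures {
    param(
        [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP), # assumed drop locations
        [int]$Days = 7,                                                   # assumed look-back window
        [string]$VendorPattern = 'Microsoft|Adobe'                        # vendor names the article says are spoofed
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Roots -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A genuine vendor binary verifies as Valid. A subject claiming the vendor
            # together with NotTrusted, HashMismatch or UnknownError is the pattern to escalate.
            if ($subject -match $VendorPattern -and $sig.Status -ne 'Valid') {
                [PSCustomObject]@{
                    Check   = 'Untrusted vendor signature'
                    Finding = $true
                    Detail  = "$($_.FullName) [$($sig.Status)] $subject"
                }
            }
        }
}

function Test-DefenderRealtime {
    # The article reports the miner disabling Windows Defender before it runs.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        [PSCustomObject]@{
            Check   = 'Defender real-time protection'
            Finding = (-not $mp.RealTimeProtectionEnabled)
            Detail  = "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
        }
    } catch {
        [PSCustomObject]@{ Check = 'Defender real-time protection'; Finding = $null; Detail = 'Defender module unavailable' }
    }
}

@(Test-BitcoinFolder; Find-UntrustedVendorSignatures; Test-DefenderRealtime) | Format-Table -AutoSize
```

A legitimate Bitcoin Core wallet also creates the folder, so that hit alone is a prompt to ask the user, not a verdict.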
So Far, Limited Geographies Affected
Russia is the country where almost 96 percent of the “Trojan-Downloader.Win32.Rakhni” attacks were reported from.
Although four or five more countries are also on the list, they are proportionately insignificant in terms of the percentage of attacks seen.
Within the Russian Federation, the attacks are fairly evenly spread across the country. Another finding was that the malware spares individual computer users and attacks only companies.
This Trojan has been transforming over the course of years, and each time causing more harm to the computer systems its handlers choose to attack.
The victims may be losing their fortunes, but those behind this malware appear to be a few steps ahead of the ones finding solutions for them.
Even in this present case, the Kaspersky Lab analysts who have produced the reports with clear screenshots and evidence are based out of Russia, where the Trojan has caused the maximum extent of damage.
Kaspersky has a reputation for offering cybersecurity products and services throughout the world. The experts advise that by taking a series of steps to secure systems and networks, one can avert such a cyberattack.
But there still appears to be a lot of work for the cybersecurity community to do to stem the advance of such malware.
The unscrupulous elements repeatedly show that they are producing more malicious programs than the developers of anti-malware programs can keep up with.