Saturday, April 12, 2025

Hackers Distributing Malicious PDF that Perform both Ransomware and Crypto-Mining Attack


A newly discovered malicious sample, delivered as a PDF embedded in a spam attachment, distributes the Rakhni ransomware family, and its authors have now added crypto-mining capability: depending on the targeted system, the malware either encrypts the victim's files or mines cryptocurrency.

The Rakhni ransomware family has been active since 2013, and the mining module is one of several new features its authors have added.

Most infections are in Russia (95.57%), with the remainder spread across Kazakhstan, Ukraine, Germany and India.

Other changes in the newly evolved version include the method used to obtain the Trojan's key, the encryption algorithm, the crypto libraries and the distribution method.

Malware Infection Process

Attackers distribute this malware mainly through spam email campaigns carrying an attached document.

When the victim opens the attachment, it prompts them to enable editing and save the document.

The attached Word document contains an embedded PDF file; when the victim double-clicks it, a malicious executable is launched.

That executable is a downloader written in Delphi, with every string inside it encrypted.

Once running, the downloader displays a fake message box with an error text that explains why the PDF did not open after the double-click.

The downloader also carries a fake digital signature in the name of Adobe Systems Incorporated, and it sends an HTTP request to Adobe's site before installing the payload.

Once the message box is closed, the downloader runs a series of checks on the infected machine: running processes, the computer name, a virtual-machine check, registry values and other process checks.

If any of these checks fails, the downloader terminates its own process and stops any other malicious process.

According to Kaspersky, “The downloader installs a root certificate that’s stored in its resources. All downloaded malicious executables are signed with this certificate. We have found fake certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated.”

Before installing the certificate, the downloader drops the necessary files from its resources to the %TEMP% directory. Two artifacts therefore stand out during response: unexpected executables in %TEMP%, and a root certificate in the machine's trusted root store whose subject claims to be Microsoft Corporation or Adobe Systems Incorporated but that was not issued by either vendor's real CA.

Malware Decision Making

The malware decides whether to download the cryptor or the miner based on the presence of the %AppData%\Bitcoin folder.

If the folder exists, the downloader fetches the cryptor; otherwise the choice falls to a check on the number of logical processors, and the miner is downloaded when that check passes. For analysts, this means that an empty %AppData%\Bitcoin folder in a sandbox is enough to steer the sample toward the cryptor branch.

The cryptor encrypts the victim's files using the crypto module dropped by the downloader.

The cryptor only starts working if the system has been idle for at least two minutes. Before encrypting files, it terminates a long list of processes on the infected system.

Finally, it encrypts files with the following extensions, appending .neitrino to each encrypted file. Note that the list leads with backup and disk-image formats (.bak, .tib, .gho, .iso and others) and also covers certificate and key material (.pem, .pfx, .key, .kdbx), so backups and credentials reachable from the infected host are encrypted alongside ordinary documents:

“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”, “.ashbak”, “.backup”, “.bck”, “.bdb”, “.bk1”, “.bkc”, “.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”, “.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”, “.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”, “.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”, “.p7c”, “.pem”, “.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”, “.pdf”, “.doc”, “.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”, “.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”, “.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”, “.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”, “.pab”, “.oab”, “.psd”, “.psb”, “.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”, “.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”, “.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”, “.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”, “.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”, “.end”, “.eog”, “.erb”, “.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”, “.repx”, “.oxps”, “.dot”.

Files are encrypted using RSA-1024; the information necessary to decrypt them is sent to the attacker by email.
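As an added triage example (not code from the article or from Kaspersky's report), the script below parses the extension list quoted above into a set, then walks a directory tree and separates files that already carry the cryptor's .neitrino suffix from files whose extension is on the target list, grouping the latter so that backups and key material surface first. It assumes the suffix is appended to the original file name (report.docx becomes report.docx.neitrino); the directory layout and file names are constructed for the example.

```python
"""Triage helper for a Rakhni-style cryptor: added example, not the
article's or Kaspersky's code. Sample tree and names are constructed."""
import re
import tempfile
from pathlib import Path

# Excerpt of the target-extension list quoted in the article, kept with the
# curly quotes the page uses so parse_extension_list() has to cope with them.
EXTENSION_LIST_TEXT = (
    '“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.backup”, '
    '“.bkf”, “.bkp”, “.gho”, “.iso”, “.pem”, “.pfx”, “.key”, “.kdb”, “.kdbx”, '
    '“.crt”, “.csr”, “.pdf”, “.doc”, “.docx”, “.xlsx”, “.txt”, “.jpg”, “.png”, '
    '“.zip”, “.7z”, “.rar”, “.sql”, “.sqlite”, “.mdf”, “.csv”'
)

# Suffix the cryptor appends to encrypted files (assumed appended, not replaced).
ENCRYPTED_SUFFIX = ".neitrino"

# Buckets used only for reporting: backup/disk-image formats and key material,
# both drawn from the article's list.
BACKUP_EXTS = {".tib", ".tbk", ".bak", ".bac", ".backup", ".bkf", ".bkp", ".gho", ".iso"}
KEY_MATERIAL_EXTS = {".pem", ".pfx", ".key", ".kdb", ".kdbx", ".crt", ".csr"}


def parse_extension_list(text):
    """Return every quoted ".ext" token in the list as a lower-case set.
    Accepts curly or straight quotes, so the text can be pasted from the page."""
    return {m.lower() for m in re.findall(r'[“"](\.[A-Za-z0-9]+)[”"]', text)}


TARGET_EXTS = parse_extension_list(EXTENSION_LIST_TEXT)


def original_name(path):
    """If path carries the cryptor's suffix, return the pre-encryption path
    (report.docx.neitrino -> report.docx); otherwise return None."""
    name = path.name
    if name.lower().endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return path.with_name(name[: -len(ENCRYPTED_SUFFIX)])
    return None


def scan_tree(root):
    """Walk root and split regular files into (already encrypted, still at risk)."""
    encrypted, at_risk = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if original_name(path) is not None:
            encrypted.append(path)
        elif path.suffix.lower() in TARGET_EXTS:
            at_risk.append(path)
    return encrypted, at_risk


def summarize(at_risk):
    """Bucket at-risk files so responders isolate backups and keys first."""
    buckets = {"backups": [], "key_material": [], "other": []}
    for path in at_risk:
        ext = path.suffix.lower()
        if ext in BACKUP_EXTS:
            buckets["backups"].append(path)
        elif ext in KEY_MATERIAL_EXTS:
            buckets["key_material"].append(path)
        else:
            buckets["other"].append(path)
    return buckets


def build_sample_tree():
    """Constructed sample: a user profile caught partway through encryption."""
    root = Path(tempfile.mkdtemp(prefix="rakhni_triage_"))
    for rel in (
        "Documents/report.docx.neitrino",   # already encrypted
        "Documents/notes.txt",              # target extension, not yet touched
        "Documents/archive.zip",
        "Backups/laptop.tib",               # disk image reachable from the host
        "Backups/old.bak.neitrino",         # backup already encrypted
        "Pictures/cat.jpg",
        "Keys/id.pem",
        ".secrets/vault.kdbx",
        "bin/tool.exe",                     # .exe is not on the target list
    ):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    done, pending = scan_tree(sample_root)
    print(f"encrypted: {len(done)}, at risk: {len(pending)}")
    for bucket, paths in summarize(pending).items():
        print(bucket, [p.relative_to(sample_root).as_posix() for p in paths])
```

Run it against a mounted image or a copied user profile instead of the constructed tree by passing that path to scan_tree(); the backup bucket tells you immediately whether the copies you were counting on were within the cryptor's reach.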

“Next, the miner branch works by generating a VBS script that will be launched after an OS reboot. The script has the name Check_Updates.vbs. This script contains two commands for mining:”

  • the first command will start a process to mine the cryptocurrency Monero;
  • the second command will start a process to mine the cryptocurrency Monero Original.
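To show what a responder can pull out of such a startup script, here is an added example (not the article's or Kaspersky's code) that extracts every command a VBS script launches through WScript.Shell's Run method, records whether the window style hides it, and flags command lines that look like stratum-pool CPU miners. SAMPLE_VBS is constructed for this example and is not the real Check_Updates.vbs; the paths, pool hosts and wallet strings in it are placeholders, and the miner option spellings are the common ones, not taken from the article.

```python
"""Startup-script inspection for a miner-dropping persistence stage: added
example, not the article's or Kaspersky's code. SAMPLE_VBS is constructed
for this example and is not the real Check_Updates.vbs; the pool hosts and
wallet strings in it are placeholders."""
import re

# Constructed stand-in for a VBS startup script with two Run calls, one per
# currency, as the article describes. Paths, hosts and wallets are invented.
SAMPLE_VBS = r'''
' constructed sample, not the real script
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\victim\AppData\Local\Temp\svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER_1 -p x", 0, False
WshShell.Run "C:\Users\victim\AppData\Local\Temp\taskhost.exe --url stratum+tcp://xmo-pool.example.invalid:4444 --user WALLET_PLACEHOLDER_2 --donate-level 1", 0, False
WshShell.Run "notepad.exe", 1, False
'''

# Matches obj.Run "<cmd>"[, <window style>, ...] in either call syntax;
# VBS doubles a quote to embed it, hence the (?:[^"]|"")* string body.
RUN_RE = re.compile(r'\.Run\s*\(?\s*"((?:[^"]|"")*)"\s*(?:,\s*(\d+))?', re.IGNORECASE)


def strip_comments(vbs_text):
    """Drop whole-line VBS comments so a commented-out Run is not reported."""
    return "\n".join(l for l in vbs_text.splitlines() if not l.lstrip().startswith("'"))


def extract_run_commands(vbs_text):
    """Return each launched command with whether its window style is 0 (hidden)."""
    commands = []
    for m in RUN_RE.finditer(strip_comments(vbs_text)):
        commands.append({
            "command": m.group(1).replace('""', '"'),
            "hidden_window": m.group(2) == "0",
        })
    return commands


def miner_indicators(cmd):
    """Heuristic markers of a CPU-miner command line. The indicator names are
    this example's own; the option spellings are those common stratum miners
    accept, not something the article states."""
    low = cmd.lower()
    hits = []
    if "stratum+" in low:
        hits.append("stratum pool URL")
    if re.search(r"(?:^|\s)(?:-o|--url)[\s=]", low):
        hits.append("pool option")
    if re.search(r"(?:^|\s)(?:-u|--user)[\s=]", low):
        hits.append("wallet/user option")
    if "--donate-level" in low:
        hits.append("donate-level option")
    if "monero" in low or "xmr" in low:
        hits.append("monero reference")
    if re.search(r"\\appdata\\local\\temp\\", low):
        hits.append("runs from %TEMP%")
    return hits


def is_miner_like(cmd):
    """A stratum URL alone is decisive; otherwise require two weaker markers."""
    hits = miner_indicators(cmd)
    return "stratum pool URL" in hits or len(hits) >= 2


def analyse_startup_script(vbs_text):
    """Annotate every Run command with its indicators and a verdict."""
    report = []
    for entry in extract_run_commands(vbs_text):
        hits = miner_indicators(entry["command"])
        report.append({**entry, "indicators": hits,
                       "miner_like": is_miner_like(entry["command"])})
    return report


if __name__ == "__main__":
    for item in analyse_startup_script(SAMPLE_VBS):
        flag = "MINER" if item["miner_like"] else "ok   "
        window = "hidden" if item["hidden_window"] else "shown "
        print(flag, window, item["command"][:70])
```

The same functions work on any .vbs collected from a Startup folder or referenced from a Run key; a hidden-window launch of an executable under %TEMP% is worth a closer look even when none of the miner markers fire.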


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
