Sunday, September 8, 2024

Hackers Distributing Malicious PDF That Performs Both Ransomware and Crypto-Mining Attacks


A newly discovered malicious PDF sample distributes the Rakhni ransomware family, and the attackers have now added crypto-mining capabilities so that the malware performs either operation depending on the power of the targeted system.

The Rakhni ransomware family has been active since 2013, and the malware authors have now added new features, including mining capabilities.

This multi-purpose malware continues to target Russia (95.57%) and other Asia-Pacific region countries including Kazakhstan, Ukraine, Germany, and India.


The malware authors changed many features in the newly evolved version, such as the method of obtaining the Trojan key, the algorithm, the crypto-libraries, and the distribution method.

Malware Infection Process

Attackers mainly distribute this malware through spam email campaigns that contain an attached document.

Once the victim opens the attachment, it prompts them to enable editing and save the document.

The attached Word document contains an embedded PDF file; once the victim double-clicks the file, it launches a malicious executable.

It then drops a downloader written in Delphi, and all strings inside the malware are encrypted.

After execution, it displays a fake message box with an error text that explains why the PDF did not open after the double-click.

The attacker also creates a fake digital signature that uses the name Adobe Systems Incorporated, and the downloader sends an HTTP request to Adobe Systems before installing the payload.

Once the message box is closed, it performs various checks on the infected machine, such as running processes, computer name, virtual machine checks, registry values, and other process checks.

If any one of the checks fails, the downloader ends its own process and stops any other malicious processes.

According to Kaspersky, “The downloader installs a root certificate that’s stored in its resources. All downloaded malicious executables are signed with this certificate. We have found fake certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated.”

Before installing the certificate, the downloader drops the necessary files from its resources to the %TEMP% directory.

Malware Decision Making

Based on the presence of the %AppData%\Bitcoin folder, the malware decides whether to download the cryptor or the miner.

If the folder exists, the downloader downloads the cryptor; otherwise, the miner is downloaded, based on a check for two logical processors.

The cryptor encrypts the victim’s files using the crypto module dropped by the downloader.

The cryptor only starts working if the system has been idle for at least two minutes. Before encrypting files, the cryptor terminates many processes on the infected system.

Finally, it encrypts files with the following extensions and changes their extension to .neitrino:

“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”, “.ashbak”, “.backup”, “.bck”, “.bdb”, “.bk1”, “.bkc”, “.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”, “.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”, “.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”, “.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”, “.p7c”, “.pem”, “.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”, “.pdf”, “.doc”, “.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”, “.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”, “.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”, “.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”, “.pab”, “.oab”, “.psd”, “.psb”, “.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”, “.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”, “.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”, “.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”, “.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”, “.end”, “.eog”, “.erb”, “.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”, “.repx”, “.oxps”, “.dot”.

Files are encrypted using an RSA-1024 encryption algorithm. The information necessary to decrypt the files is sent to the attacker by email.

“Next, the miner branch works by generating a VBS script that will be launched after an OS reboot. The script has the name Check_Updates.vbs. This script contains two commands for mining:”

  • the first command will start a process to mine the cryptocurrency Monero;
  • the second command will start a process to mine the cryptocurrency Monero Original.
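
For defenders, the two file-system artefacts named above (the .neitrino extension and the Check_Updates.vbs script) can be turned into a simple detection over file-creation telemetry. The following is an added example, not code from Kaspersky or from this article; the JSON event schema, the sample events, the file paths and the burst thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Indicators taken from the article text.
CRYPTOR_EXT = ".neitrino"
MINER_SCRIPT = "check_updates.vbs"
# Assumed tuning values (not from the article): N encrypted files per window.
BURST_COUNT = 3
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample events in a hypothetical JSON-lines schema (ts, host, path),
# ordered by time as a log collector would deliver them.
SAMPLE_EVENTS = r"""
{"ts": "2018-07-05T10:00:01", "host": "ws-01", "path": "C:\\Users\\a\\Documents\\q1.neitrino"}
{"ts": "2018-07-05T10:00:05", "host": "ws-01", "path": "C:\\Users\\a\\Documents\\notes.neitrino"}
{"ts": "2018-07-05T10:00:07", "host": "ws-03", "path": "C:\\Users\\c\\Desktop\\old.neitrino"}
{"ts": "2018-07-05T10:00:09", "host": "ws-01", "path": "C:\\Users\\a\\Documents\\plan.neitrino"}
{"ts": "2018-07-05T10:02:00", "host": "ws-02", "path": "C:\\Users\\b\\Example\\Check_Updates.vbs"}
{"ts": "2018-07-05T10:15:00", "host": "ws-03", "path": "C:\\Users\\c\\Desktop\\pic.neitrino"}
{"ts": "2018-07-05T10:16:00", "host": "ws-02", "path": "C:\\Users\\b\\Documents\\report.pdf"}
"""

def detect(lines):
    """Return (host, rule, detail) alerts for time-ordered file-creation events."""
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of recent .neitrino files
    bursting = set()             # hosts that already raised a burst alert
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        path = PureWindowsPath(ev["path"])
        # Rule 1: the miner's script, matched by file name only (case-insensitive).
        if path.name.lower() == MINER_SCRIPT:
            alerts.append((host, "miner_vbs_created", str(path)))
        # Rule 2: several .neitrino files on one host inside a sliding window.
        if path.suffix.lower() == CRYPTOR_EXT:
            window = recent[host]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()  # drop events older than the window
            if len(window) >= BURST_COUNT and host not in bursting:
                bursting.add(host)
                secs = int(BURST_WINDOW.total_seconds())
                alerts.append((host, "neitrino_rename_burst", f"{len(window)} files in {secs}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample data, ws-01 raises the burst alert and ws-02 the script alert, while the two widely spaced .neitrino files on ws-03 stay below the threshold.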


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
