A newly discovered malicious PDF sample distributing Rakhni ransomware family and hackers now added new crypto-mining capabilities to infect victims to perform both operations based on the targeted system power.

Rakhni Ransomware family active since 2013 and malware authors now added some now future with mining capabilities.

This multi-purpose malware maintains targeting Russia(95.57%) and other Asian Pacific region including Kazakhstan, Ukraine, Germany, India.

Malware authors added many futures in newly evolved version such as change the method to get the Trojan key, algorithm, crypto-libraries and distribution method.


Malware Infection Process

Attackers mainly distributing this malware through spam email campaign that contains an attached document.

Once the target victims open the attachment then it promotes to enable editing and save the document.

Attached word document contains embedded PDF file, once victims double click the file then it launches a malicious executable.

Later it drops the downloader that written in Delphi language and all strings inside the malware are encrypted.

After the execution process, it displays the fake message box with an error text which is an explanation for why the PDF is not open after the double click.

Also, the attacker creates a fake digital signature that uses the name Adobe Systems Incorporated and the downloader sends the HTTP request to adobe system before installing the payload.

Once them message box gets closed then it checks the various within the infected machine such as running process, computer name, virtual machine check, registry value and other process checks.

If the any one of the checks fails the downloader will end its own process and stop any other malicious process.

According to  kaspersky,The downloader installs a root certificate that’s stored in its resources. All downloaded malicious executables are signed with this certificate. We have found fake certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated.

Before installing the certificate the downloader drops the necessary files from the resources to the %TEMP% directory.

Malware Decision Taking

Based on the presence of %AppData%\Bitcoin folder, malware will take the decision to download the cryptor or miner.

If the folder exists then downloader will decide to download cryptor else miner will be downloaded based on the two logical processors.

Cryptor process of performing an operation to encrypt the victim’s files using the downloader dropped crypto module.

The cryptor only starts working if the system has been idle for at least two minutes. Before encrypting files, the cryptor terminate the many processes from the infected system.

Finally, it encrypts the following file extension and changes all the file extension as  .neitrino

“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”, “.ashbak”, “.backup”, “.bck”, “.bdb”, “.bk1”, “.bkc”, “.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”, “.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”, “.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”, “.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”, “.p7c”, “.pem”, “.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”, “.pdf”, “.doc”, “.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”, “.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”, “.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”, “.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”, “.pab”, “.oab”, “.psd”, “.psb”, “.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”, “.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”, “.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”, “.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”, “.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”, “.end”, “.eog”, “.erb”, “.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”, “.repx”, “.oxps”, “.dot”.

Files are encrypted using an RSA-1024 encryption algorithm. The information necessary to decrypt the files is sent to the attacker by email.

“Next Miner division will perform by generating a VBS script that will be launched after an OS reboot. The script has the name Check_Updates.vbs. This script contains two commands for mining. “

  • the first command will start a process to mine the cryptocurrency Monero;
  • the second command will start a process to mine the cryptocurrency Monero Original.

Also Read

Satan Ransomware re-emerge & Attack Using EternalBlue Exploit to Compromise Windows PC

New Version of SamSam Ransomware Attack Targeted Victims with Sophisticated Evasion Techniques

Massive Sigma Ransomware Attack From Russia-Based IPs and Lock the Victims Computers

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here