Categories: Ransomware

Hackers Distributing Malicious PDF that Perform both Ransomware and Crypto-Mining Attack

A newly discovered malicious PDF sample distributing Rakhni ransomware family and hackers now added new crypto-mining capabilities to infect victims to perform both operations based on the targeted system power.

Rakhni Ransomware family active since 2013 and malware authors now added some now future with mining capabilities.

This multi-purpose malware maintains targeting Russia(95.57%) and other Asian Pacific region including Kazakhstan, Ukraine, Germany, India.

Malware authors added many futures in newly evolved version such as change the method to get the Trojan key, algorithm, crypto-libraries and distribution method.

Malware Infection Process

Attackers mainly distributing this malware through spam email campaign that contains an attached document.

Once the target victims open the attachment then it promotes to enable editing and save the document.

Attached word document contains embedded PDF file, once victims double click the file then it launches a malicious executable.

Later it drops the downloader that written in Delphi language and all strings inside the malware are encrypted.

After the execution process, it displays the fake message box with an error text which is an explanation for why the PDF is not open after the double click.

Also, the attacker creates a fake digital signature that uses the name Adobe Systems Incorporated and the downloader sends the HTTP request to adobe system before installing the payload.

Once them message box gets closed then it checks the various within the infected machine such as running process, computer name, virtual machine check, registry value and other process checks.

If the any one of the checks fails the downloader will end its own process and stop any other malicious process.

According to  kaspersky,The downloader installs a root certificate that’s stored in its resources. All downloaded malicious executables are signed with this certificate. We have found fake certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated.

Before installing the certificate the downloader drops the necessary files from the resources to the %TEMP% directory.

Malware Decision Taking

Based on the presence of %AppData%\Bitcoin folder, malware will take the decision to download the cryptor or miner.

If the folder exists then downloader will decide to download cryptor else miner will be downloaded based on the two logical processors.

Cryptor process of performing an operation to encrypt the victim’s files using the downloader dropped crypto module.

The cryptor only starts working if the system has been idle for at least two minutes. Before encrypting files, the cryptor terminate the many processes from the infected system.

Finally, it encrypts the following file extension and changes all the file extension as  .neitrino

“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”, “.ashbak”, “.backup”, “.bck”, “.bdb”, “.bk1”, “.bkc”, “.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”, “.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”, “.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”, “.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”, “.p7c”, “.pem”, “.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”, “.pdf”, “.doc”, “.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”, “.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”, “.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”, “.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”, “.pab”, “.oab”, “.psd”, “.psb”, “.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”, “.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”, “.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”, “.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”, “.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”, “.end”, “.eog”, “.erb”, “.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”, “.repx”, “.oxps”, “.dot”.

Files are encrypted using an RSA-1024 encryption algorithm. The information necessary to decrypt the files is sent to the attacker by email.

“Next Miner division will perform by generating a VBS script that will be launched after an OS reboot. The script has the name Check_Updates.vbs. This script contains two commands for mining. “

  • the first command will start a process to mine the cryptocurrency Monero;
  • the second command will start a process to mine the cryptocurrency Monero Original.

Also Read

Satan Ransomware re-emerge & Attack Using EternalBlue Exploit to Compromise Windows PC

New Version of SamSam Ransomware Attack Targeted Victims with Sophisticated Evasion Techniques

Massive Sigma Ransomware Attack From Russia-Based IPs and Lock the Victims Computers

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

2 days ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

2 days ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

2 days ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

2 days ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

3 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

3 days ago