Security researchers have discovered a new piece of malware that infects victims systems with either a cryptocurrency miner or ransomware, depending on which scheme is more profitable for the attackers.

While ransomware is a type of malware that works by locking a victim’s computer and preventing the user from access encrypted data until a ransom payment is made, cryptocurrency miners utilize infected system’s CPU power to mine digital currencies. Ransomware and cryptocurrency mining based attacks are the top threats so far this year and are similar in the sense that they are non-sophisticated, are carried out for money against non-targeted users, and both involve digital currency.

Not all victims of a ransomware attack pay the ransom though. That’s why in recent months, cybercriminals have shifted away from ransomware attacks and are moving towards fraudulent cryptocurrency mining as a method of extracting money using victims’ computers.  

Researchers recently discovered a new variant of the Rakhni ransomware family that includes cryptocurrency mining capabilities. The malware spreads through spear-phishing emails with an MS Word file included in the attachments, promoting the victim to save the document and enable editing if the attachment is opened. The document includes a PDF icon, which if clicked, launches a malicious executable on the victims' computer and promptly displays a fake error message upon execution, misleading victims into thinking that a system file required to open the document is missing.

In the background, the malware performs several anti-VM and anti-sandbox checks to decide which attack vector to deploy. The attacker install ransomware if the target system has a ‘Bitcoin’ folder in the AppData section. Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note through a text file.

The attacker installs the cryptocurrency miner if the ‘Bitcoin’ folder does not exist and the machine has more than two logical processors. If the system gets infected with a cryptocurrency miner, it uses MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background. The malware also uses CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated in an attempt to disguise the miner as a trusted process.

If there’s no ‘Bitcoin’ folder and only one logical processor, the attackers active a worm component that allows the malware to copy itself to all the computers located in the local network using shared resources.

Regardless of which infection is chosen, the malware conducts a check if one of the listed antivirus processes is launched. If not process is found in the system then the malware will run various cmd commands in hopes to disable Windows Defender.

Right now, the malware variant is targeting users primarily in Russia (95.5%), with a very small fraction of attacks spotted in Kazakhstan (1.36%), Ukraine (.57%), Germany (.49%) and India (.41%).

The most obvious way to avoid falling victim to such an attack is to refrain from opening suspicious files and links provided in an email, but humans are naturally curious and often times ignore this rule. For these instances, NNT suggests implementing least-privilege administrative rules, making sure you’re performing regular backups and keeping systems and programs updated. In addition, hardening the workstation environment is a great way to prevent malware activity where possible and put more obstacles in the way when not. This combined with File Integrity Monitoring will provide automated reports to establish where vulnerabilities exist, remediation advice, or even better, Group Policy templates to automatically apply a hardened configuration to workstations and their applications.



The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)

[email protected]

United Kingdom

5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023

 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2023, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.