Security researchers have discovered a new piece of malware that infects victims' systems with either a cryptocurrency miner or ransomware, depending on which scheme is more profitable for the attackers on that particular machine.
Ransomware locks a victim's computer and prevents the user from accessing their encrypted data until a ransom is paid, while cryptocurrency miners use the infected system's CPU to mine digital currency. Ransomware and cryptocurrency-mining attacks have been the top threats so far this year and are similar in that they are unsophisticated, financially motivated, aimed at untargeted users, and both involve digital currency.
Not all victims of a ransomware attack pay the ransom though. That’s why in recent months, cybercriminals have shifted away from ransomware attacks and are moving towards fraudulent cryptocurrency mining as a method of extracting money using victims’ computers.
Researchers recently discovered a new variant of the Rakhni ransomware family that includes cryptocurrency mining capabilities. The malware spreads through spear-phishing emails with an MS Word file attached; when the attachment is opened it prompts the victim to save the document and enable editing. The document contains a PDF icon which, if clicked, launches a malicious executable on the victim's computer. On execution the executable promptly displays a fake error message, misleading the victim into thinking that a system file required to open the document is missing.
In the background, the malware performs several anti-VM and anti-sandbox checks and then decides which payload to deploy. It installs the ransomware if the target system has a ‘Bitcoin’ folder under AppData. Before encrypting files with the RSA-1024 algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note in a text file.
The attacker installs the cryptocurrency miner if the ‘Bitcoin’ folder does not exist and the machine has more than two logical processors. In that case the malware uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) in the background. It also uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated, in an attempt to disguise the miner as a trusted process.
If there is no ‘Bitcoin’ folder and only one logical processor, the malware activates a worm component that copies it to every computer on the local network it can reach through shared resources.
Regardless of which payload is chosen, the malware checks whether any process from its list of antivirus products is running. If none is found, it runs a series of cmd commands in an attempt to disable Windows Defender.
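The decision tree above (Bitcoin folder, logical-processor count, fake root certificates, Defender tampering) is also a useful triage checklist for a responder looking at a suspect Windows host. The PowerShell below is an added example, not code from the original post, from NNT, or from the researchers who analysed the sample. It reports the same conditions the malware keys on, so you know which payload to expect, and then looks for the artifacts the write-up describes. The exact AppData path (Roaming vs. Local), the "Microsoft/Adobe issuer not present in the machine root store" heuristic, and the AppData-process check are assumptions of this script, not published indicators; note too that the write-up says nothing about hosts with exactly two logical processors, so the script reports that case as unspecified rather than guessing.

```powershell
# Added triage script (not from the original post, NNT, or the researchers).
# Run in an elevated PowerShell session on the suspect host.

# 1. Payload selector: 'Bitcoin' folder under AppData and the logical-CPU count.
#    The post only says "AppData", so both Roaming and Local are checked (assumption).
$bitcoinDirs = @(
    (Join-Path $env:APPDATA      'Bitcoin'),
    (Join-Path $env:LOCALAPPDATA 'Bitcoin')
)
$hasBitcoinFolder = @($bitcoinDirs | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0
$logicalCpus      = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors

$expectedPayload =
    if ($hasBitcoinFolder)      { 'ransomware (RSA-1024 file encryptor)' }
    elseif ($logicalCpus -gt 2) { 'MinerGate cryptominer (XMR/XMO/DSH)' }
    elseif ($logicalCpus -eq 1) { 'worm component (copies itself over network shares)' }
    else                        { 'not stated in the write-up for exactly two logical processors' }

# 2. Root certificates whose issuer claims Microsoft or Adobe. Genuine Microsoft roots are in
#    the machine store, and Adobe ships no Windows root CA, so a per-user Root entry claiming
#    either issuer that is NOT also in LocalMachine\Root is worth a look. Heuristic (assumption).
$machineRoots = Get-ChildItem -Path Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
$suspectRoots = Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object { $_.Issuer -match 'Microsoft|Adobe' -and ($machineRoots -notcontains $_.Thumbprint) }

# 3. Windows Defender state (the post says the malware tries to switch it off via cmd).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $defenderState = "AntivirusEnabled=$($mp.AntivirusEnabled); RealTimeProtection=$($mp.RealTimeProtectionEnabled)"
} catch {
    $defenderState = 'Get-MpComputerStatus unavailable (Defender module missing or service disabled)'
}

# 4. Processes running out of the user's AppData whose Authenticode signature does not verify.
#    A miner dropped by a phishing document typically runs from here (assumption, generic check).
$appDataProcs = Get-CimInstance -ClassName Win32_Process |
    Where-Object {
        $_.ExecutablePath -and
        ($_.ExecutablePath -like "$env:APPDATA\*" -or $_.ExecutablePath -like "$env:LOCALAPPDATA\*")
    }
$unsignedAppDataProcs = foreach ($p in $appDataProcs) {
    $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath; Signature = $sig.Status }
    }
}

# 5. Summary for the responder.
[pscustomobject]@{
    BitcoinFolderPresent = $hasBitcoinFolder
    LogicalProcessors    = $logicalCpus
    PayloadPostDescribes = $expectedPayload
    SuspectRootCerts     = @($suspectRoots | ForEach-Object { "$($_.Subject) [$($_.Thumbprint)]" })
    DefenderState        = $defenderState
    UnsignedAppDataProcs = @($unsignedAppDataProcs)
} | Format-List
```

A non-empty SuspectRootCerts list or an AppData process with a signature status other than Valid does not prove this specific family is present, but either is abnormal on a managed workstation and is exactly the kind of change a file-integrity or configuration baseline should surface.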
Right now, the malware variant is targeting users primarily in Russia (95.5%), with a very small fraction of attacks spotted in Kazakhstan (1.36%), Ukraine (.57%), Germany (.49%) and India (.41%).
The most obvious way to avoid falling victim to such an attack is to refrain from opening suspicious files and links received by email, but humans are naturally curious and oftentimes ignore this rule. For those instances, NNT suggests implementing least-privilege administrative rules, making sure you are performing regular backups, and keeping systems and programs updated. In addition, hardening the workstation environment is a great way to prevent malware activity where possible and to put more obstacles in its way where not. Combined with File Integrity Monitoring, this provides automated reports that establish where vulnerabilities exist, remediation advice, or even better, Group Policy templates that automatically apply a hardened configuration to workstations and their applications.