UPDATE : January 12, 2026 - 23:01 am
5.3 C
Napoli

New Virus Alert From The Net: Here Are The Files That 'Suck' Bitcoins


New virus alert. Like genetics, computing also mutates and evolves its capabilities. In this case, fraudulent capabilities. A new variant of the Rakhni ransomware (full name 'Trojan-Ransom.Win32.Rakhni') – known since 2013 – has been identified by Kaspersky Lab researchers, who warn about its new functionality: cryptocurrency mining. That is, the malware decides, based on the characteristics of the affected PC, "whether to activate the file encryption feature, typical of ransomware (viruses that then demand a ransom to be deactivated, ed.) or the one for mining various types of cryptocurrencies." Essentially, whether to steal any Bitcoins present on the computer.
This malware, warn the experts of the CERT (Computer Emergency Response Team), “is distributed mainly through spam email campaigns with malicious attachments”, “mostly in Russian” and with “an attached Microsoft Word file (.docx extension) which in turn contains what appears to be an embedded PDF document. If the victim carelessly double-clicks on the document icon”, the alert continues, “instead of opening a PDF file, it launches a malicious executable disguised as an Adobe product with the aim of tricking the user into granting permission for its execution”.
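The delivery trick described above, an executable embedded in a .docx and dressed up as a PDF, can be triaged without opening the document: a DOCX is a ZIP archive, and embedded OLE objects sit under word/embeddings/ as compound-file blobs, so a Windows executable hidden there carries PE header markers in the clear. The following is an added example written for this article, not code from Kaspersky or the CERT; the sample document and the fake payload bytes are constructed, and the check is a heuristic rather than a full OLE parser.

```python
"""Heuristic triage of a .docx for embedded executables posing as documents.

Constructed example: DOCX is a ZIP archive; OLE objects embedded in it are
stored under word/embeddings/ as compound-file (.bin) blobs. A "PDF" that is
really a Windows executable carries a PE header inside that blob.
"""
import io
import zipfile

# Markers of a Windows PE image: DOS header, standard DOS stub text, PE signature.
PE_MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00")


def scan_docx_embeddings(docx_bytes: bytes) -> list:
    """Return (part name, verdict) for each embedded object in the document.

    verdict is "pe_executable" when the raw OLE blob carries all PE markers,
    otherwise "other". The archive is only read, nothing in it is executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            blob = zf.read(name)
            is_pe = all(marker in blob for marker in PE_MARKERS)
            findings.append((name, "pe_executable" if is_pe else "other"))
    return findings


def build_sample_docx(embedded: bytes) -> bytes:
    """Construct a minimal DOCX-shaped ZIP with one embedded OLE object (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


# Constructed stand-ins for the embedded object: a fake PE image behind a
# compound-file magic number, and a benign PDF fragment for comparison.
FAKE_PE = (b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + b"MZ" + b"\x90" * 60
           + b"This program cannot be run in DOS mode" + b"\x00" * 10 + b"PE\x00\x00")
REAL_PDF = b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + b"%PDF-1.4\n%...\n%%EOF"


def triage(embedded: bytes) -> str:
    """Verdict for a document carrying exactly one embedded object."""
    return scan_docx_embeddings(build_sample_docx(embedded))[0][1]


if __name__ == "__main__":
    print(triage(FAKE_PE))   # pe_executable
    print(triage(REAL_PDF))  # other
```

Running the same scanner over a real attachment only needs the file's bytes passed to scan_docx_embeddings; an "other" verdict does not prove the object is harmless, only that no PE image was found in the clear.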


WHERE – According to Kaspersky, the most affected country is Russia (95.57%), “followed by Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%) and India (0.41%). Other European countries, including Italy, are involved to an even lesser extent”.

HOW – “The Trojan decides whether to download the ransomware or the miner depending on whether the %AppData%\Bitcoin folder is present on the system or not”. If it exists, “the encryption module is downloaded. If the folder does not exist and the machine is equipped with a processor with at least two logical cores, the mining module is downloaded”. If neither of the two circumstances occurs, “the worm functionality is activated: the Trojan attempts to copy itself to all accessible computers on the local network with the shared Users directory”.

ANTIVIRUS – After “checking for the presence of running processes related to antivirus products”, if no antivirus is found on the system, “the Trojan executes a series of commands to disable Windows Defender”. These commands also “send emails to an address encoded within them. These messages contain various statistics on the infection and a series of information including: computer name; IP address of the victim; path of the malware on the system; current date and time; date of creation of the malware”. In any case, the experts point out, “the ability of the most popular antiviruses to detect this variant of Rakhni is very high”.


EDITORIAL TEAM