Adapting To The Times: Malware Decides Infection, Profitability With Ransomware or Coinminer

Security researchers discovered a new feature of the Rakhni trojan (Detection name: TROJ_RAKHNI.F) that decides to install either a ransomware or cryptocurrency miners on an infected system depending on its configurations. It spreads via phishing, and infections have been observed in Russia, Kazakhstan, Ukraine, Germany, and India.

[Blog: Cryptocurrency-Mining Malware: 2018’s new menace?]

Known to have been around since 2013, Rakhni’s evolved form is delivered via email with an attached Word document and embedded PDF that the user is prompted to open for editing. Opening the .DOCX file runs the macros that infect the system and scans the computer, checking the environment for specific database substrings, registries, and antivirus and sandboxing processes. The Delphi-written executable then displays an error box explaining why the PDF failed to open. The authors disguised the malicious payload to look like legitimate products, with fake digital signatures of Adobe Systems Incorporated and Microsoft Corporation; it even sends an HTTP request to

[Read: Security 101: The impact of cryptocurrency-mining malware]

If the system has a cryptocurrency wallet installed, the malware infects the system with ransomware (Detection name: RANSOM_RAKHNI.A). However, if it does not find a wallet and detects that the system has more than two processors, it downloads a miner (Detection name: Coinminer_MALBTC.D-WIN32) and remotely exploits the systems’ resources. It uses Minergate and installs fake root certificates to mine for Monero, Monero Original or Dashcoin cryptocurrencies. The user will observe a noticeable slowdown as Rakhni terminates processes of known applications. The researchers also observed a worm component that allows it to copy itself to all computers found in the local network, as well as the ability to disable Windows Defender if the systems scan shows no antivirus installed and simultaneously infect the entire system with spyware.

[Read: Best Practices: Identifying and Mitigating Phishing Attacks]

The feature could be a way to maximize profits from victims, since not all ransomware victims pay the ransom after encryption. The presence of a bitcoin wallet could signify that the user is capable of paying the ransom and that the system holds valuable information that can be held hostage.

[Read: Arm your users with knowledge to spot phishing attacks – for free!]

People are still the most vulnerable links in protecting enterprise assets, and the need to be aware of cybercriminals’ techniques have become even more pressing. Make sure your systems are protected from this threat with these recommendations:

  • Beware of suspicious emails and attachments with sudden requests for personal information, urgency, and redundant requests pertaining to supplier, financial, administrative, HR and C-level functions. Directly contact the source via known channels, instead of directly clicking on the embedded links.
  • Update your devices with the latest patches from legitimate vendors.
  • Enable the systems’ firewall and keep your antivirus running to detect and prevent intrusion attempts.

Trend Micro™ Smart Protection Network™ features Endpoint Security for the broadest range of defense against the changing, advanced threat landscape. Trend Micro™ OfficeScan™ infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint. It constantly learns, adapts, and automatically shares threat intelligence across your environment. All of this modern threat security technology is made simple for your organization with central visibility, management, and reporting.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.