steven36 Posted July 5, 2018

Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations, to decide which of the two schemes could be more profitable.

While ransomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption key required to decrypt your files, cryptocurrency miners utilize infected systems' CPU power to mine digital currencies.

Both ransomware and cryptocurrency mining-based attacks have been the top threats so far this year and share many similarities, such as both being non-sophisticated attacks, carried out for money against non-targeted users, and involving digital currency.

However, since locking a computer for ransom doesn't always guarantee a payback in case victims have nothing essential to lose, in past months cybercriminals have shifted more towards fraudulent cryptocurrency mining as a method of extracting money using victims' computers.

Researchers at Russian security firm Kaspersky Labs have discovered a new variant of the Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.

Written in the Delphi programming language, the Rakhni malware is being spread using spear-phishing emails with an MS Word file in the attachment, which, if opened, prompts the victim to save the document and enable editing.

The document includes a PDF icon, which, if clicked, launches a malicious executable on the victim's computer and immediately displays a fake error message box upon execution, tricking victims into thinking that a system file required to open the document is missing.

How Malware Decides What To Do

However, in the background, the malware then performs many anti-VM and anti-sandbox checks to decide if it could infect the system without being caught.
If all conditions are met, the malware then performs more checks to decide the final infection payload, i.e., ransomware or miner.

1.) Installs Ransomware—if the target system has a 'Bitcoin' folder in the AppData section. Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note via a text file.

2.) Installs cryptocurrency miner—if the 'Bitcoin' folder doesn't exist and the machine has more than two logical processors. If the system gets infected with a cryptocurrency miner, it uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background. Besides this, the malware uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated in an attempt to disguise the miner as a trusted process.

3.) Activates worm component—if there's no 'Bitcoin' folder and just one logical processor. This component helps the malware to copy itself to all the computers located in the local network using shared resources.

"For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user," the researchers note.

Regardless of which infection is chosen, the malware performs a check if one of the listed antivirus processes is launched. If no AV process is found in the system, the malware will run several cmd commands in an attempt to disable Windows Defender.

What's more? There's A Spyware Feature As Well

"Another interesting fact is that the malware also has some spyware functionality – its messages include a list of running processes and an attachment with a screenshot," the researchers say.
This malware variant is targeting users primarily in Russia (95.5%), while a small number of infections have been noticed in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.

The best way to prevent yourself from being a victim of such attacks in the first place is never to open suspicious files and links provided in an email. Also, always keep a good backup routine and updated anti-virus software in place.

Source
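Read from the defender's side, the write-up above names three host behaviours that are observable independently of the payload chosen: CertMgr.exe adding a certificate to a root store, an executable landing in a user's Startup folder via a shared Users folder, and cmd.exe being used against Windows Defender. The script below is an added example of triaging endpoint telemetry for exactly those three behaviours; it is my own code, not code from the article, from Kaspersky's report or from the forum poster. The event records, host names and file names are constructed for the demonstration, the certmgr switch form (-add ... root) is assumed from the tool's documented usage, and the allow-list of legitimate Startup writers is an assumption to tune per environment.

```python
"""Triage endpoint telemetry for the three behaviours the article attributes
to this Rakhni variant. Added example: event records, host names and the
Startup-writer allow-list are constructed/assumed, not taken from the page."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Per-user Startup folder path quoted in the article, followed by an executable.
STARTUP_DROP = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    r"[^\\]+\.(?:exe|scr|bat|cmd|vbs|js)$",
    re.IGNORECASE,
)

# Processes allowed to create Startup entries (assumption for this example).
STARTUP_WRITERS_ALLOWED = {"explorer.exe", "msiexec.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_root_cert_install(ev: dict) -> Optional[Finding]:
    """certmgr.exe invoked to add a certificate to a ROOT store."""
    if ev["type"] != "process" or basename(ev["image"]) != "certmgr.exe":
        return None
    args = ev["cmdline"].lower().split()
    if ("-add" in args or "/add" in args) and "root" in args:
        return Finding("fake_root_cert", ev["host"], ev["cmdline"])
    return None


def rule_startup_drop(ev: dict) -> Optional[Finding]:
    """Executable written into a Startup folder by a non-allow-listed writer.
    A copy arriving over an SMB share is logged with System as the writer."""
    if ev["type"] != "file_write" or not STARTUP_DROP.search(ev["target"]):
        return None
    if basename(ev["writer"]) in STARTUP_WRITERS_ALLOWED:
        return None
    return Finding("startup_drop", ev["host"], f"{ev['writer']} -> {ev['target']}")


def rule_defender_tamper(ev: dict) -> Optional[Finding]:
    """cmd.exe command line that references the Windows Defender service."""
    if ev["type"] != "process" or basename(ev["image"]) != "cmd.exe":
        return None
    cl = ev["cmdline"].lower()
    if "windefend" in cl or "windows defender" in cl:
        return Finding("defender_tamper", ev["host"],
                       f"parent={ev['parent']} cmd={ev['cmdline']}")
    return None


RULES: List[Callable[[dict], Optional[Finding]]] = [
    rule_root_cert_install, rule_startup_drop, rule_defender_tamper,
]


def triage(events: List[dict]) -> List[Finding]:
    """Run every rule over every event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def hosts_by_rule_coverage(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Distinct rule names per host: several different behaviours on one
    host is a stronger signal than any single hit."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return out


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-ALICE",
     "image": r"C:\Users\alice\AppData\Local\Temp\certmgr.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\document.exe",
     "cmdline": r"certmgr.exe -add -c C:\Users\alice\AppData\Local\Temp\ms.cer -s -r localMachine root"},
    {"type": "process", "host": "WS-ALICE",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\document.exe",
     "cmdline": r"cmd.exe /c sc config WinDefend start= disabled"},
    {"type": "file_write", "host": "WS-BOB", "writer": "System",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"type": "file_write", "host": "WS-BOB", "writer": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"type": "process", "host": "WS-CAROL",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe --type=renderer"},
]


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print(hosts_by_rule_coverage(results))
```

On the constructed sample, WS-ALICE trips two independent rules (certificate install plus Defender tampering from the same parent process) and WS-BOB trips the Startup drop from a System writer, while the explorer.exe shortcut and the browser process produce nothing. Grouping findings per host is what turns three low-cost rules into a usable alert: a single hit is worth a look, two different behaviours on one machine matches the infection chain described above.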
mclaren85 Posted July 5, 2018

Can all antiviruses catch this mining thing?
steven36 Posted July 5, 2018

16 minutes ago, mclaren85 said:
Can all antiviruses catch this mining thing?

Most can find them and get rid of it as soon as they have the signatures, but I would not put much faith in Malwarebytes to remove them, because I found a miner in the wild last week that poses as TrustedInstaller and Malwarebytes didn't even have the signature yet, and most all of the better antivirus did. If it was to install ransomware on your computer, the best thing is to have a backup of all your data. I back up my stuff once a day to an external hard drive and then I unplug it. But I'm not stupid enough to take the bait for this kind of malware, no way; I don't use Office at home and I don't click on Word documents from unknown sources no matter what. Classic bait and switch: the most common way for many years now is to give you something related to using Office, and common sense goes much further with these kinds of infections than having to reformat or something.
Archanus Posted July 5, 2018

1 minute ago, steven36 said:
Most can find them and get rid of it as soon as they have the signatures, but I would put much faith in Malwarebytes to remove them, because I found a miner in the wild last week that poses as TrustedInstaller and Malwarebytes didn't even have the signature yet, and most all of the better antivirus did. If it was to install ransomware on your computer, the best thing is to have a backup of all your data. I back my stuff up once a day to an external hard drive and then I unplug it. But I'm not stupid enough to take the bait for this kind of malware, no way; I don't use Office at home and I don't click Word documents from unknown sources no matter what. Classic bait and switch: the most common way for many years now is to give you something related to using Office, and common sense goes much further with these kinds of infections than having to reformat or something.

Not all the antiviruses have the Zero-Day Exploit Detection; for that reason they cannot always stop them. Only have good luck.
steven36 Posted July 5, 2018

Just now, Archanus said:
Not all the antiviruses have the Zero-Day Exploit Detection; for that reason they cannot always stop them. Only have good luck.

Once it's posted in the news it's no longer a zero-day, and if you don't want to get infected by a zero-day you must use lots of common sense and pray they're not exploiting an app you use.
Archanus Posted July 5, 2018

1 minute ago, steven36 said:
Once it's posted in the news it's no longer a zero-day, and if you don't want to get infected by a zero-day you must use lots of common sense and pray they're not exploiting an app you use.

Exactly bro!! Common sense is our ally, and also praying to be protected... But users like "grandmothers/grandfathers" maybe can get trapped by those viruses.
steven36 Posted July 5, 2018

9 minutes ago, Archanus said:
Exactly bro!! Common sense is our ally, and also praying to be protected... But users like "grandmothers/grandfathers" maybe can get trapped by those viruses.

No antivirus can detect a zero-day; it's unknown to everyone but the malware writer. And there are many non-zero-days that are just as dangerous, because software vendors may know about them for 90 days before they even fix them and the info gets posted. Sometimes they have gone a year with them knowing about them without them being patched. Till Microsoft patches this virus in Windows it's very dangerous, because it may disable Windows Defender, so if you're not using some 3rd-party anti-malware program you may just be screwed.