Rakhni Malware Selects Alternate Payload If it Finds Bitcoin Wallets on a Victim Machine

Rakhni is one of the oldest ransomware strains still in circulation, in part because its authors keep updating it. Their latest addition is a cryptocurrency-mining component that is deployed only on selected PCs.

The ransomware has been in the wild since 2013 and has stayed alive by keeping a low profile. Security researchers at Kaspersky Lab have found a new variant that inspects the victim's machine before deciding which payload to fetch from a remote server. If the malware finds a folder named Bitcoin, it runs the ransomware component, which encrypts the private key of the Bitcoin wallet on the victim's PC.

If no Bitcoin folder is found, the malware instead downloads a cryptocurrency miner from the remote server and installs it, so that the infected PC mines for the attackers. Kaspersky's report says the miner mines Monero, Monero Original and Dashcoin.

The new version of Rakhni is being distributed through spam emails, with infections spreading fastest in Russia, Kazakhstan, Ukraine, Germany and India.

The spam email carries a malicious Word DOCX attachment. When the DOCX is opened, it presents a link to what looks like a PDF file; clicking that link executes the malicious payload.
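A "PDF" that executes when clicked is not a PDF. The article does not say how the file is made to run, but a practitioner triaging such attachments should classify them by content rather than by name. The following is an added example (not code from the article or from Kaspersky) that checks the leading bytes of a file against known signatures and flags anything that claims a document extension but is actually a Windows executable. The attachment names and byte strings are constructed for the example; the assumption that the lure is an executable carrying a document-like name is ours, not something the article states.

```python
from pathlib import PurePath

# Leading-byte signatures of the formats this triage cares about.
PDF_MAGIC = b"%PDF-"        # every real PDF begins with this header
PE_MAGIC = b"MZ"            # DOS/PE executable stub
ZIP_MAGIC = b"PK\x03\x04"   # DOCX (and other Office Open XML) is a ZIP container

# Extensions a lure would use to look like a harmless document.
DOCUMENT_SUFFIXES = {".pdf", ".docx", ".doc"}


def classify_by_content(data: bytes) -> str:
    """Classify a byte buffer by its magic bytes, ignoring the file name entirely."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe_executable"
    if data.startswith(ZIP_MAGIC):
        return "zip_container"
    return "unknown"


def claimed_document_suffixes(name: str) -> set:
    """Every document-like extension in the name, so 'invoice.pdf.exe' still yields '.pdf'."""
    return {s.lower() for s in PurePath(name).suffixes} & DOCUMENT_SUFFIXES


def is_disguised_executable(name: str, data: bytes) -> bool:
    """True when the name advertises a document but the bytes are a PE executable."""
    return (classify_by_content(data) == "pe_executable"
            and bool(claimed_document_suffixes(name)))


def triage(attachments: dict) -> list:
    """Return, sorted, the names of attachments whose content contradicts their name."""
    return sorted(name for name, data in attachments.items()
                  if is_disguised_executable(name, data))


# Constructed sample attachments for this example; none of these is real malware.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n",              # genuine PDF
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # double extension
    "report.docx": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 22,      # genuine DOCX (ZIP)
    "scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,                         # executable renamed to .pdf
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(f"{name:18} claims={sorted(claimed_document_suffixes(name))} "
              f"actual={classify_by_content(data)}")
    print("flagged:", triage(SAMPLE_ATTACHMENTS))
```

Run against real mail, the same function would be fed the decoded attachment bytes; the point is that the decision never consults the extension to learn what the file is, only to learn what it pretends to be.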
