Recent findings from security researchers have unveiled a novel malware strain capable of infecting systems with either a cryptocurrency miner or ransomware, depending on configuration settings that dictate the most profitable scheme. This dual-functionality indicates a strategic evolution in cybercriminal tactics, aiming to optimize revenue generation through diverse exploitation methods.

Ransomware operates by locking users out of their data until a ransom is paid for a decryption key, effectively crippling access to essential information. In contrast, cryptocurrency miners harness the processing power of an infected system to generate digital currency. Both types of attacks have emerged as significant cybersecurity threats this year, characterized by relatively unsophisticated methods that target a broad audience indiscriminately while capitalizing on digital currencies.

As the effectiveness of traditional ransomware tactics diminishes—particularly when potential victims lack valuable files for ransom—cybercriminals have increasingly gravitated toward illicit cryptocurrency mining. Security analysts at Kaspersky Labs recently identified an upgraded variant of the Rakhni ransomware family, which has incorporated cryptocurrency mining capabilities.

The Rakhni malware, written in Delphi, propagates via spear-phishing emails containing malicious Microsoft Word attachments. When victims open the document, they are prompted to enable editing; doing so unwittingly activates the malware. The document features a PDF icon that, once clicked, executes a harmful file while simultaneously displaying a deceptive error message to mislead the user.

Operating clandestinely, the malware undergoes a series of anti-virtual machine and anti-sandbox checks to confirm it can infiltrate the system without detection. If conditions are favorable, it proceeds to determine its final payload—either ransomware or a miner—through additional evaluations.

The first scenario activates the ransomware if a ‘Bitcoin’ folder exists in the AppData section. Upon infiltrating the system, the malware encrypts files using RSA-1024 encryption and terminates processes related to widely-used applications before leaving a ransom note.

Conversely, in the absence of the ‘Bitcoin’ folder and with more than two logical processors present, the malware installs a cryptocurrency miner, leveraging the MinerGate utility to mine Monero (XMR), Monero Original (XMO), and Dashcoin (DSH) cryptocurrencies in the background. Additionally, it may install counterfeit root certificates to masquerade as a trusted application.

If the target machine has only one logical processor and no ‘Bitcoin’ directory, the malware activates a worm component, which enables it to propagate across local networks. This feature allows it to replicate itself to all accessible computers using shared resources.

Regardless of the infection type, the malware checks for running antivirus processes. If none are detected, it attempts to disable Windows Defender using a series of command-line operations.
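The two behaviours described so far, an Office document launching a dropped executable and a follow-on process tampering with Windows Defender, are exactly what endpoint process-creation telemetry can catch. The script below is an added example, not code from the original article or from Kaspersky's analysis: it runs two behavioural rules over constructed process-creation events (the JSON field names, modelled on Sysmon Event ID 1, are an assumption), flags an Office process spawning an executable from a user-writable directory, flags a command line that alters Defender settings, and raises the severity when the tampering process descends from an Office-spawned binary. The specific Defender-related command-line patterns are assumptions, since the article does not name the commands the malware runs.

```python
import json
import re

# Constructed sample telemetry: one process-creation event per line, JSON encoded.
# Field names are an assumption modelled on Sysmon Event ID 1; nothing here is
# real telemetry from the Rakhni campaign.
SAMPLE_LOG = r"""
{"ts":"2018-07-05T09:14:02Z","pid":4120,"ppid":812,"image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe","cmdline":"WINWORD.EXE /n C:\\Users\\jdoe\\Downloads\\invoice.docx"}
{"ts":"2018-07-05T09:14:31Z","pid":4388,"ppid":4120,"image":"C:\\Users\\jdoe\\AppData\\Roaming\\scanned_doc.exe","parent_image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","cmdline":"scanned_doc.exe"}
{"ts":"2018-07-05T09:14:35Z","pid":4402,"ppid":4388,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Users\\jdoe\\AppData\\Roaming\\scanned_doc.exe","cmdline":"powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts":"2018-07-05T09:15:10Z","pid":4510,"ppid":812,"image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe notes.txt"}
""".strip()

# Office binaries whose child processes deserve scrutiny.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Directories an ordinary user can write to; a dropped payload usually lives here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)

# Command-line fragments associated with weakening Defender (assumed patterns,
# not taken from the article): the Defender PowerShell cmdlet with any
# -Disable* switch, the policy registry value names, and stopping the service.
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s+-disable\w+"
    r"|disableantispyware"
    r"|disablerealtimemonitoring"
    r"|\bsc(\.exe)?\s+(stop|config)\s+windefend",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestors(pid, by_pid, limit=16):
    """Yield the ancestor events of `pid`, nearest parent first, guarding against
    missing parents and pid reuse cycles."""
    seen = set()
    event = by_pid.get(pid)
    while event is not None and limit > 0 and event["pid"] not in seen:
        seen.add(event["pid"])
        parent = by_pid.get(event["ppid"])
        if parent is None:
            return
        yield parent
        event = parent
        limit -= 1


def detect(events):
    """Apply both rules to every event and return a list of findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # Rule 1: an Office process launched an executable from a user-writable path.
        if basename(e["parent_image"]) in OFFICE_IMAGES and USER_WRITABLE.search(e["image"]):
            findings.append({"pid": e["pid"], "rule": "office_spawned_user_writable_exe",
                             "severity": "medium"})
        # Rule 2: the command line tampers with Defender; escalate when the process
        # descends from something an Office application started.
        if DEFENDER_TAMPER.search(e["cmdline"]):
            from_office = any(basename(a["parent_image"]) in OFFICE_IMAGES
                              for a in ancestors(e["pid"], by_pid))
            findings.append({"pid": e["pid"], "rule": "defender_tamper",
                             "severity": "high" if from_office else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample the dropped `scanned_doc.exe` trips the first rule on its own, and the PowerShell child trips the second at high severity because its lineage runs back to WINWORD.EXE. Either rule alone produces false positives in real environments (Office add-ins spawn helpers, administrators change Defender settings), so the lineage check is what turns two medium-confidence signals into one that is worth paging on.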

Moreover, the malware exhibits spyware functionalities, collecting information on running processes and capturing screenshots. Currently, the primary targets for this malware variant are located predominantly in Russia, with minor infections reported in Kazakhstan, Ukraine, Germany, and India.

To mitigate such threats, users are advised to exercise caution when opening unsolicited files or links in emails. Implementing regular data backups and maintaining updated antivirus solutions are essential practices for safeguarding against potential infections.

The emergence of this bimodal approach to ransomware and cryptocurrency mining illustrates evolving strategies in cybercrime. Understanding the tactics employed—such as initial access, execution, and persistence highlighted by the MITRE ATT&CK framework—can empower organizations to enhance their cybersecurity defenses against these multifaceted attacks.
