New Rakhni ‘malner’ decides whether to encrypt files or secretly mine cryptocurrency

Cybercriminals are known to constantly upgrade their malware with new capabilities and components that help them make money without getting caught. However,malware authors are now creating new super variants of malware that come with multiple malicious functionalities.

Security researchers have discovered one such instance in a new type of malware dubbed “malner” by its developers.

According to security researchers at Kaspersky Lab, malner is likely a combination of the terms malware and miner. The researchers discovered a new malware variant that belongs to Rakhni - malware family that has been active since 2013 and has since undergone several changes.

To encrypt or to mine

According to Kaspersky Lab researchers, the newly discovered Rakhni malware first scans an infected system for the presence of a Bitcoin folder before deciding whether to download a cryptor or a miner.

“If the folder exists, the downloader decides to download the cryptor,” Kaspersky Lab researchers said in a blog. “If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component, which is described below in the corresponding part of the article.”

The cryptor only launches after the system has been idle for at least two minutes and encrypts using an RSA-1024 encryption algorithm.

On the other hand, the miner, after it is downloaded, launches a VBS script to be launched after an OS reboot. The VBS script in turn contains commands, which enable the malware to mine for Monero.

Regardless of whether it downloads a cryptor or a miner, the malware collects a trove of information about the targeted system, including computer name, IP address and more. Rakhni also possess worm capabilities and is able to propagate across all the computers in a targeted network.

“Before shutting down the malware creates a batch file that deletes all ‘temporary’ files created during the infection process. This is a common practice for malware,” the researchers said.

This is yet another way that the malware developers attempted to ensure that the malware is safe from detection.

Rakhni’s evolution and MO

Over the years, Rakhni’s TTPs have significantly evolved. While the trojan keys were previously locally generated, the keys are now received from the C2 server. Similarly, the malware went from using only a symmetric algorithm to using 18 symmetric algorithms simultaneously and using remote execution instead of spam for distribution purposes. The most recent change made the malware is the addition of mining capabilities.

Kaspersky Lab researchers said Russia, Ukraine, Kazakhstan, Germany and India are the top 5 nations targeted by the malware so far. The malware is currently being distributed via spam.

“After opening the email attachment, the victim is prompted to save the document and enable editing.The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable,” researchers said.

The malware authors designed the malware to look similar to Adobe products to hide its malicious activities from the victim. The malware also checks the targeted system’s IP address and whether the system is running any security products from companies such as AHN Labs, FireEye, Fortinet and more.

New cross-breed malware

The newly discovered Rakhni malware also serves as the latest example of cybercriminals updating their malicious creations by combining multiple nefarious capabilities.

Yet another example of such a cross-breed malware is MysteryBot. The Android malware is a triple threat, comprising of keylogger, ransomware and banking trojan features. The emergence of such multipurpose malware strains likely heralds a new era of malware threats.