Kaspersky Lab products have detected new malicious samples related to the infamous Trojan family Trojan-Ransom.Win32.Rakhni. The main feature of the malware is that it can choose how to infect its victims – either with a cryptor or with a miner. According to our researchers, the malware primarily targets companies rather than ordinary users, and is mainly spread throughout Russia (95.57%). It also has a presence in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%). Over the past year alone, more than 8,000 users have been attacked by Trojan-Downloader.Win32.Rakhni Trojans.
The distribution of the malware is implemented through spam emails with document attachments containing a malicious executable. When the file is opened, the malicious executable is launched. It is at this moment that the Trojan decides which payload should be downloaded onto the victim’s PC.
The malware verifies the existence of the “%AppData%\Bitcoin” directory, which can be indicative of the local storage of bitcoin-wallets. This, according to Kaspersky Lab researchers, prompts the assumption that victims will willingly pay to get their files back, so the Trojan encrypts the files with a cryptor. This guarantees the attacker a quick profit. Otherwise, criminals will try to “earn” money from the victim without him or her noticing by running a miner – provided that the PC has sufficient capacity for resource-intensive mining tasks.
It is interesting to note that the Trojan can also decide to ignore the infected machine completely and download neither a cryptor, nor a miner. However, this doesn’t let the victim off the hook, as the network worm functionality will still be launched – i.e. the Trojan will attempt to distribute copies to all available computers on the victim’s local network.
“The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals. They will always try to benefit from their victims: either by directly extorting money (cryptor), by the unauthorized use of user resources for their own needs (miner), or by exploiting the victim in the chain of malware distribution (net-worm),” – says Orkhan Mamedov, Malware Analyst, Kaspersky Lab.
Kaspersky Lab products detect the described malware with the following verdicts: