The notorious Rakhni ransomware has been updated so that it can also infect victims' computers with illicit cryptojacking (mining) malware.
Just last week, Kaspersky Lab products detected new malicious samples related to the infamous Trojan family Trojan-Ransom.Win32.Rakhni. The main feature of the malware is that it can choose how to infect its victims: either with a cryptor or with a miner.
The updated Rakhni version is distributed via spam emails. Infections have been reported in Russia, Kazakhstan, Ukraine, Germany, and India, and the campaign is suspected of using geo-targeting tools for email delivery.
The malware checks whether the “%AppData%\Bitcoin” directory exists, which can indicate that bitcoin wallets are stored locally. According to Kaspersky Lab researchers, this supports the assumption that such victims will willingly pay to get their files back, so the Trojan encrypts the files with a cryptor.
While the exact reasons for this search strategy are unclear, it can be speculated that Bitcoin users keep all Bitcoin-related data in a readily accessible folder, which Rakhni seeks to take advantage of.
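As an added example, not code from the article or from Kaspersky Lab: a small Python hunting heuristic that flags the wallet-directory probe described above in endpoint telemetry. The telemetry record format, the list of attachment-launching parent processes and the sample events are constructed assumptions; on a real estate you would feed it process-creation and file-access events from your EDR or Windows audit logs.

```python
"""
Added example (not from the article or Kaspersky Lab): flag processes that
were launched from an email client or office application and then probed
the local Bitcoin wallet directory, the Rakhni-style decision point.
Record format and sample events are constructed for illustration.
"""
import re

# %AppData% expands to C:\Users\<user>\AppData\Roaming on Windows, so the
# directory the article names is <profile>\AppData\Roaming\Bitcoin.
WALLET_DIR_RE = re.compile(r"\\AppData\\Roaming\\Bitcoin\\?$", re.IGNORECASE)

# Parents that typically launch a spam attachment (assumption; tune to your estate)
ATTACHMENT_PARENTS = {"outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe"}

# Constructed telemetry: (timestamp, event, pid, parent_image, image, path)
SAMPLE_EVENTS = [
    ("10:00:01", "process_create", 4102, "explorer.exe", "chrome.exe", ""),
    ("10:00:05", "process_create", 4120, "outlook.exe", "invoice.pdf.exe", ""),
    ("10:00:06", "file_query", 4120, "", "invoice.pdf.exe",
     r"C:\Users\alice\AppData\Roaming\Bitcoin"),
    ("10:00:09", "file_query", 4102, "", "chrome.exe",
     r"C:\Users\alice\AppData\Roaming\Bitcoin"),
    ("10:00:12", "file_query", 4120, "", "invoice.pdf.exe",
     r"C:\Users\alice\Documents\report.docx"),
]


def find_wallet_probes(events, attachment_parents=ATTACHMENT_PARENTS):
    """Return one alert per file_query that touches the wallet directory and
    comes from a process whose parent is an attachment-launching application."""
    parent_of = {}   # pid -> lower-cased parent image, from process_create
    image_of = {}    # pid -> image name, from process_create
    alerts = []
    for ts, kind, pid, parent, image, path in events:
        if kind == "process_create":
            parent_of[pid] = parent.lower()
            image_of[pid] = image
        elif kind == "file_query" and WALLET_DIR_RE.search(path):
            spawner = parent_of.get(pid, "")
            # Legitimate wallet software also reads this directory, so only
            # the attachment-spawned lineage is reported.
            if spawner in attachment_parents:
                alerts.append({
                    "time": ts,
                    "pid": pid,
                    "image": image_of.get(pid, image),
                    "parent": spawner,
                    "path": path,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_wallet_probes(SAMPLE_EVENTS):
        print(f"[{alert['time']}] pid {alert['pid']} ({alert['image']}, "
              f"parent {alert['parent']}) probed {alert['path']}")
```

The chrome.exe record is deliberately left unflagged: wallet clients and browsers may legitimately enumerate the same directory, so the parent-process context is what separates a Rakhni-style probe from background noise. In production the same correlation would typically be expressed as an EDR or SIEM rule rather than a script.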
Orkhan Mamedov, Malware Analyst at Kaspersky Lab, said:
“The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals. They will always try to benefit from their victims: either by directly extorting money (cryptor), by the unauthorized use of user's resources for their own needs (miner), or by exploiting the victim in the chain of malware distribution (net-worm).”
Rakhni primarily targets companies rather than ordinary users and is mainly spread throughout Russia (95.57%). It also has a presence in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%). Over the past year alone, more than 8,000 users have been attacked by Trojan-Downloader.Win32.Rakhni Trojans.
In related news, the first arrest for cryptojacking has been reported. A man deploying the infamous Coinhive software, a cryptocurrency miner that has gained notoriety in recent times, was arrested in Japan on July 5, 2018, after authorities identified his IP address in connection with several cryptojacking incidents. Police did not reveal details about the crime, such as the nature of the operation or the delivery methods, but stated that he earned a paltry 5,000 yen ($45) for his efforts.