Ransomware or Cryptominer? Rakhni can choose | Summary and Q&A

July 10, 2018
The PC Security Channel
Ransomware or Cryptominer? Rakhni can choose


A new variant of the Rakhni malware has emerged. It infects systems primarily through spam campaigns and chooses between ransomware and crypto mining depending on the infected system.


Key Insights

  • 👶 The new Rakhni variant targets specific countries, with Russia, Kazakhstan, Ukraine, Germany, and India being the most affected.
  • 👤 The malware is distributed through spam campaigns, luring users with fake documents.
  • 🎰 The malware employs extensive anti-virtual machine techniques, making analysis challenging.
  • ⚾ The malware chooses between ransomware and crypto mining based on the system's number of logical processors.
  • ❓ Fake certificates are used by the malware to appear legitimate.
  • ✅ The malware checks for and disables antivirus processes.
  • 📁 The ransomware variant encrypts files and demands payment in Bitcoin.


A new Rakhni variant has surfaced that now chooses whether to mine or to ransom depending on your system. So this is ransomware and cryptominer, two in one, double the trouble. Let's first talk about how this malware is distributed and which countries are affected mostly. This is a really nice in-depth post from Kaspersky; it kind of covers everything. First o...

Questions & Answers

Q: How is the new Rakhni variant distributed, and which countries are most affected?

The malware is distributed through spam campaigns, tricking users into opening fake documents. The countries most affected by the malware are Russia, Kazakhstan, Ukraine, Germany, and India.

Q: How does the malware evade analysis on virtual machines?

The malware has a comprehensive set of checks to detect virtual machines, including process names, machine names, and virtual machine tools. If any of these are found, the malware terminates without deploying the payload.

Q: What does the malware do once it successfully infects a system?

Depending on the system's configuration, the malware decides whether to install a ransomware variant or a crypto miner. It installs a fake certificate and encrypts files in the case of ransomware, or runs as a disguised process for crypto mining.

Q: How does the malware spread to other computers on the network?

The malware has a worm component that allows it to spread to other computers on the local network, increasing its reach and potential for income generation.

Summary & Key Takeaways

  • The new Rakhni variant primarily targets countries like Russia, Kazakhstan, Ukraine, Germany, and India, while the impact on the United States is relatively lower.

  • The malware is distributed through spam campaigns, disguising itself as fake documents and Adobe Reader plugins.

  • The malware has strong anti-virtual machine capabilities, making it difficult for analysis, and it checks for various processes, machine names, and virtual machine tools to avoid execution.
