This dangerous virus decides whether your PC is better suited to mining or to ransomware




A group of security researchers discovered a malware that could be one of the most powerful so far: it is programmed to infect your computer not only with mining malware but also with ransomware, and it chooses between them according to the configuration of your system.

It seems that ransomware alone is no longer profitable enough for the attackers, so they have turned to a more lucrative business, cryptocurrency. This new virus is a variant of Rakhni that merges the ransomware with malicious software for cryptocurrency mining.

The variant of the Rakhni ransomware family was detected by researchers at Kaspersky Labs and is written in Delphi, a programming language created to speed up software development through visual programming.

Rakhni has now spread to a large number of devices through phishing: fake emails carrying an MS Word attachment which, when opened, asks the victim to save the document and enable editing.

The document contains a PDF icon which, when clicked, launches a malicious executable on the victim's computer and immediately displays a pop-up window with a fake runtime error message, leading the victim to believe that a system file needed to open the document is missing.

Its creators clearly left nothing to chance and used several techniques to avoid detection. But the most interesting thing about this malware is the process by which it decides whether the PC is suitable for mining, or whether it simply leaves ransomware behind as a "consolation prize".

How does the malware decide what to do? Before running its payload, the malicious program performs many anti-virtual-machine and anti-sandbox checks, techniques used by attackers to detect and evade the virtual environments used in security analysis.

If all conditions are met, the malware performs further checks to determine the final payload of the infection: ransomware or miner.

Ransomware

If the PC is judged unsuitable for mining, the malware installs the ransomware; the signal it uses is the presence of a 'bitcoin' folder in the AppData directory of the target system.

Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications, then displays a ransom note via a text file.

Miner

The malware analyses your system and installs the miner if the 'bitcoin' folder does not exist and the computer has more than two logical processors. The miner is built with MinerGate and is used to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) in the background.

In addition, the malware uses CertMgr.exe to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated, in order to disguise the miner as a trusted process.
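A fake root certificate that merely carries a big vendor's name is easy to hunt for once the trusted-root store has been exported. The script below is an added example written for this page, not code from the article or from Kaspersky. It assumes the root store has already been dumped into plain records (subject, issuer, SHA-1 thumbprint), and the "known good" thumbprints it compares against are placeholders, not real Microsoft or Adobe values; in practice that allowlist comes from an authoritative inventory of the organisation's trusted roots.

```python
"""Flag root certificates that impersonate the vendors named in the article.

Added example for this page (not the article's or Kaspersky's code).
Assumption: the root store has been exported into RootCert records; the
allowlisted thumbprints below are placeholders, not real vendor roots.
"""
from dataclasses import dataclass

# Vendor names the malware is reported to put on its fake root certificates.
IMPERSONATED_VENDORS = ("microsoft corporation", "adobe systems incorporated")

# Placeholder allowlist (constructed). A real deployment loads the SHA-1
# thumbprints of the genuine vendor roots from an authoritative inventory.
KNOWN_GOOD_THUMBPRINTS = {
    "PLACEHOLDER-MS-ROOT-0001",
    "PLACEHOLDER-ADOBE-ROOT-0001",
}


@dataclass(frozen=True)
class RootCert:
    subject: str
    issuer: str
    thumbprint: str


def is_suspicious_root(cert: RootCert) -> bool:
    """True if the cert names an impersonated vendor but is not an allowlisted root.

    A genuine vendor root is self-signed as well, so self-signedness alone
    proves nothing; the thumbprint allowlist is what separates real from fake.
    """
    subject = cert.subject.lower()
    if not any(vendor in subject for vendor in IMPERSONATED_VENDORS):
        return False
    return cert.thumbprint not in KNOWN_GOOD_THUMBPRINTS


def find_suspicious_roots(certs):
    """Return the subset of certs that is_suspicious_root() flags, in store order."""
    return [c for c in certs if is_suspicious_root(c)]


# Constructed sample store: one allowlisted root per vendor, two fakes that
# carry the vendor name with unknown thumbprints, and an unrelated internal CA.
SAMPLE_STORE = [
    RootCert("O=Microsoft Corporation, CN=Microsoft Root Certificate Authority",
             "O=Microsoft Corporation, CN=Microsoft Root Certificate Authority",
             "PLACEHOLDER-MS-ROOT-0001"),
    RootCert("O=Adobe Systems Incorporated, CN=Adobe Root CA",
             "O=Adobe Systems Incorporated, CN=Adobe Root CA",
             "PLACEHOLDER-ADOBE-ROOT-0001"),
    RootCert("O=Microsoft Corporation, CN=Microsoft Code Signing",
             "O=Microsoft Corporation, CN=Microsoft Code Signing",
             "DEADBEEF0001"),  # fake: vendor name, thumbprint unknown
    RootCert("O=Adobe Systems Incorporated, CN=Adobe Systems",
             "O=Adobe Systems Incorporated, CN=Adobe Systems",
             "DEADBEEF0002"),  # fake: vendor name, thumbprint unknown
    RootCert("O=Example Corp Internal CA, CN=Example Root",
             "O=Example Corp Internal CA, CN=Example Root",
             "PLACEHOLDER-EXAMPLE-ROOT"),  # unrelated internal root, not flagged
]

if __name__ == "__main__":
    for cert in find_suspicious_roots(SAMPLE_STORE):
        print(f"suspicious root: {cert.subject} thumbprint={cert.thumbprint}")
```

Matching on the vendor name rather than on self-signedness is deliberate: every root is self-signed, so the only reliable discriminator is whether the thumbprint is one the organisation already trusts.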

The Trojan component is activated if there is no "Bitcoin" entry and the machine has only one logical processor.

This component helps the malware infect all computers on the local network via shared files: the Trojan checks whether the Users folder is shared and, if so, copies the malware into the AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder of every user profile it can reach.
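The spreading behaviour just described leaves a recognisable trace: the same executable appears in the Startup folder of several user profiles at once, which legitimate software rarely does. The script below is an added example for this page, not code from the article or from Kaspersky. It takes a constructed list of file paths from a snapshot of C:\Users (in practice collected by an EDR agent or a file-system walk) and reports executables that sit in more than one user's Startup folder.

```python
"""Find a binary replicated into several users' Startup folders.

Added example for this page (not the article's or Kaspersky's code).
Assumption: the input is a list of Windows file paths gathered from a host;
the sample paths below are constructed for the demonstration.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Per-user Startup location the article says the malware copies itself into.
STARTUP_SUFFIX = ("AppData", "Roaming", "Microsoft", "Windows",
                  "Start Menu", "Programs", "Startup")
# Extensions treated as directly executable for this hunt.
EXECUTABLE_EXT = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def parse_startup_entry(path: str):
    """Return (user, filename) if path is an executable in a per-user Startup folder, else None."""
    p = PureWindowsPath(path)
    parts = p.parts  # e.g. ('C:\\', 'Users', 'alice', 'AppData', ..., 'svc.exe')
    # Expected layout: drive, 'Users', <user>, the Startup suffix, then the file.
    if len(parts) != 3 + len(STARTUP_SUFFIX) + 1:
        return None
    if parts[1].lower() != "users":
        return None
    if tuple(x.lower() for x in parts[3:-1]) != tuple(x.lower() for x in STARTUP_SUFFIX):
        return None
    if p.suffix.lower() not in EXECUTABLE_EXT:
        return None
    return parts[2], p.name


def find_replicated_startup_binaries(paths, min_users=2):
    """Map filename -> sorted list of users, for files present in >= min_users Startup folders."""
    users_by_name = defaultdict(set)
    for path in paths:
        hit = parse_startup_entry(path)
        if hit is not None:
            user, name = hit
            users_by_name[name.lower()].add(user)
    return {name: sorted(users)
            for name, users in users_by_name.items() if len(users) >= min_users}


# Constructed host snapshot: one dropped binary in three profiles, plus noise.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\carol\Documents\report.docx",
    r"C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tool.exe",
]

if __name__ == "__main__":
    for name, users in find_replicated_startup_binaries(SAMPLE_PATHS).items():
        print(f"{name} present in Startup for users: {', '.join(users)}")
```

The threshold of two users is a starting point; on a shared workstation a single binary in every profile is the pattern worth investigating, while one user's lone Startup entry (dave's tool.exe above) is ordinary and is not reported.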

It should also be noted that the malware uses every technique it can to avoid detection. Regardless of the chosen payload, the malware checks whether any of the antivirus processes on its list is running; if no antivirus process is found on the system, it executes several cmd commands in an attempt to disable Windows Defender.

Without a doubt, this is one of the most complete viruses a victim can face, so avoid opening suspicious files and keep your computer protected with a good antivirus.

This malware variant mainly targets users in Russia (95.5%), while a small number of infections was detected in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%) and India (0.41%).
