Leave No Money on the Table: New Malware Picks Target-Appropriate Payload
A new strain of the Rakhni ransomware family was discovered by Kaspersky Lab and is beginning to make its rounds. In the spirit of “Attacks don’t get worse, they only get better”, this strain contains more advanced features in an effort to not leave any money on the table. In the world of Information Security, the concepts of ransomware, cryptojacking, and wormable attacks are nothing new. However, Rakhni takes advantage of all three and selects the appropriate payload depending on the target.
- Ransomware such as Locky, WannaCry, and Petya encrypts the files on a computer and on all connected drives (often including backup servers), then offers to provide the decryption key in exchange for a payment, often made in Bitcoin.
- Cryptojacking is the act of taking over someone’s device without consent for the purpose of mining cryptocurrency. A few months ago, I wrote an article predicting that 2018 would be the year of cryptojacking. Cryptojacking has two major benefits for the attacker over traditional ransomware: the attack can be monetized both immediately and more reliably than a ransomware infection. Many people infected with ransomware simply forgo their data and never pay the ransom.
- Wormable attacks allow malware to spread through a network without any direct user intervention. The massive outbreak of WannaCry in May 2017, which exploited an already-patched vulnerability in the SMBv1 protocol and infected nearly half a million machines, is perhaps the most notorious use of a wormable attack in recent memory.
This new strain of Rakhni is primarily spread through spearphishing. A carefully crafted e-mail with a weaponized MS Word document prompts the user to download a file that appears to be a PDF document. The fake PDF is actually a malicious executable that launches the first stage of the attack. Rakhni first checks whether it is running in a VM or sandboxed environment, in an effort to conceal itself from forensic security tools. Sandbox evasion techniques and anti-evasion techniques are briefly covered in my article on malware authors’ paranoia. If no VM or forensic tools are detected, the next stage of the attack performs reconnaissance on the target machine to determine the best payload.
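The dropper described above is an executable dressed up as a PDF, and that disguise is detectable before the user ever double-clicks: the file's leading bytes say what it really is, regardless of its name. The following check is an added example written for this article, not code from the article or from Kaspersky; it compares an attachment's claimed extension with its content signature. The `MAGIC` table, the sample attachments and the verdict names are constructed for the example.

```python
from typing import Dict, Optional

# Leading bytes ("magic numbers") for the handful of formats this check
# understands. Assumed list for the example; production scanners cover far more.
MAGIC: Dict[str, bytes] = {
    "pdf": b"%PDF-",
    "exe": b"MZ",                                # PE executable (.exe/.scr/.dll share it)
    "docx": b"PK\x03\x04",                       # OOXML documents are zip containers
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy OLE2 compound file
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def extension_of(filename: str) -> str:
    """Lower-cased final extension; 'invoice.pdf.exe' therefore yields 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, data: bytes) -> Dict[str, Optional[str]]:
    """Compare the claimed extension against the sniffed content.

    Verdicts: 'mismatch' when the content is executable but the name is not
    (the fake-PDF case), or when a recognised document type does not match its
    extension; 'unknown' when the content is not recognised, which is the
    case to hand to a sandbox; 'ok' otherwise.
    """
    claimed = extension_of(filename)
    actual = sniff_type(data)
    if actual is None:
        verdict = "unknown"
    elif actual == "exe" and claimed != "exe":
        verdict = "mismatch"
    elif claimed in MAGIC and actual != claimed:
        verdict = "mismatch"
    else:
        verdict = "ok"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


# Constructed sample attachments (not real malware): only the leading header
# bytes are present, because that is all the check inspects.
SAMPLES: Dict[str, bytes] = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # genuine PDF header
    "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",      # PE header under a .pdf name
    "quote.docx": b"PK\x03\x04\x14\x00\x06\x00",      # genuine OOXML header
    "notes.txt": b"just text\n",                      # unrecognised content
}


def scan_all(samples: Dict[str, bytes] = SAMPLES):
    """Run the check over every sample and return the verdicts in input order."""
    return [check_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan_all():
        print(f"{r['file']:<14} claimed={r['claimed']:<5} "
              f"actual={str(r['actual']):<5} -> {r['verdict']}")
```

The check deliberately flags executable content under any non-executable name rather than only under `.pdf`, since the same trick works with `.doc`, `.jpg` or a double extension; an `unknown` verdict is not a pass but a signal that content-based scanning (the sandbox the article recommends) is needed.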
- If a folder containing a wallet.dat file is detected in a pre-determined location, the malware assumes the machine holds a cryptocurrency wallet and launches a ransomware attack. HODLers of cryptocurrency are much more likely to pay to retrieve their encrypted files, because the value stored in their wallet can often exceed the ransom amount.
- If no wallet.dat file is found but the CPU has more than two logical processors, a cryptocurrency miner is installed and the machine’s resources are used to mine cryptocurrency (Monero or Dash) for the attacker until the user notices the activity and removes the malware. For good measure, the malware also generates fake self-signed certificates that appear to be issued by Microsoft and Adobe, and signs the mining processes with them in an attempt to conceal their true nature.
- If no wallet.dat file is found and the CPU does not have more than two logical processors, the malware attempts to copy itself to other connected machines. It queries the network for any machine with an unprotected C:\Users folder, copies itself into the startup folder of each vulnerable machine it finds, and the process repeats from there.
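Each branch of the selection logic above leaves a defender-visible trace: a process whose signing certificate names Microsoft or Adobe but does not chain to any trusted root, a sustained-CPU process that is not legitimately signed, an executable dropped into a startup folder by a remote SMB session, and a `C:\Users` share writable by everyone. The script below is an added example, not code from the article or from Kaspersky: it runs those four checks over constructed host telemetry and also reports which of the three payloads the article's decision tree would assign to the host, which is useful for prioritising remediation. The telemetry field names, the user name `alice`, the `70%` CPU threshold and the finding names are all assumptions made for the example.

```python
from typing import Any, Dict, List

# Per-user startup folder on Windows; "alice" is a constructed user for the sample.
STARTUP_DIR = ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
               "Start Menu\\Programs\\Startup\\")

# Constructed telemetry for one host (sample data, not a real incident). The
# field names are assumptions about what an EDR or inventory export provides.
HOST: Dict[str, Any] = {
    "hostname": "ws-finance-07",
    "logical_cpus": 4,
    "wallet_dat_present": False,
    "processes": [
        # signer: subject name on the code-signing certificate;
        # chain_trusted: whether that certificate chains to a trusted root;
        # cpu_pct: sustained CPU use over the sampling window.
        {"name": "svchost.exe", "signer": "Microsoft Windows", "chain_trusted": True, "cpu_pct": 2},
        {"name": "updater.exe", "signer": "Microsoft Corporation", "chain_trusted": False, "cpu_pct": 91},
        {"name": "AcroRd32.exe", "signer": "Adobe Inc.", "chain_trusted": True, "cpu_pct": 5},
    ],
    "startup_entries": [
        # written_over_smb: the file was created by a remote SMB session rather
        # than by a local interactive user or installer.
        {"path": STARTUP_DIR + "OneDrive.lnk", "written_over_smb": False},
        {"path": STARTUP_DIR + "photo.exe", "written_over_smb": True},
    ],
    "shares": [
        {"name": "Users", "path": "C:\\Users", "everyone_write": True},
        {"name": "print$", "path": "C:\\Windows\\system32\\spool\\drivers", "everyone_write": False},
    ],
}

# Vendors the article says the fake self-signed certificates impersonate.
IMPERSONATED_VENDORS = ("microsoft", "adobe")


def untrusted_vendor_signatures(processes: List[Dict[str, Any]]) -> List[str]:
    """Processes whose certificate names a major vendor but chains to no trusted root.

    A self-signed certificate can carry any subject it likes; only the chain
    to a trusted root says anything about who actually issued it.
    """
    return [p["name"] for p in processes
            if any(v in p["signer"].lower() for v in IMPERSONATED_VENDORS)
            and not p["chain_trusted"]]


def suspected_miners(processes: List[Dict[str, Any]], cpu_threshold: int = 70) -> List[str]:
    """Sustained high-CPU processes that lack a trusted signature (assumed threshold)."""
    return [p["name"] for p in processes
            if p["cpu_pct"] >= cpu_threshold and not p["chain_trusted"]]


def remote_startup_drops(entries: List[Dict[str, Any]]) -> List[str]:
    """Startup-folder entries that arrived over SMB: the worm branch's persistence."""
    return [e["path"] for e in entries if e["written_over_smb"]]


def exposed_user_shares(shares: List[Dict[str, Any]]) -> List[str]:
    """Shares exposing C:\\Users with write access for everyone: the worm's entry point."""
    return [s["name"] for s in shares
            if s["path"].lower().rstrip("\\") == "c:\\users" and s["everyone_write"]]


def rakhni_branch(host: Dict[str, Any]) -> str:
    """The payload the article's decision tree would select for this host."""
    if host["wallet_dat_present"]:
        return "ransomware"
    if host["logical_cpus"] > 2:
        return "miner"
    return "worm"


def triage(host: Dict[str, Any]) -> Dict[str, Any]:
    """Run every check and return the non-empty findings plus the predicted branch."""
    checks = [
        ("fake_vendor_signature", untrusted_vendor_signatures(host["processes"])),
        ("suspected_miner", suspected_miners(host["processes"])),
        ("remote_startup_drop", remote_startup_drops(host["startup_entries"])),
        ("exposed_users_share", exposed_user_shares(host["shares"])),
    ]
    findings = [{"kind": kind, "items": items} for kind, items in checks if items]
    return {"hostname": host["hostname"],
            "rakhni_branch": rakhni_branch(host),
            "findings": findings}


if __name__ == "__main__":
    report = triage(HOST)
    print(f"{report['hostname']}: would receive the '{report['rakhni_branch']}' payload")
    for f in report["findings"]:
        print(f"  [{f['kind']}] " + ", ".join(f["items"]))
```

The branch prediction is the mitigation guide: a host with a wallet file needs offline wallet backups and tested file restores before anything else, a many-core host needs CPU-anomaly alerting, and a low-core host is mainly a propagation risk, so its `C:\Users` share permissions and startup folders are what to lock down and monitor.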
Why be only ransomware, only a cryptojacker, or only a worm when you could select the best tool in your belt for each compromised machine and extract as much value out of it as possible? Brian Krebs has an interesting writeup on the value of a hacked PC which does a good job of explaining how attackers choose the appropriate use(s) for a compromised machine.
As malware authors develop more sophisticated attacks, security researchers must keep up or face a bleak future. A sandbox is the most effective method for detecting malicious MS Word documents and executable files when signatures and MD5 hashes are not enough. When choosing a sandbox vendor, it is important to research its anti-evasion techniques, since this has become an arms race. While Rakhni attempts to extract the most cash out of a victim, state-sponsored attackers could easily perform deeper reconnaissance and have more destructive tools in their toolbox. This was seen recently in the Triton and Duqu attack campaigns.