Home > Ransomware > New Rakhni Coin Miner Virus – Chooses Mining or Ransomware Infection

New Rakhni Coin Miner Virus – Chooses Mining or Ransomware Infection

A new form of malware, combining the two most prominent threats out there – cryptocurrency mining and ransomware has been detected to check which is the appropriate type of virus to be installed on your PC and then installs either ransomware or miner.

The new coin miner malware is quite interesting in the fact that it infect your computer silently via an .exe file, pretending to be plugin for Adobe Reader:

The malware, which has been written in the language Delphi, installs the Rakhni Trojan on the victim’s computer, which is basically the executable file. But the .exe file is not directly downloaded on the victim PC. The Rakhni virus first spreads phishing e-mails that distribute the virus in the form of a fake Microsoft Word document, containing malicious macros. This type of attack is often used by malware and to briefly explain how it works, we have created the following graphic of activities:

What Does Rakhni Malware Do?

Once installed on your computer, the malicious executable displays a fake error message box, which tricks you as a victim that your computer has suffered some kind of malfunction resulting in a system error. In the background however, the Rakhni malware checks if it’s running on a virtual drive or an actual computr system and if it is, the virus shuts down and delete sit’s payload. The same is done if the virus is running in a Sandbox(https://sensorstechforum.com/sandboxie-software-review/) environment.

If not however, the headache for victims begins as the Rakhni virus initiates a sscan of the computers of victims. This system scans your computer and looks of the following speicfic parameters:

  • If your PC has a BitCoin follder installed in the %AppData% directory..
  • If your computer system has dual-core or higher processing power, but does not have a BitCoin folder in it.

If the ransomware virus checks that your computer has such a BitCoin folder, it immediately estimates that you may have BitCoin tokens and installs a ransomware virus, that encrypts your:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Virtual Drives.
  • Audio files.
  • Other important files.

The files are encrypted with the RSA-1024 encryption algorithm and their main goal is to not be able to opened. Shortly after that, a ransom note is also displayed with instructions on how much BitCoins should be sent and to which address.

If there is no “BitCoin” folder on your computer however, the malware does not just stop functioning, but installs another type of malware instead of ransomware – A cryptocurrency miner. The miner begins to utilize a tool, which is called MinerGate and it is used to mine Monero, Monero Original and Dashcoin tokens. This mining process results in your computer beginning to perform extremely slow and it may even start freezing at times. And the Rakhni malware goes through great extent to hide it’s activity as well, by modifying the CertMgr.exe utility in Windows and installing fake certificates that add it as a trusted program in Windows and hence making it seem as if it’s running as a system process.

But Wait, There Is More

If your computer is slow and not very powerful (1-core CPU only), the malware still performs malicious activities, instead of leaving you alone – it copies a worm. By slithering this worm onto your PC, the virus may start to automatically spread onto your local network, meaning that if your computer is infected and connected to 20 other PC’s, the virus may use the same LAN to connect to those computers and re-start it’s “Miner or Ransomware” choosing process again.

And if that is not enough, the Rakhni virus has one more trick up it’s sleeve – it spies on you! That is right! If this is not enough, this infection may begin to perform series of unwanted activities, which may lead to theft of your personal infromation in real time. This means that the malware has the capability of:

  • Stealing your files in the background.
  • Collecting the keystrokes you type.
  • Stealing saved passwords.
  • Collecting information that you click on online.
  • Getting information about your browsing activities.

Protection Is Vital

Since researchers have now detected that this virus has targeted over 95% of it’s victims in Russia, but also has another Worm component, the possibility of it infecting every random computer on the planet is always real. This is the main reason why security experts always advise scanning your PC for malware or keeping an anti-malware program installed on your PC, which will protect it in real-time.


Malware Removal Tool

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *