Rakhni Trojan Removal — Restore Your PC From Infections

The Rakhni Trojan is among the most devastating computer viruses of the last few years, combining both a miner and a ransomware engine. It is fairly complex and evaluates each infected system before running a custom attack sequence. The fact that it can spread through the local network using a worm function has made it a critical threat that must be removed immediately once an infection has been reported. Read our complete analysis and removal guide to learn how to restore infected hosts.

Threat Summary

Name: Rakhni Trojan
Type: Trojan, Ransomware, Cryptocurrency Miner
Short Description: The Rakhni Trojan is capable of spying on the users and their machines and of installing cryptocurrency miners or ransomware code. It is one of the most dangerous and persistent threats of the last few years because of its very advanced malicious engine.
Symptoms: Depending on the case, users may find that their files have been encrypted by ransomware or notice unusual performance issues.
Distribution Method: Spam Emails, Email Attachments

Rakhni Trojan – Distribution Methods

The Rakhni Trojan has been in distribution since 2013 using various attack campaigns. Throughout the years its code has shifted through several generations of different strains, each using different mechanics to intrude into the target machines.

At the moment the security reports indicate that the top 5 countries where the infections have been found are the following: the Russian Federation, Kazakhstan, Ukraine, Germany and India. The ongoing attack campaigns have been found to rely on email phishing messages. The hackers have created multiple language versions of the emails, which pose as being sent by a well-known company. They coerce the victims into opening an infected payload document. When it is accessed by the users, a notification prompt appears which asks them to enable the built-in macros (scripts). If this is done, an automatic trigger executes the built-in download sequence that ultimately leads to the Rakhni Trojan infection.

Rakhni Trojan email phishing message example

Other files that can be used to deploy the infection also include the following:

  • Presentations
  • Spreadsheets
  • Databases
  • Application Installers

An interesting characteristic is that the infection engine also produces an error message claiming that a download has failed. This is done in order to divert the victim's attention from the script.

Rakhni Trojan – In-Depth Analysis

The security analysis reveals that the Rakhni Trojan follows a carefully planned, preconstructed behavior pattern. The malicious engine responsible for the correct execution of the Trojan initiates several installation checks before proceeding further. They are responsible for deploying the Trojan instance in several system locations posing as the Adobe Reader application. This is done in order to make it more difficult for users and system administrators to spot the infection, as Adobe Reader is one of the most commonly installed applications. The engine also creates the relevant Windows Registry values so that everything matches up.

The next step in the infection process looks for the signatures of programs that may interfere with its correct execution: anti-virus programs, virtual machine hosts and debug/sandbox environments.

The main infection engine installs two certificates that pose as being signed by Adobe and Microsoft. This step is accompanied by the download of additional files to the Windows Temporary files folder.

The unique characteristic of this Trojan is that it can deploy either a ransomware engine or a cryptocurrency miner depending on several environmental checks. The implemented mechanism looks for signs of a Bitcoin software installation; if such are found, the virus code deems that the victim users might have digital assets that can be stolen. This activates the miner download and execution command. Otherwise the ransomware engine is started.

The ransomware engine is downloaded in case no Bitcoin or other cryptocurrency software is found on the target machines, or if their hardware resources are deemed ineffective for mining. Before this component is started, the Trojan once again checks whether certain applications and services are running and terminates them to facilitate its correct execution. It has also been found to delete all identified Shadow Volume Copies and possibly the System Restore data. This means that file recovery will be possible only via a professional-grade solution. Refer to our instructions for more information on this.

Analysis of the ransomware component reveals that the following file type extensions are targeted:

“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”, “.ashbak”, “.backup”, “.bck”, “.bdb”, “.bk1”, “.bkc”,
“.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”, “.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”,
“.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”, “.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”,
“.p7c”, “.pem”, “.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”, “.pdf”, “.doc”,
“.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”, “.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”,
“.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”, “.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”,
“.pab”, “.oab”, “.psd”, “.psb”, “.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”,
“.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”, “.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”,
“.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”, “.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”,
“.end”, “.eog”, “.erb”, “.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”, “.repx”, “.oxps”, “.dot”.
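Because the list above covers backup images, certificates, password databases and key files alongside ordinary documents, a local backup sitting next to the data is itself in scope. The following Python inventory is an added example (not code from the original article) that groups subsets of the published extensions by what their loss costs and reports how many in-scope files, and which local backups, exist under a directory; the category grouping and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Subsets of the extension list published in the analysis above, grouped by
# what losing them costs a victim. Extend each set from the full list.
TARGETED = {
    "backup": {".bak", ".bac", ".abk", ".backup", ".bck", ".bkf", ".bkp", ".tib",
               ".tbk", ".gho", ".nbf", ".nbu", ".old", ".qic", ".fbf", ".fbw"},
    "credential": {".pem", ".der", ".cer", ".crt", ".csr", ".p7b", ".pfx", ".key",
                   ".kdb", ".kdbx", ".pwm", ".kwm", ".snk"},
    "database": {".accdb", ".mdb", ".mdf", ".ldf", ".sql", ".sqlite", ".sqlite3",
                 ".sqlitedb", ".dbf", ".edb", ".1cd"},
    "document": {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm", ".ppt",
                 ".pptx", ".pdf", ".txt", ".csv", ".msg", ".eml", ".pst", ".ost"},
}

def classify(path):
    """Return the exposure category of a file, or None if it is not targeted."""
    ext = os.path.splitext(path)[1].lower()
    for category, exts in TARGETED.items():
        if ext in exts:
            return category
    return None

def assess_exposure(root):
    """Count targeted files per category under root and list local backups.
    Backups on the same host fall inside the encryption scope, so they are
    no recovery path once this strain runs; only offline copies are."""
    counts = Counter()
    local_backups = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            category = classify(name)
            if category is None:
                continue
            counts[category] += 1
            if category == "backup":
                local_backups.append(os.path.join(dirpath, name))
    return dict(counts), sorted(local_backups)

def build_sample_tree():
    """Create a constructed directory tree for demonstration; not real data."""
    root = tempfile.mkdtemp(prefix="rakhni_demo_")
    os.mkdir(os.path.join(root, "backups"))
    for rel in ["report.docx", "keys.kdbx", "site.pfx", "readme", "app.exe",
                os.path.join("backups", "db.bak"), os.path.join("backups", "old.tib")]:
        open(os.path.join(root, rel), "w").close()
    return root
```

Running `assess_exposure(build_sample_tree())` on the constructed tree reports one document, two credential files and two backups, the backups being exactly the files a victim would reach for after encryption.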

Rakhni Trojan ransomware note

The associated Rakhni Trojan installs the miner instance as a randomly-named executable in the %AppData% folder. It generates a script that installs it as a persistent threat — this means that this component will be automatically started once the computer is booted. The analysis shows that the downloaded miner is configured to mine the Monero (XMR) currency.
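Two traits described in this analysis, the Trojan posing as Adobe Reader in system locations and the miner persisting as a randomly-named executable under %AppData%, can be triaged from an export of autostart entries. The Python below is an added example, not the article's own code; the sample entries, the entry-name-to-command-line export format, the impersonated product names and the randomness heuristic are all assumptions made for illustration.

```python
import re

# Constructed sample of autostart entries (entry name -> command line), such
# as a defender might export from the Run keys or the Startup folder. The
# second and fourth entries imitate the patterns described above; none is a
# real indicator.
SAMPLE_AUTOSTARTS = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "xq7v2k9pz": r"C:\Users\alice\AppData\Roaming\xq7v2k9pz.exe",
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "AcroRd32": r"C:\Users\alice\AppData\Roaming\AcroRd32.exe",
}

EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)
# An .exe sitting directly in the AppData\Roaming or AppData\Local root;
# legitimate software normally lives in a vendor subfolder.
DIRECT_APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe$", re.IGNORECASE)
# Product names the Trojan borrows according to the analysis (assumed set).
IMPERSONATED = ("adobe", "acrord", "reader")

def looks_random(stem):
    """Heuristic: 6+ alphanumerics mixing digits and letters, almost no vowels."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z0-9]{6,}", s) or not re.search(r"\d", s):
        return False
    letters = re.sub(r"\d", "", s)
    vowels = sum(ch in "aeiou" for ch in letters)
    return not letters or vowels / len(letters) < 0.25

def inspect_autostart(name, command):
    """Return the reasons an autostart entry deserves a closer look."""
    m = EXE_RE.match(command.strip())
    if not m:
        return []
    exe = m.group(1)
    stem = exe.rsplit("\\", 1)[-1][:-4]
    reasons = []
    if DIRECT_APPDATA_RE.search(exe):
        reasons.append("exe directly under AppData root")
    if looks_random(stem):
        reasons.append("random-looking file name")
    lowered = (name + " " + stem).lower()
    if any(w in lowered for w in IMPERSONATED) and "program files" not in exe.lower():
        reasons.append("vendor name outside Program Files")
    return reasons

def triage(entries):
    """Map each entry name to its findings, dropping clean entries."""
    findings = {}
    for name, command in entries.items():
        reasons = inspect_autostart(name, command)
        if reasons:
            findings[name] = reasons
    return findings
```

On the sample, `triage(SAMPLE_AUTOSTARTS)` flags only the two imitation entries and leaves the OneDrive and Windows entries alone; the heuristics produce leads for manual verification, not verdicts.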

Rakhni Trojan – Trojan Operations

Apart from disabling the security software that can interfere with its execution, the Trojan also creates a secure connection with a hacker-controlled server. It is used to automatically report the infections, harvested information and other gathered data. The analysis shows that the following strings are among the first to be transferred:

  • Computer name
  • Public IP address
  • Path of the installed Rakhni Trojan on the infected hosts
  • Current Date and Time
  • Trojan Built Date

The local instance is able to communicate three states of its current status — a confirmation that the Trojan components have been downloaded, a message showing that the network infiltration has begun, or an error message.

A network worm instance is executed which scans the local network and attempts to infiltrate other machines on the network using various vulnerabilities. It performs automated penetration testing using built-in scripts.

The Trojan module is also responsible for the advanced stealth protection mechanism that can instruct the virus to delete itself automatically. This is done if the underlying engine suspects that the users may be trying to scan their systems for malware or attempting to remove it by manual or automated means.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
