Old malware being used for cryptomining and ransomware




     The Rakhni Trojan, first spotted in 2013, has been modified with a new trick: depending on the victim's machine, it now infects the target either with a ransomware cryptor, to extort money directly, or with a stealthy cryptominer that hijacks the computer's CPU cycles for the attackers' benefit. If neither of those two ways of profiting from the victim is viable, Rakhni falls back on a third: it makes the victim a link in the malware's own distribution chain.

     The malware, which has mostly been infecting victims in Russia, is distributed via email spam. The phishing emails the researchers inspected contained fake corporate financial documents, which suggests that the criminals' main targets are companies. After opening the email attachment, the victim is prompted to enable editing of what the document claims to be an embedded PDF file. Clicking on that "PDF" launches a malicious executable. Once running, the downloader, an executable written in Delphi, displays a fake error message box attributed to Adobe, so that the victim does not suspect that anything has been infected.




     To hide the presence of the malicious software on the system, the malware developer made it look like a product of Adobe Systems. This is reflected in the icon, the name of the executable file and a fake digital signature that uses the name Adobe Systems Incorporated. According to the researchers, the downloader then decides whether to fetch the cryptor or the miner based on whether a cryptocurrency wallet (the Bitcoin data folder) is present on the system. If the folder exists, the downloader fetches the cryptor. If the folder does not exist and the machine has more than two logical processors, the miner is downloaded instead. The number of logical processors is an abstraction of how many tasks a computer can execute in parallel; the attackers decided that if the infected machine is powerful enough, mining cryptocurrency on its hardware is more profitable than extorting money from its owner.

     If the cryptocurrency folder exists, the Trojan downloads a password-protected archive containing the cryptor module to the user's Startup directory, C:\Documents and Settings\username\Start Menu\Programs\Startup. The cryptor executable is named taskhost.exe. It only starts working once the system has been idle for at least two minutes, after which it encrypts files matching a list of extensions and renames them with the .neitrino extension. In each encrypted directory the cryptor creates a MESSAGE.txt file with the ransom message. The ransom note contains the attacker's email address and a payment deadline, warns that using third-party decryptors can corrupt files so that even the original decryptor can no longer recover them, and closes by informing the victim that all requests are processed by an automatic system. Decryption tools for the Rakhni ransomware are currently available.



     If the cryptocurrency folder does not exist, the Trojan downloads a miner module and generates a VBS script with commands for mining either the Monero or the Dashcoin cryptocurrency. To disguise the miner as a trusted process, the attacker signs it with a fake Microsoft Corporation certificate and names it svchost.exe. Finally, if the machine has no cryptocurrency folder and only one logical processor, the downloader jumps to its worm component. This last-resort method tries to copy the downloader to every computer on the local network: it runs the system command "net view /all", which returns the reachable shares, and writes the names of the computers with shared resources to a list.log file, which it then walks to spread itself. The Rakhni Trojan has continued to change over the years, and this ability to choose between payloads is only the latest modification. The malware writers have also changed the way the Trojan obtains its keys, from locally generated keys to keys received from the command and control server, and have shifted their distribution method from spam to remote execution.
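The behaviour described above leaves host-level traces that an incident responder can hunt for: a taskhost.exe in a user's Startup folder (the legitimate taskhost.exe and svchost.exe live under the Windows system directory), files renamed to .neitrino with a MESSAGE.txt beside them, a svchost.exe outside the system directory, a list.log of share names, and binaries whose signer name claims Adobe or Microsoft without a certificate that actually chains to a trusted root. The following Python triage script is an added example written for this page, not code from the researchers or from the malware; the host snapshot it scans is constructed, and the `signer` / `chain_valid` fields stand in for what a tool such as Get-AuthenticodeSignature would report (an assumption, since the script does not verify signatures itself).

```python
"""Added example: triage a host file listing for the Rakhni indicators
described in the article (cryptor, miner and worm artifacts)."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Where the real taskhost.exe / svchost.exe live on Windows; the same
# names anywhere else are a masquerade.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MASQUERADED_NAMES = {"taskhost.exe", "svchost.exe"}
RANSOM_EXT = ".neitrino"      # extension given to encrypted files
RANSOM_NOTE = "message.txt"   # note dropped in each encrypted directory
WORM_LOG = "list.log"         # share list written by the worm component
# Signer names the article says were forged on the cryptor and miner.
FORGED_SIGNER_NAMES = {"adobe systems incorporated", "microsoft corporation"}


@dataclass(frozen=True)
class FileRecord:
    path: str                  # full NT path of the file
    signer: str = ""           # Authenticode signer subject ("" = unsigned); assumed input
    chain_valid: bool = False  # True only if the certificate chains to a trusted root


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare everything lower-cased."""
    return path.replace("/", "\\").lower()


def is_masquerading_system_binary(path: str) -> bool:
    """taskhost.exe / svchost.exe outside the system directories."""
    p = _norm(path)
    if ntpath.basename(p) not in MASQUERADED_NAMES:
        return False
    return not any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def in_startup_folder(path: str) -> bool:
    """Per-user Startup folder, where the article says the cryptor is dropped."""
    return "\\start menu\\programs\\startup\\" in _norm(path)


def has_forged_signature(rec: FileRecord) -> bool:
    """Signer name borrowed from Adobe/Microsoft but no valid chain."""
    return rec.signer.lower() in FORGED_SIGNER_NAMES and not rec.chain_valid


def find_encrypted_dirs(paths):
    """Map directory -> {'encrypted': count of .neitrino files, 'note': MESSAGE.txt present}."""
    dirs = defaultdict(lambda: {"encrypted": 0, "note": False})
    for path in paths:
        d, name = ntpath.split(_norm(path))
        if name.endswith(RANSOM_EXT):
            dirs[d]["encrypted"] += 1
        elif name == RANSOM_NOTE:
            dirs[d]["note"] = True
    # A note without encrypted files is not by itself an indicator.
    return {d: v for d, v in dirs.items() if v["encrypted"]}


def triage(records):
    """Return (kind, path, detail) findings for every indicator hit."""
    findings = []
    for rec in records:
        if is_masquerading_system_binary(rec.path):
            where = "Startup folder" if in_startup_folder(rec.path) else "non-system path"
            findings.append(("masquerade", rec.path, where))
        if has_forged_signature(rec):
            findings.append(("forged_signer", rec.path, rec.signer))
        if ntpath.basename(_norm(rec.path)) == WORM_LOG:
            findings.append(("worm_share_list", rec.path, ""))
    for d, info in find_encrypted_dirs([r.path for r in records]).items():
        note = "yes" if info["note"] else "no"
        findings.append(("encrypted_dir", d, f"{info['encrypted']} files, note={note}"))
    return findings


# Constructed host snapshot (not real data): one clean system binary, one
# clean Adobe binary, and the artifacts of a cryptor + miner + worm run.
SAMPLE_HOST = [
    FileRecord(r"C:\Windows\System32\taskhost.exe", "Microsoft Windows", True),
    FileRecord(r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "Adobe Systems Incorporated", True),
    FileRecord(r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\taskhost.exe",
               "Adobe Systems Incorporated", False),
    FileRecord(r"C:\Documents and Settings\alice\My Documents\budget.xlsx.neitrino"),
    FileRecord(r"C:\Documents and Settings\alice\My Documents\MESSAGE.txt"),
    FileRecord(r"C:\Documents and Settings\alice\Application Data\svchost.exe",
               "Microsoft Corporation", False),
    FileRecord(r"C:\Documents and Settings\alice\Application Data\list.log"),
]

if __name__ == "__main__":
    for kind, path, detail in triage(SAMPLE_HOST):
        print(f"{kind:16} {path}  {detail}")
```

Path checks are deliberately done on normalised, lower-cased strings because NTFS is case-insensitive and an attacker can vary the case of "svchost.exe" freely. The signer check is only as good as the signature data fed in; a matching vendor name is meaningless unless the chain actually validates, which is exactly what the fake Adobe and Microsoft certificates rely on analysts overlooking.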