A long-running Trojan family that is still active today has spawned new samples that infect their victims with either a cryptor or a miner, according to Kaspersky Lab.
Distributed through spam emails with documents attached, the samples are related to the Trojan-Ransom.Win32.Rakhni family. “After opening the email attachment, the victim is prompted to save the document and enable editing. The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable,” researchers wrote.
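The lure described above relies on an embedded object that is shown to the victim as a PDF but is really a Windows executable. The following is an added example, not code from Kaspersky Lab or from the article, of a defender-side check that compares the type implied by an embedded file's displayed name with the type indicated by its leading bytes; all names and byte strings are constructed for illustration.

```python
import os
from typing import Dict, Optional

# Leading bytes (magic numbers) for the file types a document lure commonly carries.
MAGIC = {
    "pdf": b"%PDF-",
    "exe": b"MZ",                                   # Windows PE files start with the DOS "MZ" header
    "zip": b"PK\x03\x04",                           # also OOXML documents (.docx, .xlsx)
    "rtf": b"{\\rtf",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # legacy .doc/.xls containers
}

# Type a user would expect from the visible extension.
EXTENSION_TO_TYPE = {
    ".pdf": "pdf", ".exe": "exe", ".docx": "zip", ".xlsx": "zip",
    ".zip": "zip", ".rtf": "rtf", ".doc": "ole", ".xls": "ole",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type indicated by the content's magic bytes, or None if unknown."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_embedded_file(name: str, data: bytes) -> Dict[str, object]:
    """Flag an embedded object whose displayed name and real content disagree.

    The case from the article: an object presented as a .pdf whose bytes are an
    MZ executable. Any executable embedded in a mail attachment is reported too.
    """
    claimed = EXTENSION_TO_TYPE.get(os.path.splitext(name)[1].lower())
    actual = sniff_type(data)
    if actual == "exe" and claimed != "exe":
        reason = f"disguised executable: shown as {claimed or 'unknown'}, content is a PE file"
    elif actual == "exe":
        reason = "executable embedded in document"
    elif claimed is not None and actual is not None and claimed != actual:
        reason = f"type mismatch: shown as {claimed}, content is {actual}"
    else:
        reason = ""
    return {"name": name, "claimed": claimed, "actual": actual,
            "suspicious": bool(reason), "reason": reason}


# Constructed samples: a genuine PDF and an executable renamed to look like one.
GENUINE_PDF = ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n")
FAKE_PDF = ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff")
```

Running `check_embedded_file(*FAKE_PDF)` reports a disguised executable, while the genuine PDF passes cleanly.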
The Trojan decides which payload should be downloaded onto the victim’s PC at the moment the malicious executable is launched. “The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals,” said Orkhan Mamedov, malware analyst, Kaspersky Lab.
“They will always try to benefit from their victims: either by directly extorting money (cryptor), by the unauthorized use of user resources for their own needs (miner), or by exploiting the victim in the chain of malware distribution (net-worm).”
Since the family was first discovered in 2013, its authors have changed the way their Trojans obtain keys: where keys were once generated locally, they are now received from the command and control (C&C) server. They have also altered the algorithms used, moving from exclusively symmetric encryption to the commonly used hybrid scheme of symmetric and asymmetric algorithms.
Analysts have recently discovered 18 symmetric algorithms used simultaneously. The crypto-libraries also differ between versions, as does the distribution method, which has ranged from spam to remote execution. In the recently spotted samples, the criminals have added a mining capability.
According to researchers, the malware primarily targets companies rather than ordinary users, and is spread mainly in Russia. The Russian Federation has been attacked most frequently by Trojan-Downloader.Win32.Rakhni, accounting for more than 95% of the unique victims. Kazakhstan, Ukraine, Germany, and India complete the top five countries attacked, each accounting for less than 2% of all users attacked by this malware.