IT security researchers have described a new version of the Rakhni malware for Windows. Its loader decides on its own how to handle the victim's computer: install a hidden cryptocurrency miner, encrypt files and demand a ransom, or run a worm component and spread to other machines on the local network.
Whether the loader fetches the encryptor or the miner depends on whether the %AppData%\Bitcoin folder exists on the system. If it does, the loader downloads the encryptor. If the folder is absent and the computer has more than two logical processors, the miner is downloaded. If the folder is absent and only one logical processor is available, the loader proceeds to the worm component.
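The payload selection described above, written out as an added example (this is not code from the article or from Kaspersky Lab; the function names, the HostRecord type and the sample inventory are assumptions made here). It models the reported rule, treats the case the report does not cover (folder absent, exactly two logical processors) as unspecified rather than guessing, and applies the rule to an inventory so a responder can see which hosts the loader would have encrypted, mined on, or used to spread:

```python
"""Added example: model of the reported Rakhni loader decision rule,
plus a helper that applies it to a constructed host inventory."""
import os
from dataclasses import dataclass


def choose_payload(bitcoin_folder_present: bool, logical_cpus: int) -> str:
    """Return the component the loader would fetch, per the published rule:
    Bitcoin folder present -> encryptor; absent and more than two logical
    CPUs -> miner; absent and one logical CPU -> worm.
    Absent with exactly two CPUs is not covered by the report, so it is
    returned as 'unspecified' instead of being invented."""
    if bitcoin_folder_present:
        return "encryptor"
    if logical_cpus > 2:
        return "miner"
    if logical_cpus == 1:
        return "worm"
    return "unspecified"


@dataclass
class HostRecord:
    """Assumed inventory shape: one record per host (not from the article)."""
    hostname: str
    bitcoin_folder_present: bool
    logical_cpus: int


def predict_fleet(hosts) -> dict:
    """Group hosts by the payload the loader would pick on each of them,
    e.g. to give the 'encryptor' bucket backup and containment priority."""
    buckets: dict = {}
    for h in hosts:
        payload = choose_payload(h.bitcoin_folder_present, h.logical_cpus)
        buckets.setdefault(payload, []).append(h.hostname)
    return buckets


def local_host_record(hostname: str = "localhost") -> HostRecord:
    """Collect the two inputs from the machine this runs on. %APPDATA% is
    only set on Windows; elsewhere the folder test simply reports False."""
    appdata = os.environ.get("APPDATA")
    present = bool(appdata) and os.path.isdir(os.path.join(appdata, "Bitcoin"))
    return HostRecord(hostname, present, os.cpu_count() or 1)


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_HOSTS = [
    HostRecord("ws-01", True, 2),   # wallet folder present -> encryptor
    HostRecord("ws-02", False, 8),  # no folder, many cores -> miner
    HostRecord("ws-03", False, 1),  # no folder, one core -> worm
    HostRecord("ws-04", False, 2),  # no folder, two cores -> not covered
]


if __name__ == "__main__":
    for payload, names in sorted(predict_fleet(SAMPLE_HOSTS).items()):
        print(f"{payload}: {', '.join(names)}")
    me = local_host_record()
    print(f"this host would get: {choose_payload(me.bitcoin_folder_present, me.logical_cpus)}")
```

The "unspecified" bucket is deliberate: when a report leaves a branch undocumented, a triage tool should surface that gap rather than silently assign the host to one of the known outcomes.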
The malware spreads through spam emails and relies on the victim opening the attachment. The executable is disguised as a PDF file; once launched, it displays an error stating that the attachment could not be opened. The malware then checks the system for the presence of certain directories and files, disables the built-in Windows Defender if necessary, installs a root certificate, and carries out the selected type of activity.
More information about Trojan-Ransom.Win32.Rakhni is available on Kaspersky Lab's website.