A newly discovered piece of malware infects systems with either a cryptocurrency miner or ransomware, choosing between the two based on the victim's configuration so as to pick whichever scheme is likely to be more profitable. It is currently spreading in Russia via spear phishing emails with a malicious Word document attached.
Once installed, the malware runs through several evasion techniques aimed at both antivirus software and virtual machine detection. Once it decides it can infect the system without being detected, it performs checks to select the final payload. Those checks are as follows:
1.) Installs ransomware—if the target system has a ‘Bitcoin’ folder in the AppData directory.
Before encrypting files with RSA-1024, the malware terminates any running processes that match a predefined list of popular applications, then displays a ransom note in the form of a text file.
2.) Installs cryptocurrency miner—if ‘Bitcoin’ folder doesn’t exist and the machine has more than two logical processors.
If the miner is the chosen payload, the malware uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) in the background. In addition, it uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated, in an attempt to make the miner look like a trusted process.
3.) Activates worm component—if there’s no ‘Bitcoin’ folder and just one logical processor.
This component lets the malware copy itself to every computer on the local network that it can reach through shared resources.
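All three behaviours described above (a Word document launching a payload, CertMgr.exe adding a certificate to the root store, and the worm component copying an executable to network shares) leave traces in ordinary process-creation telemetry. The following Python script is an added example written for this post; it is not code from the original article or from any analysis of this malware. It runs three simple rules over a handful of constructed event records. The event fields, the allowlist of expected Office child processes, the hostnames and the command lines are all assumptions invented for the example.

```python
"""Flag process-creation events that match the behaviours described in the post.

Added example: the rules, event records and allowlists below are constructed
for illustration and are not taken from the original article.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record (e.g. a Sysmon Event ID 1 or Windows 4688 entry)."""
    parent: str    # full path of the parent process image
    image: str     # full path of the newly created process image
    cmdline: str   # command line of the new process


# Office hosts that should not normally spawn executables; document-borne payloads do.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Hypothetical allowlist of children Office legitimately starts (tune per environment).
OFFICE_EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}
# Tools a copy-to-share step would typically go through.
COPY_TOOLS = {"cmd.exe", "xcopy.exe", "robocopy.exe", "powershell.exe"}

# certmgr.exe invoked with -add and the 'root' store named on the same command line.
ROOT_STORE_ADD = re.compile(r"-add\b.*\broot\b", re.IGNORECASE)
# An executable written to a UNC path (\\host\share\...\name.exe).
UNC_EXECUTABLE = re.compile(r"\\\\[\w.-]+\\[^\s]+\.(?:exe|dll|scr)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the name of every rule the event matches (empty list if none)."""
    findings: List[str] = []
    image = _basename(ev.image)
    parent = _basename(ev.parent)
    if parent in OFFICE_PARENTS and image not in OFFICE_EXPECTED_CHILDREN:
        findings.append("office-spawned-process")
    if image == "certmgr.exe" and ROOT_STORE_ADD.search(ev.cmdline):
        findings.append("root-store-add")
    if image in COPY_TOOLS and UNC_EXECUTABLE.search(ev.cmdline):
        findings.append("share-copy-executable")
    return findings


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map the index of each flagged event to its findings; clean events are omitted."""
    flagged: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            flagged[i] = findings
    return flagged


# Constructed sample telemetry: two benign events followed by three that mirror the post.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PAYLOAD = r"C:\Users\u\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", WORD,
              r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.docm"'),
    ProcEvent(WORD, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # Word spawning an executable dropped into Temp.
    ProcEvent(WORD, PAYLOAD, f'"{PAYLOAD}"'),
    # Payload installing a certificate into the machine root store.
    ProcEvent(PAYLOAD, r"C:\Windows\System32\certmgr.exe",
              r"certmgr.exe -add -c C:\Users\u\AppData\Local\Temp\ms.cer -s -r localMachine root"),
    # Payload copying itself to another host's share (constructed hostname WS02).
    ProcEvent(PAYLOAD, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c copy "C:\Users\u\AppData\Local\Temp\invoice.exe" \\WS02\C$\Users\Public\invoice.exe'),
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {_basename(ev.parent)} -> {_basename(ev.image)}: {', '.join(findings)}")
```

To use this against real data, map each Sysmon Event ID 1 (or Security 4688) record into a `ProcEvent` and feed the list to `triage`. The Office rule is the noisiest of the three and needs an environment-specific allowlist; the root-store rule is rare enough in most fleets that a single hit deserves a look, and the share-copy rule is best read alongside which hosts the UNC paths point at.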
As always, we recommend against opening suspicious emails or attachments and against clicking suspicious links. A working backup is also extremely important: in the event of an infection, it lets you roll back to a known-good state.