
A ransomware family still under development, called Big Head, is being distributed as part of a malvertising campaign in the form of fake Microsoft Windows updates and Word installers.
Big Head was first documented last month by Fortinet FortiGuard Labs, which discovered multiple variants of the ransomware designed to encrypt files on victims’ machines in exchange for cryptocurrency payments.
“One variant of Big Head ransomware displayed a fake Windows Update, and this ransomware may also have been distributed as a fake Windows Update,” Fortinet researchers said at the time. “One variant has a Microsoft Word icon and may have been distributed as counterfeit software.”
So far, the majority of Big Head samples have come from the United States, Spain, France, and Turkey.
In a new analysis of the .NET-based ransomware, Trend Micro details its inner workings and points to its ability to deploy three encrypted binaries: 1.exe propagates the malware, archive.exe facilitates its communication via Telegram, and Xarch.exe encrypts files and displays a fake Windows update.
“The malware displays a fake Windows Update UI to trick victims into believing the malicious activity is a legitimate software update process. The progress rate is displayed in 100-second increments,” the cybersecurity firm said.
Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and checks whether it is running inside a virtualized environment before proceeding to encrypt files.
Additionally, the malware disables Task Manager so that the user cannot terminate or inspect its process, and it automatically aborts if the machine’s language is Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek. It also has a self-delete function that erases traces of its presence.
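The behaviours listed above (backup deletion, Task Manager being disabled, self-deletion) are what an endpoint detection would correlate. The following is an added example, not code from the Fortinet or Trend Micro reports: it tags constructed Sysmon-style events and alerts only when one actor process shows several of those behaviours together. The specific registry value and shadow-copy commands it matches are assumptions, since the article names the behaviours but not the exact mechanisms Big Head uses.

```python
import re

# Assumed indicators for behaviours the article names; the page does not give the
# exact commands or registry value, so these specific patterns are assumptions.
DISABLE_TASKMGR_RE = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)
BACKUP_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
DEL_FILE_RE = re.compile(r"\bdel\b\s+\"?(?P<path>[^\"&]+?\.exe)\"?", re.I)

# Constructed Sysmon-style events (not taken from the Fortinet or Trend Micro reports).
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Users\victim\Downloads\Xarch.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "value": "1"},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\victim\Downloads\Xarch.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\Downloads\Xarch.exe",
     "cmdline": 'cmd.exe /c timeout 3 & del "C:\\Users\\victim\\Downloads\\Xarch.exe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin delete shadows /for=C: /oldest"},
]

def tag_event(event: dict) -> list:
    """Behaviour tags one event matches (empty if none)."""
    tags = []
    if event["type"] == "registry_set":
        if DISABLE_TASKMGR_RE.search(event["target"]) and event.get("value") == "1":
            tags.append("taskmgr_disabled")
    elif event["type"] == "process_create":
        if BACKUP_DELETE_RE.search(event["cmdline"]):
            tags.append("backup_deletion")
        m = DEL_FILE_RE.search(event["cmdline"])
        if m and m.group("path").lower() == event["parent_image"].lower():
            tags.append("self_delete")  # a spawned shell deleting its own parent's image
    return tags

def correlate(events: list) -> dict:
    """Map each actor (the process that set the value or spawned the child) to its sorted tags."""
    found = {}
    for ev in events:
        actor = ev["parent_image"] if ev["type"] == "process_create" else ev["image"]
        for tag in tag_event(ev):
            found.setdefault(actor, set()).add(tag)
    return {actor: sorted(tags) for actor, tags in found.items()}

def suspicious_actors(events: list, min_tags: int = 2) -> list:
    """Actors showing at least min_tags behaviours; one alone (e.g. an admin
    clearing old shadow copies from a shell) is not enough to alert on."""
    return sorted(a for a, t in correlate(events).items() if len(t) >= min_tags)
```

Running `suspicious_actors(SAMPLE_EVENTS)` flags only the constructed Xarch.exe process, while the lone shadow-copy cleanup from cmd.exe stays below the threshold.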

Trend Micro also detected a second Big Head artifact with both ransomware and stealer behavior. The latter utilizes the open-source WorldWind Stealer to collect web browser history, directory listings, running processes, product keys, and network.
A third variant of Big Head has also been found that incorporates a file infector called Neshta, which is used to inject malicious code into executable files on infected hosts.
“Incorporating Neshta into ransomware deployments may also serve as a camouflage technique for the final Big Head ransomware payload,” said Trend Micro researchers.
“This technique allows the malware to appear as a different kind of threat, such as a virus, and can de-prioritize security solutions that are primarily focused on detecting ransomware.”
The identity of the attacker behind Big Head is unknown at this time, but Trend Micro said it has identified a YouTube channel named “aplikasi premium cuma cuma”, suggesting the attacker may be based in Indonesia.
“Considering the versatility of malware, security teams should always be prepared,” the researchers concluded. “This multifaceted nature makes malware more difficult to defend against because it can cause significant harm when fully operational, and each attack vector requires separate attention.”