In a fresh cybersecurity threat, researchers have unearthed a new ransomware strain called 'Big Head', believed to be spread through malvertising that uses fake Windows updates and Microsoft Word installers, Trend Micro and Fortinet reported. “Malvertising” is the act of malicious advertising, the Center for Internet Security explained.
Cybersecurity firm Fortinet previously analyzed the malware, focusing on its infection vector and execution process. Now, a technical report from Trend Micro reveals that the two known variants, along with a third one, likely hail from a single operator experimenting with different strategies to enhance the malware's potency.
The 'Big Head' ransomware is a .NET binary that deposits three AES-encrypted files onto the targeted system. One file spreads the malware, the second allows for Telegram bot communication, and the third encrypts files and even displays a fraudulent Windows update to the user.
Upon execution, the ransomware performs several actions, such as setting up a registry autorun key, overwriting existing files, adjusting system file attributes, and disabling the Task Manager.
Every victim receives a unique ID, either extracted from the %appdata%\ID directory or generated using a random 40-character string. The malware eliminates shadow copies to impede easy system restoration and subsequently encrypts targeted files, adding a ".poop" extension to their names.
The ransomware tactfully avoids encryption of certain directories, such as Windows, Recycle Bin, Program Files, Temp, Program Data, Microsoft, and App Data, to prevent rendering the system inoperable.
Interestingly, the malware checks whether it is operating in a virtual box, identifies the system language, and only proceeds with encryption if the language doesn't match that of a Commonwealth of Independent States (CIS) member nation.
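The behaviors described above leave a defender with a few concrete host artifacts to check for. The following Python is an added example, not code from Trend Micro, Fortinet or the malware itself: it runs a triage pass over a constructed, in-memory host snapshot (file paths plus autorun registry values) and flags the indicators the article names, namely files carrying the ".poop" extension, the %appdata%\ID marker, and an autorun entry. It also encodes the excluded-directory list the article gives so an analyst can see the ransomware's targeting scope. The autorun heuristic (a command pointing into a user profile), the constructed paths and the autorun names are assumptions; the article describes the autorun key only in general terms.

```python
"""Triage helper for the Big Head indicators described in the article.

Added example, not code from Trend Micro, Fortinet or the malware. Runs
offline on a constructed snapshot. Indicator values taken from the article:
the ".poop" extension, the %appdata%\\ID victim-ID location, and the
directories the ransomware skips. The autorun heuristic and all sample
paths are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Directories the article says Big Head leaves alone, matched as path
# components, case-insensitively. "Recycle Bin" and "App Data" are written
# here as the on-disk folder names.
EXCLUDED_DIRS = {
    "windows", "$recycle.bin", "program files", "temp",
    "programdata", "microsoft", "appdata",
}

# "%appdata%\ID" from the article, expanded under a per-user profile.
ID_MARKER = re.compile(r"\\AppData\\Roaming\\ID$", re.IGNORECASE)

# Assumption: an autorun command launching from a user profile is suspicious.
USER_PROFILE_CMD = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


@dataclass
class TriageResult:
    encrypted_files: list[str] = field(default_factory=list)
    hits_inside_excluded_dirs: list[str] = field(default_factory=list)
    id_marker_paths: list[str] = field(default_factory=list)
    suspicious_autoruns: list[tuple[str, str]] = field(default_factory=list)

    @property
    def likely_infected(self) -> bool:
        # Either artifact alone is enough to escalate for a closer look.
        return bool(self.encrypted_files or self.id_marker_paths)


def in_excluded_dir(path: str) -> bool:
    """True if any component of `path` is a directory the article says is skipped."""
    parts = [p.lower() for p in path.split("\\") if p]
    return any(p in EXCLUDED_DIRS for p in parts)


def triage(paths: list[str], autoruns: list[tuple[str, str]]) -> TriageResult:
    """Scan a snapshot of file paths and (name, command) autorun pairs."""
    result = TriageResult()
    for p in paths:
        if p.lower().endswith(".poop"):
            result.encrypted_files.append(p)
            # A ".poop" file inside a skipped directory would contradict the
            # described behavior and is worth noting as an anomaly.
            if in_excluded_dir(p):
                result.hits_inside_excluded_dirs.append(p)
        if ID_MARKER.search(p):
            result.id_marker_paths.append(p)
    for name, cmd in autoruns:
        if USER_PROFILE_CMD.search(cmd):
            result.suspicious_autoruns.append((name, cmd))
    return result


# Constructed sample snapshot (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.poop",
    r"C:\Users\alice\Pictures\holiday.jpg.poop",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\AppData\Roaming\ID",
    r"C:\Users\alice\AppData\Local\Temp\cache.bin",
]
SAMPLE_AUTORUNS = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("Update", r"C:\Users\alice\AppData\Roaming\svc\update.exe"),
]


if __name__ == "__main__":
    r = triage(SAMPLE_PATHS, SAMPLE_AUTORUNS)
    print(f"encrypted files: {len(r.encrypted_files)}")
    print(f"ID marker present: {bool(r.id_marker_paths)}")
    print(f"suspicious autoruns: {r.suspicious_autoruns}")
    print(f"likely infected: {r.likely_infected}")
```

In a real investigation the path list would come from a file-system walk and the autorun pairs from the Run keys; the logic stays the same.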
Trend Micro also analyzed two additional Big Head variants, revealing some key differences in comparison to the standard ransomware version.
The second variant retains ransomware capabilities while introducing stealer behavior, gathering and exfiltrating sensitive data from the compromised system. This variant can steal browsing history, directory listings, installed drivers, running processes, the product key, and active networks, and can capture screenshots.
The third variant, discovered by Trend Micro, features a file infector known as "Neshta," which inserts malicious code into the executables on the compromised system. Although the precise purpose remains unclear, analysts suggest it might be an attempt to evade detection mechanisms that rely on signatures.
This third variant utilizes a different ransom note and wallpaper, but it remains linked to the same threat actor, thereby showcasing the intricate adaptive capacities of the malware.
Trend Micro maintains that Big Head is not particularly sophisticated: its encryption methods are fairly standard, and its evasion techniques are easy to detect. It appears to primarily target consumers easily duped by simple tricks, such as fake Windows updates, or those lacking an understanding of essential cybersecurity measures.
The existence of multiple circulating variants suggests that Big Head's creators are continually developing and refining their malicious tool, experimenting with various tactics to discover the most effective approach. This ongoing evolution of Big Head underscores the ever-evolving landscape of cybersecurity threats and the need for continuous vigilance in protecting digital assets.