Take Care: False Windows Updates Are Spreading Big Head Ransomware


A malvertising campaign that uses fake Microsoft Windows updates and Word installers is distributing Big Head, a ransomware programme that is still under development.

Big Head is a ransomware strain meant to encrypt files on victims' computers in return for a Bitcoin payment, as found by Fortinet FortiGuard Labs last month.

Fortinet researchers noted at the time that one Big Head ransomware version "displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update." One of the variants carries a Microsoft Word icon and was probably passed off as pirated software.

The U.S., Spain, France, and Turkey have provided most of the Big Head samples.

Trend Micro has released a new analysis of the .NET-based ransomware that reveals its inner workings and highlights its use of three encrypted binaries: 1.exe to spread the malware, archive.exe to enable Telegram communication, and Xarch.exe to encrypt the files and display a fraudulent Windows update.

The cybersecurity firm stated that the virus shows a phoney Windows Update UI to trick the user into believing that the harmful activity is a genuine software update procedure, with the percentage of completion shown in increments of 100 seconds.

In the same way as previous ransomware families, Big Head deletes backups, kills a number of processes, and checks to see if it's executing in a virtualized environment before encrypting the data.

The virus also disables the Task Manager to prevent users from stopping or investigating its process, and it terminates itself if the computer's language matches any of the following: Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek. It also has a self-delete routine that removes its own file from disk.
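Two of the behaviours described above, deleting backups before encryption and disabling Task Manager, leave host-level traces that defenders can alert on. The following toy detector is an added illustration, not code from Trend Micro, Fortinet or the Big Head samples: it scans Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) events for those traces and rates each process. The event records are constructed, and the specific commands and the `DisableTaskMgr` policy value it matches are assumptions about how such behaviour is commonly implemented, not claims about Big Head's own code.

```python
"""Toy detector for backup deletion and Task Manager tampering.

Added example, not the researchers' code. Log layout mimics Sysmon
field names (EventID, ProcessId, CommandLine, TargetObject, Details);
the sample events below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Command lines commonly used to destroy backups or recovery options before
# encryption. These are assumed generic indicators, not Big Head specifics.
BACKUP_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
}

# Policy value that hides Task Manager from the user when set to 1.
TASKMGR_POLICY = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)
DWORD_ONE = re.compile(r"DWORD \(0x0*1\)")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def inspect_event(ev: dict) -> list[Finding]:
    """Return the findings a single event triggers (possibly none)."""
    findings: list[Finding] = []
    pid = int(ev.get("ProcessId", 0))
    if ev.get("EventID") == 1:  # process creation
        cmd = ev.get("CommandLine", "")
        for rule, pattern in BACKUP_TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                findings.append(Finding(pid, rule, cmd))
    elif ev.get("EventID") == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if TASKMGR_POLICY.search(target) and DWORD_ONE.fullmatch(ev.get("Details", "")):
            findings.append(Finding(pid, "taskmgr_disabled", target))
    return findings


def triage(events: list[dict]) -> dict[int, tuple[str, list[str]]]:
    """Group findings per process and rate them.

    A process that both tampers with backups and disables Task Manager is
    rated high; backup tampering alone is medium; Task Manager alone is low.
    """
    by_pid: dict[int, list[Finding]] = defaultdict(list)
    for ev in events:
        for f in inspect_event(ev):
            by_pid[f.pid].append(f)

    report: dict[int, tuple[str, list[str]]] = {}
    for pid, findings in by_pid.items():
        rules = {f.rule for f in findings}
        tampers_backups = any(r != "taskmgr_disabled" for r in rules)
        disables_taskmgr = "taskmgr_disabled" in rules
        if tampers_backups and disables_taskmgr:
            severity = "high"
        elif tampers_backups:
            severity = "medium"
        else:
            severity = "low"
        report[pid] = (severity, sorted(rules))
    return report


# Constructed sample events: one process doing both behaviours, one benign
# service host, and one process deleting the backup catalogue only.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 13, "ProcessId": 4120,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessId": 5300, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"EventID": 1, "ProcessId": 6001, "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for pid, (severity, rules) in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {severity} ({', '.join(rules)})")
```

Correlating the two behaviours per process is the point of `triage`: either indicator on its own has benign explanations (administrators do delete shadow copies; some lockdown policies do hide Task Manager), but one process doing both in quick succession matches the pre-encryption sequence the article describes and deserves a high-severity alert.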

The stealer component of the second Big Head artefact, according to Trend Micro, uses the open-source WorldWind Stealer to collect network data, running processes, product keys, directory listings, and web browser history.

A third Big Head variant has also been found, and it uses the Neshta file infector to add malicious code to executables on the infected host.

The final Big Head ransomware payload may be hidden by including Neshta in the malware distribution, according to Trend Micro researchers.

This technique may also misdirect security tools that focus primarily on detecting ransomware, since the sample can appear to be a different kind of threat, such as a file-infecting virus.

The identity of the threat actor behind Big Head is presently unknown, although Trend Micro said it found a YouTube channel named "aplikasi premium cuma cuma," implying that the threat actor is probably Indonesian in origin.

Given the malware's varied functions, the researchers said, "Security teams should stay prepared." The malware's multiple variants make it harder to defend against, since each attack vector needs its own attention. Once fully operational, the malware has the ability to inflict substantial harm.