A new ransomware family dubbed Big Head, along with two variants, has emerged in the threat landscape. The ransomware is distributed through malvertisements posing as fake Windows updates or fake Windows installers.

As Trend Micro researchers continue to track the ransomware, they have documented the similarities and differences between the variants as used in attacks.

The Big Head infection

The Big Head ransomware is a .NET-compiled binary, employs a backdoor in its infection chain, and uses the AES and SHA256 algorithms in its file-encryption routine.
  • The malware terminates itself if the system's language setting matches the Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, or Uzbek locale codes.
  • Upon execution, it disables Task Manager and terminates other specific processes to prevent users from investigating or killing its own process.
  • It deletes backups, then encrypts files and appends the .poop extension to them.
  • It changes the victim's desktop wallpaper and drops ransom notes on the desktop, in subdirectories, and in the %appdata% folder.

The first sample

  • According to Trend Micro, this sample exhibits both ransomware and stealer behavior.
  • It encrypts files with AES and appends the suffix .poop69news@[REDACTED] to the encrypted files.
  • Like the strain above, it changes the victim's desktop wallpaper before displaying a ransom note.

The second sample

  • The second variant bundles a file infector, identified as Neshta, that inserts its malicious code into executable files. Neshta also serves as camouflage for the final deployment of the Big Head ransomware payload.
  • This variant displays a fake Windows update screen while it encrypts files, and renames the encrypted files using Base64 encoding to add a layer of obfuscation.
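For responders, the three file-name markers described above (the .poop extension of the main strain, the .poop69news@[REDACTED] suffix of the first sample, and the Base64-encoded names of the second sample) are the quickest way to tell which variant hit a host and to recover original file names where decoding works. The script below is an added triage example written for this article; it is not Trend Micro's or Cyware's code, the directory listing is constructed, and it assumes the second sample's renaming is standard (RFC 4648) Base64 of the original name, which the write-up does not specify.

```python
"""Triage a directory listing after a suspected Big Head infection.

Added example, not from the original research. Classifies file names by the
markers the write-up describes and, for the second sample, attempts to recover
the original name. Standard Base64 is an assumption, not a documented detail.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Whole-name Base64 alphabet with optional padding (assumed encoding).
BASE64_NAME = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Finding:
    name: str
    variant: str               # "big_head", "first_sample", "second_sample" or "clean"
    original: Optional[str]    # recovered name when Base64 decoding succeeds


def decode_base64_name(name: str) -> Optional[str]:
    """Return the decoded name if `name` is plausibly Base64 of a printable filename.

    Ordinary file names rarely survive this filter: they must use only the
    Base64 alphabet, have a length divisible by four, decode to valid UTF-8,
    be printable, and contain a '.' (an extension) once decoded.
    """
    if not BASE64_NAME.match(name) or len(name) % 4:
        return None
    try:
        raw = base64.b64decode(name, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text.isprintable() or "." not in text:
        return None
    return text


def classify(name: str) -> Finding:
    """Map one file name to the variant whose renaming scheme it matches."""
    lower = name.lower()
    if ".poop69news@" in lower:          # first sample: suffix with contact handle
        return Finding(name, "first_sample", None)
    if lower.endswith(".poop"):           # main strain: plain .poop extension
        return Finding(name, "big_head", None)
    decoded = decode_base64_name(name)    # second sample: Base64-renamed files
    if decoded is not None:
        return Finding(name, "second_sample", decoded)
    return Finding(name, "clean", None)


def triage(names: List[str]) -> Dict[str, List[Finding]]:
    """Group a listing by variant so a responder can see what touched the host."""
    out: Dict[str, List[Finding]] = {
        "big_head": [], "first_sample": [], "second_sample": [], "clean": []
    }
    for n in names:
        f = classify(n)
        out[f.variant].append(f)
    return out


# Constructed sample listing (hypothetical file names, built here for the example).
ENCODED_NOTES = base64.b64encode(b"notes.txt").decode()   # second-sample style name
SAMPLE_LISTING = [
    "report.docx",
    "budget.xlsx.poop",
    "photo.jpg.poop69news@[REDACTED]",
    ENCODED_NOTES,
    "README",
]

if __name__ == "__main__":
    for variant, findings in triage(SAMPLE_LISTING).items():
        for f in findings:
            extra = f" (original: {f.original})" if f.original else ""
            print(f"{variant:14} {f.name}{extra}")
```

The Base64 heuristic is deliberately strict (length, alphabet, UTF-8, printable, contains a dot) so that ordinary names such as README or Makefile are not misreported; if the real renaming turns out to use a URL-safe or otherwise modified alphabet, only BASE64_NAME and the b64decode call need changing.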

What more?

Researchers report that the threat actors behind the malware use both email and Telegram to communicate with their victims, and point them to a YouTube channel named 'aplikasi premium cuma cuma' that showcases demonstrations of the malware they possess.

According to researchers, the malware developers are likely inexperienced: they left recognizable strings in the binaries, used predictable encryption methods, and implemented weak or easily detectable evasion techniques, among other mistakes.

Final words

Its multi-faceted nature gives the ransomware the potential to cause significant harm once fully operational, and makes systems harder to defend. Security teams should be prepared for a threat that combines stealer, file-infector, and ransomware components.
Cyware Publisher