A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers.
Big Head was first documented by Fortinet FortiGuard Labs last month, when it uncovered several variants of ransomware designed to encrypt files on victims’ machines in exchange for cryptocurrency payments.
“One Big Head ransomware variant displayed bogus Windows Update, potentially indicating that the ransomware was also distributed as bogus Windows Update,” Fortinet researchers said at the time. “One of the variants has a Microsoft Word icon and is likely distributed as counterfeit software.”
The majority of Big Head’s samples have been submitted so far from the US, Spain, France and Turkey.
In a new analysis of the .NET-based ransomware, Trend Micro details how it works, noting its ability to deploy three encrypted binaries: 1.exe to propagate the malware, archive.exe to facilitate communication via Telegram, and Xarch.exe to encrypt files and display a fake Windows update.
“The malware displays a fake Windows Update UI to trick victims into thinking the malicious activity is a legitimate software update process, with a percentage of progress in 100-second increments,” the cybersecurity firm said.
Big Head is no different from other ransomware families in that it deletes backups, kills certain processes, and performs checks to determine whether it is running in a virtual environment before proceeding to encrypt files.
Additionally, the malware disables Task Manager to prevent users from stopping or investigating its processes, and terminates itself if the machine's language matches Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek. It also incorporates a self-delete function to erase its presence.
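The behaviour cluster described above (Task Manager disabled, backups deleted, self-deletion) is what a defender would correlate per process rather than alert on one at a time. The Python below is an added example, not Trend Micro's or Fortinet's code: it scores constructed Sysmon-style events and assumes Task Manager is disabled through the DisableTaskMgr policy value and backups are removed with vssadmin, mechanisms the article itself does not name.

```python
"""Per-process correlation of the behaviours described above.
Constructed Sysmon-style events; field names are this example's own.
Assumed mechanisms (the article names neither): Task Manager disabled
via the DisableTaskMgr policy value, backups removed with vssadmin."""
from collections import defaultdict

# Constructed telemetry: pid 4100 shows the cluster, pid 2200 is benign.
XARCH = r"C:\Users\u\Downloads\Xarch.exe"
SAMPLE_EVENTS = [
    {"pid": 4100, "image": XARCH, "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion"
               r"\Policies\System\DisableTaskMgr", "value": "1"},
    {"pid": 4100, "image": XARCH, "type": "process_create",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4100, "image": XARCH, "type": "process_create",
     "cmdline": f'cmd /c del "{XARCH}"'},
    {"pid": 2200, "image": r"C:\Windows\explorer.exe",
     "type": "process_create", "cmdline": "vssadmin list shadows"},
]


def indicators(event):
    """Return the indicator names a single event matches."""
    hits = set()
    cmd = event.get("cmdline", "").lower()
    if (event["type"] == "registry_set"
            and event["target"].lower().endswith("\\disabletaskmgr")
            and event["value"] == "1"):
        hits.add("taskmgr_disabled")   # user can no longer inspect or kill it
    if (event["type"] == "process_create" and "vssadmin" in cmd
            and "delete shadows" in cmd):
        hits.add("backups_deleted")    # shadow copies removed before encryption
    if (event["type"] == "process_create" and "del " in cmd
            and event["image"].lower() in cmd):
        hits.add("self_delete")        # process removes its own image from disk
    return hits


def score(events, threshold=2):
    """Group indicators by pid; report processes at or above the threshold."""
    by_pid = defaultdict(set)
    for event in events:
        by_pid[event["pid"]] |= indicators(event)
    return {pid: hits for pid, hits in by_pid.items() if len(hits) >= threshold}
```

Raising the threshold trades recall for precision; a lone `vssadmin list shadows` from an administrator, as in pid 2200, never reaches it.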
Trend Micro said it detected a second Big Head artifact with both ransomware and stealer behavior, the latter leveraging the open-source WorldWind Stealer to harvest web browser history, directory listings, running processes, product keys, and network information.
Also discovered was a third variant of Big Head which incorporates a file infector called Neshta, which is used to inject malicious code into executables on infected hosts.
“Incorporating Neshta into the ransomware deployment may also serve as a camouflage technique for the final Big Head ransomware payload,” the Trend Micro researchers said.
“This technique can make malware appear as a different type of threat, such as a virus, which can shift the priority of security solutions that primarily focus on ransomware detection.”
The identity of the threat actor behind Big Head is currently unknown, but Trend Micro says it has identified a YouTube channel named “free premium app”, suggesting an adversary possibly based in Indonesia.
“Security teams must remain prepared given the multiple functions of malware,” the researchers concluded. “This multifaceted nature gives malware the potential to cause significant harm once fully operational, making it more challenging to maintain systems, as each attack vector requires separate attention.”