A nascent ransomware strain dubbed “Big Head” has the potential to “cause significant harm once fully operational,” researchers say.
First reported by FortiGuard Labs last month, several distinct versions of Big Head have now been analyzed, leaving researchers worried the diverse and multifaceted nature of the nascent malware will make it difficult to combat once it is further developed.
In a report posted Friday, Trend Micro said while there was no evidence as yet Big Head had been used successfully, its developers appeared to be experienced, although possibly not sophisticated, threat actors.
Big Head’s “diverse functionalities, encompassing stealers, infectors, and ransomware samples” was concerning, researchers Ieriz Nicolle Gonzalez, Katherine Casona and Sarah Pearl Camiling said in the post.
“This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention.”
The Trend Micro researchers said they suspected the three distinct samples of Big Head they analyzed were all distributed via malvertisements (malicious ads) for fake Windows updates and fake Word installers.
“The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process,” they wrote.
One sample of Big Head delivered three binaries that dropped executable files to perform a range of functions on the target system. These included encrypting files, deploying a Telegram bot that communicated with the threat actor’s chatbot ID, displaying the fake Windows update UI, and installing ransom notes as Read Me files and wallpaper.
The executable responsible for the Telegram bot, teleratserver.exe, was a 64-bit Python-compiled binary that accepted the commands “start”, “help”, “screenshot” and “message” to communicate between the victim and the threat actor via the messaging app.
A second sample of Big Head analyzed by Trend Micros included additional data stealing capabilities. It deployed WorldWind Stealer malware to collect a range of data including browsing history of all available browsers, lists of directories and running processes, a replica of drivers, and a screenshot of the screen after running the malware.
A third sample included Neshta, a virus-distributing malware that inserts malicious code into executable files.
“Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload,” the researchers said.
“This technique can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware.”
While the identity of the group behind Big Head remains a mystery, Trend Micro discovered some details including a YouTube channel apparently run by the threat actor, and a Telegram username.
The malware terminates itself if the system language of a potential target matches the Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek country codes, suggesting the threat actor had ties to the former Soviet states now united as the Commonwealth of Independent States.
The group’s YouTube channel, which includes demonstrations of malware used by the threat actors, has the username “aplikasi premium cuma cuma”, meaning “premium application for free” in Bahasa, the official language of Indonesia.
“While it is possible, we can only speculate on any connection between the ransomware and the countries that use the said language,” the Trend Micro researchers said.
While the group’s malware suggests a level of experience, their actions – including running a YouTube channel devoid of any evidence they have carried out any successful attacks – indicates “they might not be sophisticated actors as a whole,” the researchers said.
“From a technical point of view, these malware developers left recognizable strings, used predictable encryption methods, or implement[ed] weak or easily detectable evasion techniques, among other ‘mistakes’.”
Discovering Big Head when the ransomware was still being developed and prior to any successful attacks or infections was “a huge advantage for security researchers and analysts,” the researchers said.
“Analysis and reporting of the variants provide an opportunity to analyze the codes, behaviors, and potential vulnerabilities. This information can then be used to develop countermeasures, patch vulnerabilities, and enhance security systems to mitigate future risks.”
Trend Micro has posted a list of indicators of compromise compiled through its research.
Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
SC Staff
A Rust-based injector named Freeze[.]rs, originally created by Optive as an open-source red teaming tool, is now being used by threat actors to spread a commodity malware called XWorm, The Hacker News reports.
SC Staff
Security researchers at Zscaler ThreatLabz have released a technical report on a newly discovered information malware strain dubbed Statc Stealer, which targets the sensitive payment and personal information of Microsoft Windows users, reports The Hacker News.
SC Staff
A new report by the Cybersecurity and Infrastructure Security Agency disclosed the existence of a new backdoor malware called Whirlpool that a malicious cyber group deployed in the recent breaches targeting Barracuda Email Security Gateway devices, BleepingComputer reports.
–
On-Demand Event
On-Demand Event
By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.
Copyright © 2023 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.
Your use of this website constitutes acceptance of CyberRisk Alliance Privacy Policy and Terms & Conditions.