
Big Head: the new fast-spreading multi-functional ransomware

An advanced ransomware has been detected hiding behind fake Windows update notifications and Word installers. It is widespread mainly in the USA, Spain, France and Türkiye.

The article discusses a new type of ransomware, Big Head, which reaches victims through simulated Windows updates and counterfeit software. The malware drops encrypted binaries to spread itself and disable protections before encrypting files. Variants also include data-stealing capabilities and a file infector that targets executable files. The origin and identity of the threat actor remain unknown. Experts emphasize the importance of being prepared for this new malware.


A new type of ransomware still under development, called Big Head, is being distributed through a malvertising campaign. The campaign uses fake notifications of Microsoft Windows updates and Word installations as lures. Big Head was first identified by the Fortinet FortiGuard lab last month. On that occasion, several variants of the ransomware were discovered, all designed to encrypt files on victims' devices and demand a payment in cryptocurrency for their release.

Modus operandi of Big Head

Some variants of Big Head ransomware simulate a fake Windows update. One of the variants has a Microsoft Word icon and appears to have been distributed as counterfeit software. Most of the Big Head samples collected so far come from the United States, Spain, France and Turkey.

Internal structure and functionality of Big Head

In a recent analysis of the .NET-based ransomware, Trend Micro took a detailed look at its capabilities. The malware drops three encrypted binaries: 1.exe to spread the malware, archive.exe to handle Telegram communication, and Xarch.exe to encrypt files and display a fake Windows update screen. Like other ransomware families, Big Head deletes backups, kills various processes and checks whether it is running in a virtualized environment before encrypting files. It also disables the Task Manager to prevent users from interrupting or examining its processes, and self-destructs if the machine's language matches that of certain former Soviet Union countries.
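Several of the behaviours described above (backup deletion, forced process termination, disabling the Task Manager) leave traces in process command-line telemetry that a defender can hunt for regardless of the ransomware family. The following is an added detection example written for this page; it is not code from the article or from Trend Micro's analysis. The command-line patterns, the registry value it looks for and the sample events are this editor's assumptions about how such behaviour typically surfaces in endpoint logs, and the sample events are constructed, not captured from Big Head.

```python
import re

# Constructed sample process command lines (not real telemetry from Big Head samples).
# The last entry is benign and should produce no hits.
SAMPLE_EVENTS = [
    "cmd.exe /c vssadmin delete shadows /all /quiet",
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    " /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    "taskkill /F /IM taskmgr.exe",
    "wbadmin delete catalog -quiet",
    "notepad.exe C:\\Users\\user\\notes.txt",
]

# One rule per behaviour mentioned in the article. Each pattern is an assumption
# about how that behaviour appears on the command line, chosen for hunting, not
# a signature extracted from the samples themselves.
RULES = {
    # Shadow copy / backup catalog deletion before encryption.
    "backup_deletion": re.compile(
        r"\b(vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog|wmic\s+shadowcopy\s+delete)\b",
        re.IGNORECASE,
    ),
    # Task Manager disabled via the DisableTaskMgr policy value set to 1.
    "taskmgr_disabled": re.compile(r"DisableTaskMgr.*?/d\s+1\b", re.IGNORECASE),
    # Forced termination of processes.
    "process_kill": re.compile(r"\btaskkill\b.*\s/F\b", re.IGNORECASE),
}


def classify(event: str) -> list[str]:
    """Return the names of all rules matched by a single command-line event."""
    return [name for name, rx in RULES.items() if rx.search(event)]


def score_host(events: list[str]) -> dict[str, list[str]]:
    """Group a host's events by the behaviour they exhibit.

    Any single hit is noisy on its own (admins do delete shadow copies); the
    interesting signal is several distinct behaviours appearing on one host.
    """
    hits: dict[str, list[str]] = {}
    for event in events:
        for tag in classify(event):
            hits.setdefault(tag, []).append(event)
    return hits


def is_suspicious_host(events: list[str], threshold: int = 2) -> bool:
    """Flag a host when at least `threshold` distinct behaviours are seen."""
    return len(score_host(events)) >= threshold


if __name__ == "__main__":
    for tag, matched in score_host(SAMPLE_EVENTS).items():
        print(f"{tag}: {len(matched)} event(s)")
    print("suspicious host:", is_suspicious_host(SAMPLE_EVENTS))
```

The threshold-based `is_suspicious_host` is the part worth keeping in a real pipeline: each rule alone fires on legitimate administration, but backup deletion, Task Manager lockout and forced process kills arriving together on one endpoint within a short window is the stacked pattern that the article's description of Big Head implies.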

Variants and threat actor identity

Trend Micro has detected a second variant of Big Head that combines ransomware and stealer behaviour, the latter leveraging the open-source tool WorldWind Stealer to collect web browser history, directory listings, running processes, the product key and network information. A third variant of Big Head has also been discovered that includes a file infector called Neshta, used to insert malicious code into executable files on the infected host. The identity of the threat actor behind Big Head is not currently known, but a YouTube channel named "aplikasi premium cuma cuma" has been spotted, suggesting an adversary of possible Indonesian origin. Trend Micro's research team concludes by emphasizing the importance for security teams to stay prepared for the different features of this malware.


07/11/2023 09:17

Marco Verro
