Big Head: the new fast-spreading multi-functional ransomware
An advanced ransomware has been detected hiding behind fake Windows update notifications and Word installations. It is spread mainly in the USA, Spain, France and Türkiye.
The article discusses a new type of ransomware, Big Head, which poses a threat through simulated Windows updates and counterfeit software. The malware drops encrypted binaries to spread itself and disable protections. Variants also include data theft capabilities and a file infector that attacks executable files. The origin and identity of the threat actor remain unknown. Experts emphasize the importance of preparedness in dealing with this new malware.
A new type of ransomware under development, called Big Head, is being distributed through a malvertising campaign. This campaign exploits fake notifications of Microsoft Windows updates and Word installations. Big Head was first identified by the Fortinet FortiGuard lab last month. On that occasion, several variants of the ransomware were discovered, all designed to encrypt files on victims' devices in exchange for a payment in cryptocurrencies.
Modus operandi of Big Head
Some variants of Big Head ransomware simulate a fake Windows update. One of the variants has a Microsoft Word icon and appears to have been distributed as counterfeit software. Most of the Big Head samples collected so far come from the United States, Spain, France and Turkey.
Internal structure and functionality of Big Head
In a recent analysis of the .NET-based ransomware, Trend Micro examined its capabilities in detail. The malware drops three encrypted binaries: 1.exe to spread the malware, archive.exe to facilitate Telegram communication and Xarch.exe to encrypt files and simulate a fake Windows update. Big Head, like other ransomware families, deletes backups, kills various processes and checks whether it is running in a virtualized environment before encrypting files. It also disables the Task Manager to prevent users from interrupting or examining its processes, and self-destructs if the machine's language matches that of some former Soviet Union countries.
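The behaviours listed above (dropping named binaries, deleting backups, disabling Task Manager) are the kind of thing an endpoint detection rule can key on. The following Python script is an added example written for this article; it is not code from Trend Micro, Fortinet or the malware analysis. It runs over constructed telemetry lines, not real logs. Two of its indicators are assumptions: the article says Big Head disables Task Manager and deletes backups but does not name the mechanism, so the script treats the Windows `DisableTaskMgr` policy value and a `vssadmin delete shadows` command as stand-ins for those two behaviours. The dropped binary names (1.exe, archive.exe, Xarch.exe) come from the article itself.

```python
import json
import re
from typing import Dict, List

# Binaries the article says Big Head drops (names taken from the text).
DROPPED_BINARIES = {"1.exe", "archive.exe", "xarch.exe"}

# Registry policy value that hides Task Manager from the user. This is a real
# Windows policy value, but treating it as Big Head's mechanism is an
# assumption: the article only says Task Manager is disabled.
TASKMGR_POLICY_RE = re.compile(r"\\policies\\system\\disabletaskmgr$", re.IGNORECASE)

# Shadow-copy deletion is one common way ransomware "deletes backups".
# Assumption: the article does not say which command Big Head uses.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Constructed sample telemetry (not captured from a real host): one JSON object
# per line, loosely modelled on process-creation and registry-set events.
SAMPLE_EVENTS = r"""
{"event": "process_create", "host": "ws-01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Xarch.exe", "cmdline": "Xarch.exe"}
{"event": "process_create", "host": "ws-01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"event": "registry_set", "host": "ws-01", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "data": "1"}
{"event": "process_create", "host": "ws-02", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n"}
{"event": "registry_set", "host": "ws-02", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "data": "1"}
"""


def _basename(path: str) -> str:
    """Return the file name portion of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_event(evt: Dict) -> List[Dict]:
    """Apply the three rules to a single parsed event and return any findings."""
    findings: List[Dict] = []
    host = evt.get("host", "?")
    if evt.get("event") == "process_create":
        image = _basename(evt.get("image", ""))
        if image.lower() in DROPPED_BINARIES:
            findings.append({"host": host, "rule": "bighead_dropped_binary", "evidence": image})
        cmdline = evt.get("cmdline", "")
        if SHADOW_DELETE_RE.search(cmdline):
            findings.append({"host": host, "rule": "shadow_copy_deletion", "evidence": cmdline})
    elif evt.get("event") == "registry_set":
        key = evt.get("key", "")
        if TASKMGR_POLICY_RE.search(key) and str(evt.get("data")) == "1":
            findings.append({"host": host, "rule": "task_manager_disabled", "evidence": key})
    return findings


def detect(raw_lines: str) -> List[Dict]:
    """Parse newline-delimited JSON telemetry and collect findings from every event."""
    findings: List[Dict] = []
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the pipeline
        findings.extend(check_event(evt))
    return findings


def hosts_with_multiple_behaviours(findings: List[Dict], minimum: int = 2) -> List[str]:
    """Hosts where at least `minimum` distinct rules fired. Several of the
    article's behaviours on one machine is a stronger signal than any one alone
    (a lone vssadmin call can be legitimate admin activity)."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']}: {f['rule']} ({f['evidence']})")
    print("escalate:", hosts_with_multiple_behaviours(results))
```

Running the script flags the three behaviours on ws-01 and nothing on ws-02, and the correlation step lists only ws-01 for escalation. Correlating several behaviours per host is the point: each individual rule is noisy on its own, while the combination described in the article is not something a normal workstation does.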
Threat actor variants and identities
Trend Micro has detected a second variant of Big Head with both ransomware and information-stealing behavior, the latter leveraging the open-source tool WorldWind Stealer to collect web browser history, directory listings, running processes, product key, and networks. A third variant of Big Head has also been discovered which includes a file infector called Neshta, used to insert malicious code into executable files on the infected host. The identity of the threat actor behind Big Head is not currently known, but a YouTube channel has been spotted with the name "aplikasi premium cuma cuma", suggesting a possible adversary of Indonesian origin. Trend Micro's research team concludes by emphasizing the importance for security teams to stay prepared for the different features of this malware.
07/11/2023 09:17
Marco Verro