Application security, Application security, Threat Management, Malware, Ransomware

Viro Botnet ransomware comes with a botnet

Researchers discovered a ransomware with Botnet capabilities representing threat actors diversifying attack methods to raise the ante.

Trend Micro researchers spotted the ransomware dubbed “Viborot” targeting users in the United States that once infected, the machine would become part of a spam email botnet that sought out new ransomware victims, according to a Sept. 21 blog post.

The malware even uses the infected Machine’s Microsoft Outlook to send spam emails to the user’s contact list and was first observed in the wild on September 17, 2018 just a week after researcher’s spotted PyLocky ransomware imitating Locky.

“Virobot was first observed in the wild on September 17, 2018, seven days after we analyzed a ransomware variant that imitates the notorious Locky ransomware,” researchers said in the post. “Once Virobot is downloaded to a machine, it will check the presence of registry keys (machine GUID and product key) to determine if the system should be encrypted.”

Viborot then generates an encryption and decryption key via a cryptographic Random Number Generator and will then display the ransom note. Researchers noted that the ransom note was written in French despite it primarily affecting U.S. targets at the time.

In addition, Viborot sported a keylogging feature, and connects back to its C&C server to send logged key strokes from an infected machine, once connected to the server, the malware may download files possibly another malware and executes it using PowerShell.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.