A nascent ransomware strain dubbed "Big Head" has the potential to "cause significant harm once fully operational,” researchers say.
First reported by FortiGuard Labs last month, several distinct versions of Big Head have now been analyzed, leaving researchers worried the diverse and multifaceted nature of the nascent malware will make it difficult to combat once it is further developed.
In a report posted Friday, Trend Micro said while there was no evidence as yet Big Head had been used successfully, its developers appeared to be experienced, although possibly not sophisticated, threat actors.
Big Head’s “diverse functionalities, encompassing stealers, infectors, and ransomware samples” was concerning, researchers Ieriz Nicolle Gonzalez, Katherine Casona and Sarah Pearl Camiling said in the post.
“This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention.”
Fake Microsoft ads used as lures
The Trend Micro researchers said they suspected the three distinct samples of Big Head they analyzed were all distributed via malvertisements (malicious ads) for fake Windows updates and fake Word installers.
“The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process,” they wrote.
One sample of Big Head delivered three binaries that dropped executable files to perform a range of functions on the target system. These included encrypting files, deploying a Telegram bot that communicated with the threat actor’s chatbot ID, displaying the fake Windows update UI, and installing ransom notes as Read Me files and wallpaper.
The executable responsible for the Telegram bot, teleratserver.exe, was a 64-bit Python-compiled binary that accepted the commands “start”, “help”, “screenshot” and “message” to communicate between the victim and the threat actor via the messaging app.
A second sample of Big Head analyzed by Trend Micros included additional data stealing capabilities. It deployed WorldWind Stealer malware to collect a range of data including browsing history of all available browsers, lists of directories and running processes, a replica of drivers, and a screenshot of the screen after running the malware.
A third sample included Neshta, a virus-distributing malware that inserts malicious code into executable files.
“Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload,” the researchers said.
“This technique can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware.”
Clues to the malware’s creators
While the identity of the group behind Big Head remains a mystery, Trend Micro discovered some details including a YouTube channel apparently run by the threat actor, and a Telegram username.
The malware terminates itself if the system language of a potential target matches the Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek country codes, suggesting the threat actor had ties to the former Soviet states now united as the Commonwealth of Independent States.
The group’s YouTube channel, which includes demonstrations of malware used by the threat actors, has the username “aplikasi premium cuma cuma”, meaning “premium application for free” in Bahasa, the official language of Indonesia.
“While it is possible, we can only speculate on any connection between the ransomware and the countries that use the said language,” the Trend Micro researchers said.
The value of finding them early
While the group’s malware suggests a level of experience, their actions – including running a YouTube channel devoid of any evidence they have carried out any successful attacks – indicates “they might not be sophisticated actors as a whole,” the researchers said.
“From a technical point of view, these malware developers left recognizable strings, used predictable encryption methods, or implement[ed] weak or easily detectable evasion techniques, among other ‘mistakes’.”
Discovering Big Head when the ransomware was still being developed and prior to any successful attacks or infections was “a huge advantage for security researchers and analysts,” the researchers said.
“Analysis and reporting of the variants provide an opportunity to analyze the codes, behaviors, and potential vulnerabilities. This information can then be used to develop countermeasures, patch vulnerabilities, and enhance security systems to mitigate future risks.”
Trend Micro has posted a list of indicators of compromise compiled through its research.
