Cyber Pirates’ Hidden Castle: Revealing the Secrets of the Big Head Ransomware
The mysterious Big Head ransomware does not give the user a chance to prevent infection.
Security researchers from the information security company Trend Micro found that the still-in-development Big Head ransomware is distributed through malicious ads that masquerade as Windows updates and Word installers.
Big Head was first spotted by researchers from Fortinet FortiGuard Labs in June when they discovered several variants of this virus that encrypt files on victims’ computers and extort cryptocurrencies.
One variant of the Big Head ransomware displays a fake Windows update, while another has a Microsoft Word icon and was likely distributed as fake software. Most Big Head samples were shipped from the US, Spain, France and Turkey.
In a new analysis of the .NET-based ransomware, Trend Micro described its internal structure. Experts drew attention to Big Head’s ability to deploy three encrypted binaries:
- 1.exe – distributes malware;
- archive.exe – provides communication via Telegram;
- Xarch.exe – encrypts files and displays a fake Windows update.
Image: the three Big Head binaries.
The malware displays a fake Windows update screen to trick the user into thinking that a legitimate software update is in progress. The displayed update percentage advances in increments every 100 seconds.
Image: Big Head’s chain of infection.
Big Head, like other ransomware, removes backups, shuts down multiple processes, and checks to see if it’s running in a virtualized environment before it starts encrypting files.
The malware also disables the task manager, preventing users from interrupting it or examining processes. “Big Head” self-destructs if the system language matches Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar or Uzbek.
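The two behaviours just described, deleting backups and disabling Task Manager, are among the most reliable host-level signals a defender can alert on before encryption starts. The following is an added example, not code from the article or from Trend Micro’s report: a small scanner that runs over constructed process-creation and registry-write event lines and flags hosts showing both behaviours. The event format, field names, host names and the specific Windows commands and registry value it looks for (vssadmin, wmic, wbadmin, bcdedit, and the DisableTaskMgr policy value) are assumptions for illustration; the article itself only states that Big Head “removes backups” and “disables the task manager”.

```python
import re
from dataclasses import dataclass

# Generic Windows mechanisms commonly abused to remove recovery options.
# These are assumed detection patterns, not indicators quoted from the article.
BACKUP_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]
# Policy value that hides Task Manager from the user (assumed pattern).
TASKMGR_POLICY = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)

# Constructed sample telemetry in a simple "key=value|key=value" layout.
SAMPLE_LOG = [
    "event=process_create|host=ws01|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin delete shadows /all /quiet",
    "event=process_create|host=ws01|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe report.txt",
    "event=registry_set|host=ws01|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr|value=1",
    "event=process_create|host=ws02|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd /c bcdedit /set {default} recoveryenabled no",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    technique: str
    evidence: str


def parse_line(line: str) -> dict:
    """Split one constructed event line into a field dictionary."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def scan(lines):
    """Return one Finding per event that matches a watched behaviour."""
    findings = []
    for no, line in enumerate(lines, 1):
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev.get("event") == "process_create":
            cmd = ev.get("cmd", "")
            if any(p.search(cmd) for p in BACKUP_DELETION):
                findings.append(Finding(no, host, "backup_deletion", cmd))
        elif ev.get("event") == "registry_set":
            key, value = ev.get("key", ""), ev.get("value", "")
            if TASKMGR_POLICY.search(key) and value == "1":
                findings.append(Finding(no, host, "taskmgr_disabled", key))
    return findings


def hosts_at_risk(findings, threshold=2):
    """Hosts on which at least `threshold` distinct techniques were seen.

    Requiring two distinct techniques keeps a single admin-run backup
    cleanup from paging anyone, while the combination seen here is much
    more characteristic of a ransomware pre-encryption phase.
    """
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in seen.items() if len(techs) >= threshold)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.host}] {f.technique}: {f.evidence}")
    print("hosts at risk:", hosts_at_risk(scan(SAMPLE_LOG)))
```

Run against the constructed log, the scanner reports a backup-deletion event and a Task Manager policy change on ws01 and a single recovery-disabling command on ws02; only ws01 crosses the two-technique threshold. In production the same logic would sit on Sysmon or EDR process and registry telemetry rather than on hand-written lines.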
The second Big Head artifact combines the functions of ransomware and a stealer, using the open-source tool World Wind Stealer to collect web browser history, directory listings, running processes, product keys, and network information.
The third Big Head variant is bundled with the file-infecting virus Neshta, which inserts malicious code into executable files on the infected host. This approach can give the malware the appearance of a different type of threat, such as a virus, which can divert the attention of security systems focused primarily on ransomware detection.
Image: the wallpaper that appears on the victim’s machine after infection.
It is currently unknown who is behind Big Head, but Trend Micro has discovered a YouTube channel linked to the attackers, named “aplikasi premium cuma Cuma”, which suggests the operator is likely based in Indonesia.
Image: the YouTube channel linked to the attackers.
Due to its versatility, Big Head has the potential to cause significant damage once fully operational. This also makes systems harder to protect, since each of its attack vectors requires its own defensive approach.
Big Head is a new and dangerous type of ransomware that can not only encrypt files but also steal data and infect other programs. It spreads through fake Windows updates and Word installers, so users should avoid running suspicious files and use reliable antivirus solutions to protect their systems.