Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that is being spread via malvertising promoting fake Windows updates and Microsoft Word installers.
Two samples of the malware were previously analyzed by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.
Today, Trend Micro published a technical report on Big Head claiming that both variants and a third they sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.
Faking a Windows update
‘Big Head’ ransomware is a .NET binary that installs three AES-encrypted files on the target system: one is used to propagate the malware, another is for Telegram bot communication, and the third encrypts files and can also display a fake Windows update to the user.

On execution, the ransomware also performs actions such as creating a registry autorun key, overwriting existing files if needed, setting system file attributes, and disabling the Task Manager.

Each victim is assigned a unique ID that is either retrieved from the %appdata%ID directory or generated as a random 40-character string.
The ransomware deletes shadow copies to prevent easy system restoration before encrypting the targeted files and appending a “.poop” extension to their filenames.

Additionally, Big Head terminates the following processes to prevent tampering with the encryption process and to release data that the malware needs to lock.

The Windows, Recycle Bin, Program Files, Temp, Program Data, Microsoft, and App Data directories are excluded from encryption to avoid rendering the system unusable.
Trend Micro has found that the ransomware checks whether it is running in a virtual machine, looks up the system language, and only proceeds to encryption if the language is not set to that of a member country of the Commonwealth of Independent States (former Soviet states).

During the encryption, the ransomware displays a screen that purports to be a legitimate Windows update.

After the encryption process completes, the following ransom note is dropped in multiple directories, and the victim’s wallpaper is also changed to alert them to the infection.
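The host-level behaviours described above (autorun key, Task Manager disabled, shadow copies deleted, files renamed with a “.poop” extension, a fixed set of directories skipped) are the kind of thing a responder would want to pick out of endpoint telemetry. The following is an added example, not code from the article or from Trend Micro’s or Fortinet’s reports: a small Python triage script that scans Sysmon-style event records for those behaviours and reports a process only when it trips several of them at once. The event records are constructed for illustration, and the exact command line Big Head uses to delete shadow copies and the registry value it sets to disable Task Manager are assumptions based on how those actions are commonly implemented; the article does not give them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One Sysmon-style telemetry record (shape assumed for this example)."""
    kind: str    # "process" | "registry" | "file"
    image: str   # full path of the process performing the action
    detail: str  # command line (process), value path (registry), target path (file)


# Directories the article reports Big Head skips. A ".poop" rename inside one
# would contradict the reported behaviour, so it is surfaced separately.
SKIPPED_DIRS = ("\\windows\\", "\\$recycle.bin\\", "\\program files\\",
                "\\temp\\", "\\programdata\\", "\\microsoft\\", "\\appdata\\")

# Behaviour rules. The shadow-copy command lines and the DisableTaskMgr policy
# value are ASSUMPTIONS about how the reported actions are usually carried out;
# the article does not state Big Head's exact commands or registry keys.
RULES = {
    "shadow_copy_deletion": ("process", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"win32_shadowcopy", re.I)),
    "autorun_key": ("registry", re.compile(
        r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)),
    "taskmgr_disabled": ("registry", re.compile(
        r"\\policies\\system\\disabletaskmgr$", re.I)),
    "poop_extension": ("file", re.compile(r"\.poop$", re.I)),
}


def match_rules(ev):
    """Return the names of every rule that a single event satisfies."""
    return [name for name, (kind, rx) in RULES.items()
            if ev.kind == kind and rx.search(ev.detail)]


def triage(events):
    """Group rule hits by the process image that produced them.

    Returns {image: {rule_name: [detail, ...]}}. Images with no hits are omitted.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name in match_rules(ev):
            hits[ev.image][name].append(ev.detail)
    return {img: dict(rules) for img, rules in hits.items()}


def is_suspicious(events, min_rules=2):
    """Images showing at least `min_rules` distinct Big-Head-like behaviours.

    Requiring more than one rule keeps an admin's lone vssadmin call or a
    legitimate Run-key entry from being reported on its own.
    """
    return sorted(img for img, rules in triage(events).items()
                  if len(rules) >= min_rules)


def renames_in_skipped_dirs(events):
    """'.poop' renames under directories the article says are left alone."""
    return [ev.detail for ev in events
            if ev.kind == "file" and ev.detail.lower().endswith(".poop")
            and any(d in ev.detail.lower() for d in SKIPPED_DIRS)]


# Constructed sample telemetry; not real records from an infection.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE = [
    Event("registry", DROPPER,
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"),
    Event("registry", DROPPER,
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"),
    Event("process", DROPPER, r"vssadmin.exe delete shadows /all /quiet"),
    Event("file", DROPPER, r"C:\Users\alice\Documents\budget.xlsx.poop"),
    Event("file", DROPPER, r"C:\Users\alice\Pictures\cat.jpg.poop"),
    # Benign noise: each of these trips at most one rule.
    Event("process", r"C:\Windows\System32\cmd.exe", r"vssadmin.exe list shadows"),
    Event("registry", r"C:\Windows\explorer.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE).items():
        print(image)
        for name, details in rules.items():
            print(f"  {name}: {len(details)} hit(s)")
    print("suspicious:", is_suspicious(SAMPLE))
    print("renames in skipped dirs:", renames_in_skipped_dirs(SAMPLE))
```

On the constructed sample the dropper trips all four rules and is the only image reported, while the console `vssadmin list` and the OneDrive Run entry are not. The threshold in `is_suspicious` is the knob to tune against real telemetry; the regexes are deliberately narrow and would need widening to cover other shadow-copy deletion methods.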

Other variants
Trend Micro also analyzed two more Big Head variants, highlighting some key differences compared to the standard version of the ransomware.
The second variant retains the ransomware capabilities but also incorporates stealer behavior, with functions to collect and exfiltrate sensitive data from the victim system.
The data this version of Big Head can steal includes browsing history, directory listings, installed drivers, running processes, the product key, and active networks, and it can also capture screenshots.

The third variant, discovered by Trend Micro, includes a file infector identified as “Neshta,” which injects malicious code into executables on the breached system.
Although the exact purpose of this is unclear, Trend Micro’s analysts speculate that it may be intended to evade detection that relies on signature-based mechanisms.
Notably, this variant uses a different ransom note and wallpaper from the other two, yet it is still linked to the same threat actor.

Conclusion
Trend Micro notes that Big Head is not a sophisticated ransomware strain: its encryption methods are fairly standard, and its evasion techniques are easy to detect.
However, it appears to target consumers who can be fooled by simple tricks (e.g. a fake Windows update) or who have difficulty understanding the safeguards needed to steer clear of cybersecurity risks.
The multiple variants in circulation suggest that the creators of Big Head are continuously developing and refining the malware, experimenting with various approaches to see what works best.
Update 7/10/23 – Cyber-intelligence firm KELA shared additional information with BleepingComputer, indicating that Big Head’s main author is likely of Indonesian origin.
KELA’s analysts discovered a Telegram user employing the same names and avatars as those found in Big Head’s ransom note, claiming to be a “ransomware expert” in posts published on “IndoGhostsec.”

The user renamed the group from ‘BIG HEAD HACKER!’ to ‘BLACKHAT HACKER INDONESIA’ in June 2022, and in March 2023 began seeking the help of other members in an effort to build a ransomware builder and other related tools.
