A new strain of ransomware called Big Head is being distributed through a malvertising campaign, disguising itself as fake Microsoft Windows updates and Word installers.
Fortinet FortiGuard Labs discovered multiple variants of this ransomware designed to encrypt victims’ files and demand a cryptocurrency payment for their release. The malware has been observed displaying a fake Windows Update interface to deceive victims into thinking it’s a legitimate software update process.
It has also been found to delete backups, terminate processes, and incorporate various techniques to evade detection, such as disabling the Task Manager and aborting if the machine’s language matches certain languages.
Trend Micro conducted a detailed analysis of the .NET-based ransomware, uncovering its ability to deploy three encrypted binaries: 1.exe for propagation, archive.exe for communication over Telegram, and Xarch.exe for file encryption and the display of fake Windows updates.
The security company also detected additional variants of Big Head that exhibited both ransomware and stealer behaviors, leveraging tools like WorldWind Stealer to harvest sensitive information from victims’ systems. Another variant incorporated a file infector called Neshta to insert malicious code into executables.
Although the identity of the threat actor behind Big Head remains unknown, Trend Micro identified a YouTube channel with the name “aplikasi premium cuma cuma,” hinting at a likely Indonesian origin.
Given the malware’s diverse functionalities and its potential to cause significant harm, security teams are advised to remain prepared. Defending against Big Head is challenging due to its multifaceted nature, as each attack vector requires separate attention.
Vigilance and robust security measures are crucial to protect systems from this evolving ransomware threat.
