Trojan Spreads Via Fake Windows Update

Windows 10 update

Malware finds its victims in a variety of ways. Now a very perfidious trick has become known: The “Big Head” ransomware is transported via fake Windows updates and Microsoft Word installation programs.

Of course, hiding in supposedly legitimate software is nothing new. What is new, however, is how “Big Head” proceeds. Among other things, the display of the Windows update process is imitated, while no update, but the encryption of the system is running in the background.

This was discovered by Fortinet security researchers. Trend Micro has now presented a comprehensive report. Accordingly, Big Head comes in three different variants to increase effectiveness. One variant displays a fake Windows update, possibly indicating that the ransomware was also distributed as a fake Windows update installer.

Spoofing a Windows update

One of the variants has a Microsoft Word icon and was likely offered for download as fake software. “Big Head” itself consists of a .NET binary that installs three AES-encrypted files on the target system: one is used to propagate the malware, another is used to communicate with the Telegram bot, and the third encrypts files and allows the user also shows a fake Windows update.

Big Head starts various actions

Once launched, the ransomware performs actions like creating a registry key, overwriting existing files, setting system file attributes, and disabling Task Manager. So-called shadow copies are then deleted to prevent an easy system restore before the files are encrypted and a “.poop” extension is appended to their filenames.

In addition, Big Head shuts down various security processes to prevent tampering with the encryption process and release data that the malware aims to lock.

The “Windows”, “Recycle Bin”, “Programs”, “Temp”, “Program Data”, “Microsoft” and “Application Data” directories are skipped during encryption so as not to render the system unusable. This also delays the detection of the blackmail Trojan. During encryption, the ransomware then displays a screen pretending to be a legitimate Windows update. After the encryption process, the ransom note is dropped into multiple directories and the victim’s wallpaper is also changed to indicate the infection.

Consumers are the target

What’s also interesting, Big Head seems to focus on consumers who are being fooled with simple tricks (e.g. fake Windows updates) or who have trouble understanding the necessary safeguards to protect themselves from cyber security risks. So you’re not targeting companies. There is currently no indication of how widespread Big Head already is.

Leave a Reply