New Virobot malware works as ransomware, keylogger, and botnet

A newly discovered malware strain is a multi-purpose threat: besides working as ransomware and encrypting users' files, it also logs and steals their keystrokes and adds infected computers to a spam-sending botnet.
The new threat is named Virobot. It appears to be under development and is made up of multiple components that let it operate as a botnet, a ransomware, and a keylogger.
Its ransomware component appears to be a unique strain with no ties to previous ransomware family trees, according to cyber-security firm Trend Micro, whose malware analysts spotted the new threat this week.
But while the Virobot ransomware component appears to be unrelated to any other ransomware strain, its mode of operation is nothing new, and it follows the same modus operandi as earlier ransomware.
If a user is tricked into opening a malicious email attachment and running the ransomware, it generates a random encryption and decryption key, which it also sends to a remote command and control (C&C) server.
The encryption process uses the RSA encryption scheme, and Virobot targets files with the following extensions: TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF, and SWP.
Once this operation finishes, Virobot shows a ransom note on the user's screen. The note is written in French, which Trend Micro researchers found odd because the campaign spreading the ransomware had targeted US users.
Virobot ransom note
Interestingly, Virobot is not the only ransomware with a French connection that appeared in the past few weeks. At the end of August, security researchers noticed that a ransomware strain named PyLocky, created to imitate the much more famous Locky ransomware, had also been very active in targeting France, albeit there appears to be no connection between Virobot and PyLocky.
As for Virobot's other modules, Trend Micro said the keylogger system was very simplistic, logging all local keystrokes and sending the raw data to the C&C server.
On the other hand, the botnet module was more powerful. This module also allowed the Virobot operator to download other malware from the ransomware's C&C server and execute it.
Further, this module would also work as a spam module, using the locally installed Outlook app to send spam to the user's contact list. Trend Micro reported that Virobot would use this module to spread a copy of itself or another malicious file downloaded from its C&C server.
Michael Gillespie, the owner of ID Ransomware, a service for scanning encrypted files to determine what type of ransomware has infected a PC, told ZDNet today that there is currently no way of detecting Virobot infections via his portal.
This is because the ransomware component shares its detection indicators with other strains: for example, it appends the .enc extension to encrypted files, an extension used by many other families, so the extension alone cannot identify it. The French-language ransom note, however, is a usable indicator for users trying to determine whether they have been infected with Virobot.
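The two indicators above (the targeted extension list and the appended .enc suffix) are enough for a first-pass triage of a suspect machine, even if they are not enough for ID Ransomware to name the family. The following script is an added example and is not code from the article or from Trend Micro's analysis. It walks a directory tree, counts files whose names match `<name>.<targeted extension>.enc`, separately counts other .enc files, and looks for a French-language text file as a second signal. The ransom-note phrases, the note being a .txt file, and the sample files it builds are all assumptions made here for illustration, not indicators taken from the article.

```python
"""Triage scanner for the Virobot indicators described in the article.

Added example: not from the original article or Trend Micro's analysis.
The French cue phrases and the constructed sample tree are assumptions.
"""
import os
import re
import tempfile
from collections import Counter

# Extension list as given in the article.
TARGET_EXTS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt", "jpg", "png",
    "csv", "sql", "mdb", "sln", "php", "asp", "aspx", "html", "xml", "psd",
    "pdf", "swp",
}

# Matches "<anything>.<targeted ext>.enc", case-insensitive.
ENC_RE = re.compile(r"\.(" + "|".join(sorted(TARGET_EXTS)) + r")\.enc$",
                    re.IGNORECASE)

# Assumed French-language cues for a ransom note (NOT taken from the article).
FRENCH_NOTE_CUES = ("vos fichiers", "chiffr", "rançon", "rancon")


def classify_name(name):
    """Return the original extension if name looks like '<x>.<ext>.enc', else None."""
    m = ENC_RE.search(name)
    return m.group(1).lower() if m else None


def looks_like_french_note(path, max_bytes=65536):
    """Cheap check: does a small text file contain any of the assumed French cues?"""
    try:
        with open(path, "rb") as f:
            text = f.read(max_bytes).decode("utf-8", "ignore").lower()
    except OSError:
        return False
    return any(cue in text for cue in FRENCH_NOTE_CUES)


def verdict(n_target_enc, has_french_note):
    """Turn the two signals into a human-readable triage result."""
    if n_target_enc == 0:
        return "no targeted .enc indicators"
    if has_french_note:
        return "possible Virobot (.enc on targeted extensions + French note)"
    return "generic .enc ransomware indicator; family undetermined"


def scan(root):
    """Walk root and collect the indicators; returns a dict of results."""
    enc_by_ext = Counter()   # .enc files whose inner extension is targeted
    other_enc = 0            # .enc files with some other inner extension
    notes = []               # candidate French-language ransom notes
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = classify_name(name)
            if ext:
                enc_by_ext[ext] += 1
            elif name.lower().endswith(".enc"):
                other_enc += 1
            elif name.lower().endswith(".txt") and looks_like_french_note(path):
                notes.append(path)
    n_target = sum(enc_by_ext.values())
    return {
        "encrypted_count": n_target,
        "by_original_ext": dict(enc_by_ext),
        "other_enc": other_enc,
        "french_notes": notes,
        "verdict": verdict(n_target, bool(notes)),
    }


def build_sample_tree():
    """Create a throwaway directory of constructed sample files (not real samples)."""
    base = tempfile.mkdtemp(prefix="virobot_triage_")
    samples = {
        "report.docx.enc": b"\x00ciphertext placeholder",
        "photo.JPG.enc": b"\x00ciphertext placeholder",   # case must not matter
        "dump.sql.enc": b"\x00ciphertext placeholder",
        "backup.tar.enc": b"\x00.enc but not a targeted extension",
        "notes.txt": b"plain English meeting notes, untouched",
        "LISEZMOI.txt": "Vos fichiers ont ete chiffres.".encode("utf-8"),
    }
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    import json
    print(json.dumps(scan(build_sample_tree()), indent=2))
```

On the constructed tree the scanner reports three targeted .enc files (docx, jpg, sql), one unrelated .enc file, one French note, and the "possible Virobot" verdict. The caveat from the paragraph above still applies: the .enc suffix alone only says "some ransomware", and the French-note check is a heuristic that a defender should confirm by hand.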
For now, according to Trend Micro, the threat has been temporarily mitigated: at the time of writing the Virobot C&C server was down, so Virobot's ransomware module would not start the encryption process on newly infected victims.
Since this is a new malware strain, the outage is most likely part of the testing that most malware distributors carry out, and the ransomware's C&C servers are expected to come back for broader distribution campaigns in the future.
Virobot is also not the first malware strain that combines different components. The line between ransomware, banking trojans, keyloggers, and other malware categories has been getting murkier in past years.
For example, malware strains such as MysteryBot, LokiBot, Rakhni, or XBash, have often come with multi-functional features, blending everything from ransomware to cryptominers in the same package.
Maybe that is why some researchers are now contesting Trend Micro's decision to categorize Virobot as ransomware instead of a botnet. With the lines getting blurry, it's getting hard to tell what's what anymore.
Article content and title updated after Trend Micro made changes to its original analysis.