New Virobot malware works as ransomware, keylogger, and botnet

Virobot will use locally installed Outlook instances to spam other users and spread a copy of itself.
Written by Catalin Cimpanu, Contributor

A newly discovered malware strain is a multi-tasking threat: besides working as ransomware and encrypting users' files, it can also log and steal their keystrokes and add infected computers to a spam-sending botnet.

This new threat is named Virobot. It appears to be under development and is comprised of multiple components that allow it to work as a botnet, ransomware, and keylogger.

Its ransomware component seems to be a unique strain that has no ties to previous ransomware family trees, according to cyber-security firm Trend Micro, whose malware analysts spotted this new threat this week.

But while the Virobot ransomware component appears to be unrelated to any other ransomware strain, its mode of operation is nothing new, following the same modus operandi as all previous threats.

Once a user is tricked into downloading and running the ransomware attached to email documents, it generates a random encryption and decryption key, which it also sends to a remote command and control (C&C) server.

The encryption process relies on the RSA encryption scheme, and Virobot will target files with the following extensions: TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF, and SWP.

Once this operation finishes, Virobot shows a ransom note on the user's screen, like the one below. This note is written in French, which Trend Micro researchers found odd because the campaign spreading the ransomware had targeted US users.


[Image: Virobot ransom note. Source: Trend Micro]

Interestingly, Virobot is not the only ransomware with a French connection that appeared in the past few weeks. At the end of August, security researchers noticed that a ransomware strain named PyLocky, created to imitate the much more famous Locky ransomware, had also been very active in targeting France, albeit there appears to be no connection between Virobot and PyLocky.

As for Virobot's other modules, Trend Micro said the keylogger system was very simplistic, logging all local keystrokes and sending the raw data to the C&C server.

On the other hand, the botnet module was more powerful. This module also allowed the Virobot operator to download other malware from the ransomware's C&C server and execute it.

Further, this module would also work as a spam module, using the locally installed Outlook app to send spam to the user's contact list. Trend Micro reported that Virobot would use this module to spread a copy of itself or another malicious file downloaded from its C&C server.

Michael Gillespie, the owner of ID Ransomware, a service for scanning encrypted files to determine what type of ransomware has infected a PC, told ZDNet today that there is currently no way of detecting Virobot infections via his portal.

This is due to the fact that the ransomware component shares common detection indicators with other strains, such as appending the .enc file extension to encrypted files, an extension used by many other strains. Luckily, its French-written ransom note is more than enough for users to guess or determine that they have been infected with Virobot.
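As an added example (not Trend Micro's code or anything from the original article), a small Python triage helper that ties together two points above: the list of extensions Virobot targets and the shared .enc suffix that makes the file name alone a weak indicator. It flags files whose original extension is on the target list, have .enc appended, and whose content is actually high-entropy, so files that were only renamed are not counted; the sample directory, the entropy threshold and the helper names are constructed for this illustration.

```python
import math
from collections import Counter
from typing import Dict, List, Optional

# File extensions Trend Micro reported Virobot targets (list taken from the article).
VIROBOT_TARGET_EXTS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt", "jpg", "png",
    "csv", "sql", "mdb", "sln", "php", "asp", "aspx", "html", "xml", "psd",
    "pdf", "swp",
}
# Suffix appended to encrypted files; the article notes many other families use it too.
ENCRYPTED_SUFFIX = ".enc"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain text and office formats well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_extension(name: str) -> Optional[str]:
    """For 'report.docx.enc' return 'docx'; None if the name is not of that shape."""
    if not name.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    if "." not in stem:
        return None
    return stem.rsplit(".", 1)[1].lower()


def triage(files: Dict[str, bytes], entropy_threshold: float = 7.0) -> List[str]:
    """Names that fit the Virobot pattern: targeted extension, '.enc' appended, and
    content that is actually high-entropy (renamed-only files are excluded)."""
    hits = []
    for name, data in files.items():
        ext = original_extension(name)
        if ext in VIROBOT_TARGET_EXTS and shannon_entropy(data) >= entropy_threshold:
            hits.append(name)
    return sorted(hits)


# Constructed sample directory (not real samples): a deterministic byte permutation stands in
# for ciphertext; the others are a renamed plain-text file, an untouched file, and a non-target ext.
_CIPHERTEXT_LIKE = bytes((i * 73 + 41) % 256 for i in range(4096))
SAMPLE_FILES = {
    "report.docx.enc": _CIPHERTEXT_LIKE,
    "photo.jpg.enc": b"not really encrypted, just renamed " * 100,
    "budget.xlsx": b"A1,B1,C1\n" * 300,
    "backup.bak.enc": _CIPHERTEXT_LIKE,
}
```

Because the .enc suffix is shared across families, a hit here only says "encrypted by something"; as the article notes, the French ransom note is what points at Virobot specifically.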

For now, according to Trend Micro, the threat has been temporarily mitigated because at the time of writing the Virobot C&C server was down, meaning Virobot's ransomware module would not start the encryption process if it infected new victims.

Since this is a new malware strain, the outage is most likely due to the testing that most malware distributors carry out, and the ransomware's C&C servers are expected to come back online eventually for broader distribution campaigns.

Virobot is also not the first malware strain that combines different components. The line between ransomware, banking trojans, keyloggers, and other malware categories has been getting murkier in past years.

For example, malware strains such as MysteryBot, LokiBot, Rakhni, or XBash have often come with multi-functional features, blending everything from ransomware to cryptominers in the same package.

Maybe that is why some researchers are now contesting Trend Micro's decision to categorize Virobot as ransomware instead of a botnet. With the lines getting blurry, it's getting hard to tell what's what anymore.

Article content and title updated after Trend Micro made changes to its original analysis.
