A newly discovered malware strain is a multi-tasking threat: besides working as ransomware and encrypting users' files, it can also log and steal their keystrokes and add infected computers to a spam-sending botnet.
This new threat is named Virobot and appears to be under development, and comprised of multiple components that allow it to work as a botnet, ransomware, and keylogger.
Its ransomware component seems to be a unique strain that has no ties to previous ransomware family trees, according to cyber-security firm Trend Micro, whose malware analysts spotted this new threat this week.
But while the Virobot ransomware component appears to be unrelated to any other ransomware strain, its mode of operation is nothing new and follows the same modus operandi as previous threats.
If a user is tricked into downloading and running the ransomware attached to email documents, the ransomware works by generating a random encryption and decryption key, which it also sends to a remote command and control (C&C) server.
The encryption process relies on the RSA encryption scheme, and Virobot will target files with the following extensions: TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF, and SWP.
Once this operation finishes, Virobot shows a ransom note on the user's screen, like the one below. This note is written in French, which Trend Micro researchers found odd because the campaign spreading the ransomware had targeted US users.
Interestingly, Virobot is not the only ransomware with a French connection that appeared in the past few weeks. At the end of August, security researchers noticed that a ransomware strain named PyLocky, created to imitate the much more famous Locky ransomware, had also been very active in targeting France, albeit there appears to be no connection between Virobot and PyLocky.
As for Virobot's other modules, Trend Micro said the keylogger system was very simplistic, logging all local keystrokes and sending the raw data to the C&C server.
On the other hand, the botnet module was more powerful. This module also allowed the Virobot operator to download other malware from the ransomware's C&C server and execute it.
Further, this module would also work as a spam module, using the locally installed Outlook app to send spam to the user's contact list. Trend Micro reported that Virobot would use this module to spread a copy of itself or another malicious file downloaded from its C&C server.
Michael Gillespie, the owner of ID Ransomware, a service for scanning encrypted files to determine what type of ransomware has infected a PC, told ZDNet today that there is currently no way of detecting Virobot infections via his portal.
This is due to the fact that the ransomware component shares common detection indicators with other strains, such as appending the .enc file extension to encrypted files, an extension used by many other strains. Luckily, its French-written ransom note is more than enough for users to guess or determine that they have been infected with Virobot.
For now, according to Trend Micro, the threat has been temporarily mitigated because at the time of writing the Virobot C&C server was down, meaning Virobot's ransomware module would not start the encryption process if it infected new victims.
Since this is a new malware strain, the outage is most likely a sign of the testing phase that most malware distributors go through, and the ransomware's C&C servers are expected to eventually come back online for broader distribution campaigns in the future.
Virobot is also not the first malware strain that combines different components. The line between ransomware, banking trojans, keyloggers, and other malware categories has been getting murkier in past years.
For example, malware strains such as MysteryBot, LokiBot, Rakhni, or XBash have often come with multi-functional features, blending everything from ransomware to cryptominers in the same package.
Maybe that is why some researchers are now contesting Trend Micro's decision to categorize Virobot as ransomware instead of a botnet. With the lines getting blurry, it's getting hard to tell what's what anymore.
Article content and title updated after Trend Micro made changes to its original analysis.