A new malware threat – titled Viro botnet malware – has been discovered that combines the file-encrypting powers of ransomware, with a keylogger to record passwords and a botnet capable of sending spam emails from infected devices.
Viro botnet malware is one of a new strain of malware variants that are highly flexible and have a wide variety of capabilities to maximize profit from a successful infection. There have been many recently discovered malware variants that have combined the file-encrypting properties of ransomware with cryptocurrency mining code.
The most recent threat was identified by security experts at Trend Micro who say that this new threat is still in development and seems to have been developed from scratch. The code is dissimilar to other known ransomware variants and ransomware families.
Some ransomware variants can self-propagate and can share from one infected device to other devices on the same network. Viro botnet malware achieves this by hijacking Outlook email accounts and using them to share spam email containing either a duplicate of itself as an attachment or a downloader to all people on the infected user’s contact list.
Viro botnet malware has been implemented in targeted attacks in the United States through spam email campaigns, although strangely, the ransom note dropped on the victims’ desktops is written in French. This is not the only new ransomware threat to include a French ransom note. PyLocky, a recently discovered new ransomware threat that looks like Locky ransomware, also had a French ransom note. This seems to be a coincidence as there are no indications that the two ransomware threats are linked or are being distributed by the same threat group.
With Viro botnet, Infection begins with a spam email containing a malicious attachment. If the attachment is opened and the content is permitted to run, the malicious payload will be installed. Viro botnet malware will first check registry keys and product keys to decide whether its encryption routine should run. If those checks are passed, an encryption/decryption key pair will be create through via a cryptographic Random Number Generator, which are then sent back to the hacker’s C2 server. Files are then encrypted via RSA and a ransom note is placed on the desktop.
Viro botnet malware also includes a basic keylogger which will log all keystrokes on an infected machine and send the data back to the hacker’s C2 server. The malware is also capable of downloading further malicious files from the hacker’s C2.
While the hacker’s C2 server was initially active, it has currently been deleted so any further devices that are infected will not have data encrypted. Connection to the C2 server is required for the encryption routine to start. Even though the threat has been neutralized this is thought to only be a brief hiatus. The C2 is expected to be resurrected and larger distribution campaigns are likely.
Safeguarding against email-based threats such as Viro botnet malware needs an advanced spam filtering solution such as SpamTitan to stop malicious messages from being sent to end users. Advanced antimalware software should be downloaded to detect malicious files should they be downloaded, and end users should receive security awareness training to help them spot security threats and respond properly.
Multiple backups should also be set up – with one duplicate copy stored securely offsite – to ensure files can be rescued following file encryption.