- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
A new ransomware strain was recently discovered by security researchers and is said to be distributed through a malvertising campaign that promotes fake Windows updates and Microsoft Word installers.
The ransomware, dubbed "Big Head", was first discovered by security researchers at FortiGuard Labs. Trend Micro later published a report claiming that both of the previously identified variants, as well as a third variant, were the work of a single threat actor.
The ransomware, a .NET binary, deploys AES-encrypted files on the victim's system: the first (1.exe) is used to propagate the malware, the second (archive.exe) communicates with the threat actor's Telegram channel, and the third (Xarch.exe) displays a bogus Windows update.
Similar to other ransomware, it performs several checks and inspections to decide whether to execute or self-terminate. Before encrypting files, the ransomware checks whether it is running in a virtual environment, deletes recovery backups, terminates processes, and avoids directories that could expose its presence.
Moreover, the malware can disable the Task Manager to prevent the victim from terminating or investigating its activities. It also self-terminates if the language of the user's machine matches Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek.
Two more variants of Big Head were identified by Trend Micro. The second Big Head variant has both ransomware and info-stealer capabilities. It exfiltrates various sensitive data from the user's system, including product keys, lists of directories and running processes, browsing history, and details of the operating network, and it captures screenshots.
The third variant includes a file infector identified as Neshta, which infects the target's machine by inserting malicious code into executable files. Use of this technique can disguise the threat as a virus, making it harder for security solutions to detect the ransomware.
The threat actor behind the ransomware remains unknown; however, researchers at Trend Micro speculate that it has Indonesian origins, based on a YouTube name that is a phrase in Bahasa. The researchers have also issued a security warning, given the multi-faceted nature of the ransomware.
Two Android File Management Spyware Apps Transfer Sensitive User Data to China
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
In a recent discovery, security researchers identified two spyware apps disguised as file management applications on the Google Play Store. With more than 1.5 million combined installations, the applications are said to affect a large number of Android users worldwide.
Attributed to the same developer, the applications launch automatically, without any user input, to exfiltrate sensitive user data.
The application identified as "File Recovery and Data Recovery" (com.spot.music.filedate) shows over a million installations, while "File Manager" (com.file.box.master.gkd) has been installed over 500,000 times.
According to the mobile security company Pradeo, the applications claim that no user data is collected. However, the company's behavioral analysis engine discovered that, without the users' knowledge, these applications collect information such as real-time location, contact lists (including those from email and social media accounts), mobile country code, network provider details, device brand and model, operating system version, the network code of the SIM provider, and media files including pictures, audio, and video content.
"Specifically, each application performs more than a hundred transmissions of the collected data, an amount that is so large it is rarely observed," noted Pradeo. The stolen data is transferred to various servers in China, which have been identified as malicious by security experts.
Furthermore, to establish their legitimacy, the app developers seem to have used install farms or mobile device emulators to boost the apps' install numbers and ranking in the store's search results. Pradeo's theory is borne out by the fact that both apps have a large user population but no user reviews.
To make matters worse, both apps obtain advanced permissions that allow them to launch automatically when the device restarts. They also make uninstallation difficult by hiding their app icons from the home screen.
In light of this discovery, it is essential that users check reviews before installing any application and thoroughly vet the permissions it requests before accepting them. It is also recommended to install applications only from trustworthy developers and organizations.