Researchers Discover Dangerous Big Head Malware Still in Development

Researchers have expressed concerns about a new ransomware strain called "Big Head" that has the potential to cause significant harm once it becomes fully operational. Several versions of Big Head have been analyzed, and their diverse, multifaceted nature will make the malware harder to defend against in the future.

Trend Micro reported that although there is no evidence of successful use of Big Head, its developers appear to be experienced but not necessarily sophisticated threat actors. The malware's various functionalities, including stealers, infectors, and ransomware samples, are worrisome and make defending systems more challenging, as each attack vector requires separate attention.

The researchers suspected that the three analyzed samples of Big Head were distributed through malicious advertisements masquerading as fake Windows updates and Word installers. The malware deceives victims by displaying a fake Windows Update user interface, making them believe it is a legitimate software update process.

One sample of Big Head deployed three binaries that carried out tasks such as encrypting files, deploying a Telegram bot, displaying the fake Windows Update UI, and dropping ransom notes. The executable responsible for the Telegram bot accepted commands, allowing it to communicate with the threat actor.

Another sample included data-stealing capabilities, collecting browsing history, directory listings, running processes, drivers, and screenshots. The third sample incorporated Neshta, a virus-distributing malware that camouflages the final Big Head ransomware payload, diverting attention from security solutions focused on detecting ransomware.

Although the group behind Big Head remains unknown, Trend Micro discovered a YouTube channel and a Telegram username associated with the threat actor. The malware terminates itself if the system language matches certain country codes, suggesting a potential connection to the former Soviet states now part of the Commonwealth of Independent States.

Why Do Hackers Often Use Telegram?

Hackers often use Telegram for several reasons:

Anonymity: Telegram provides a level of anonymity to users. It allows hackers to create accounts without requiring personally identifiable information and enables them to communicate without revealing their true identities.

Privacy and Encryption: Telegram offers end-to-end encryption, which means that messages exchanged between users are protected and can only be decrypted by the intended recipients. This encryption provides a secure communication channel for hackers to discuss and coordinate their activities without fear of interception.

Group Chats and Channels: Telegram allows users to create group chats and public channels, making it easy for hackers to share information, collaborate, and disseminate their malicious tools, techniques, and exploits to a wide audience. These features enable hackers to form communities, share knowledge, and coordinate their attacks.

It is important to note that while hackers may exploit the privacy and security features of Telegram for their malicious activities, the platform itself is not inherently malicious. Telegram is a legitimate messaging app used by millions of people worldwide for various purposes, including legitimate communication and file sharing.

July 12, 2023
