Technical analysis shows the Big Head ransomware is still being developed and is chock full of weirdness.
Earlier this year, reports of a new ransomware family dubbed ‘Big Head’ appeared online in various malware databases. This malware is making the rounds through malvertisement campaigns that look like Windows updates and Word installers, which is rather concerning becuase less savvy users often fall for these attacks.
Researchers at Trend Micro began to dig into this malware as it and three variants were discovered, and have published a technical report on the samples. The first sample is a .NET compiled binary that drops three subsequent executables, 1.exe, Archive.exe, and Xarch.exe, which all have different purposes.
1.exe embeds itself on the system, encrypts files with the ‘.poop’ extension, creates the ransom note, and changes the victim’s desktop background. Archive.exe drops another executable, a Telegram tool that establishes a line of communication with the threat actor to execute remote activities.
