New Virobot malware combines ransomware and botnet capabilities

Security experts from Trend Micro discovered a new malware tracked as Virobot that combines ransomware and botnet capabilities.

Virobot encrypts files on infected machines and is also implements spam botnet abilities and leverages it target other systems.

Virobot was first spotted on September 17, 2018, experts pointed out that it is not associated with any known ransomware families.

The analysis of the infection chain revealed that once Virobot is downloaded to a machine, it will check the presence of specific registry keys (machine GUID and product key) to determine if the files on the system should be encrypted.

Then it leverages a cryptographic Random Number Generator to generate the encryption and decryption key, then send it along with data related to the infected machine to the command and control (C&C) server via POST.

The malicious code targets the most popular file types, including .txt, .docx, .xlsx, .pptx, .jpg, .png, .csv, .sql, .mdb, .php, .asp, .xml, .psd, .odt, and .html.

The experts highlighted a curiosity about the ransom note and ransom screen displayed by the malware, even if it is currently targeting users in the US, the ransom note is written in French:

Virobot also implements a keylogging feature, collected keystrokes, it is also able to download additional files from the C&C server.

“Virobot also has a keylogging feature and connects back to its C&C server to send logged key strokes from an infected machine. Once connected to the C&C, it may download files – possibly another malware binary – and execute it using PowerShell.” reads the analysis published by Trend Micro.

The malware uses the infected machine’s Microsoft Outlook to implements the spam botnet capability and spread to the user’s contact list. Virobot will send to the victim’s contacts a copy of itself or a malicious file downloaded from its C&C server.

The Virobot malware is able to encrypt files after the successful connection with the C&C server, but at the time of writing the Command and Control infrastructure was taken down.

“Individuals and enterprises should use a multi-layered approach to mitigate the risks brought by threats like ransomware,” concludes Trend Micro.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Virobot, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.