A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers.

Big Head was first documented by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims’ machines in exchange for a cryptocurrency payment.

“One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update,” Fortinet researchers said at the time. “One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software.”

A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey.

In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propagate the malware, archive.exe to facilitate communications over Telegram, and Xarch.exe to encrypt the files and display a fake Windows update.

“The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process, with the percentage of progress in increments of 100 seconds,” the cybersecurity company said.

Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and performs checks to determine if it’s running within a virtualized environment before proceeding to encrypt the files.

In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process and aborts itself if the machine’s language matches that of Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek. It also incorporates a self-delete function to erase its presence.

Trend Micro said it detected a second Big Head artifact with both ransomware and stealer behaviors, the latter of which leverages the open-source WorldWind Stealer to harvest web browser history, directory lists, running processes, product keys, and network information.


Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

Also discovered is a third variant of Big Head that incorporates a file infector called Neshta, which is used to insert malicious code into executables on the infected host.

“Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload,” Trend Micro researchers said.

“This technique can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware.”

The identity of the threat actor behind Big Head is currently not known, but Trend Micro said it identified a YouTube channel with the name “aplikasi premium cuma cuma,” suggesting an adversary likely of Indonesian origin.

“Security teams should remain prepared given the malware’s diverse functionalities,” the researchers concluded. “This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention.”