Virobot abuses the victim's locally installed Outlook instance to spam other users and spread itself.
This newly discovered strain is a multi-purpose threat: it acts as ransomware and encrypts users' files, it logs and steals their keystrokes, and it adds infected computers to a spam-sending botnet.
According to the researchers who analysed it, the ransomware module is a new strain with no ties to known ransomware families; apart from that, its mode of operation is nothing new and follows the same playbook as earlier threats.
Once a user is infected through the malicious email, the ransomware module generates a random encryption and decryption key and sends it to a remote command and control (C&C) server.
The file encryption reportedly relies on the RSA encryption scheme, and targets files with the following extensions: TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF, and SWP.
Once the encryption ends, Virobot displays a ransom note on the user's screen. The note is written in French, which is odd given that the campaign spreading the ransomware targeted US users.
The keylogger module is simplistic: it logs all local keystrokes and sends the raw data to the C&C server. The botnet module, by contrast, is the more powerful one, because it lets the Virobot operator download additional malware from the same C&C server and execute it on the infected host.
For now the malware appears to be inactive because the Virobot C&C server is down; since the ransomware module needs to reach the C&C server before it starts encrypting, newly infected victims would not have their files encrypted. The same dependency means that blocking the C&C address at the network edge stops the encryption on an infected host, although it does not remove the infection or the other modules.
Most likely the current campaign is a test run by the distributors, and the C&C servers are expected to come back online.
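The spam module above turns a single infected workstation into a sender that suddenly mails many distinct recipients through the user's own mail client. One way to spot that from the relay's side is to look for a burst of distinct recipients from one client host. The following Python script is an added example, not code from the original article or from the researchers who analysed Virobot; it assumes a constructed relay log format (`<ISO timestamp> from=<sender> to=<recipient> client=<host>`) and illustrative thresholds (20 distinct recipients within 60 seconds), neither of which comes from the article.

```python
"""Flag workstations spraying mail through a local mail client.

Added example, not code from the original article. Log format and
thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed relay-log line format: one accepted message per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) client=(?P<client>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "from": m.group("from"),
        "to": m.group("to"),
        "client": m.group("client"),
    }


def find_spray_hosts(lines, window_seconds=60, max_recipients=20):
    """Return {client: (window_start, distinct_recipients)} for every client
    host that mails more than max_recipients distinct addresses inside a
    sliding window of window_seconds. A host is reported once, at the moment
    it first crosses the threshold."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    per_client = defaultdict(deque)  # client -> (ts, recipient) pairs in window
    flagged = {}
    for e in events:
        q = per_client[e["client"]]
        q.append((e["ts"], e["to"]))
        # Drop entries that fell out of the sliding window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {to for _, to in q}
        if len(distinct) > max_recipients and e["client"] not in flagged:
            flagged[e["client"]] = (q[0][0], len(distinct))
    return flagged


def sample_log():
    """Constructed sample: ws-07 sends three normal mails over an hour,
    ws-12 sprays 25 distinct contacts within 25 seconds."""
    base = datetime(2018, 9, 20, 9, 0, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} from=alice@corp.example "
                     f"to=peer{i}@corp.example client=ws-07")
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} from=bob@corp.example "
                     f"to=contact{i}@example.net client=ws-12")
    lines.append("not a log line")  # exercises the parser's rejection path
    return lines


if __name__ == "__main__":
    for host, (since, n) in find_spray_hosts(sample_log()).items():
        print(f"{host}: {n} distinct recipients within one minute from {since}")
```

Counting distinct recipients rather than raw message volume keeps a legitimate mail thread with many replies to one person from tripping the alert, while a client that suddenly addresses dozens of different mailboxes, which is what a mail-client spam module produces, crosses the threshold within seconds.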
Virobot is not the first malware strain that combines different components. The line between ransomware, banking trojans, keyloggers, and other malware categories is getting thinner and thinner as time passes.
For example, malware strains such as MysteryBot, LokiBot, Rakhni, or XBash have come with multi-functional features, blending everything from ransomware to cryptocurrency miners in the same package.
We will continue to monitor this threat. Meanwhile, users should stay alert: keep an up-to-date antivirus on every device you own, whether it runs Windows or Mac, and, if you run a company, have a specialised cybersecurity firm test your network every year, including penetration testing and ethical hacking.