Hackers are developing a polymorphic ransomware known as ‘Virlock’ that has enhanced file-infection and resurrection powers, according to Trend Micro.
Trend Micro researchers Jaaziel Carlos, John Chua and Rodwin Fuentes reported the Virlock ransomware in a threat advisory.
“We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but infects files – a first for ransomware,” read the advisory.
Virlock has the basic hallmarks of ransomware: it locks the computer by disabling explorer.exe and blocking the use of taskmgr.exe. What makes it more dangerous is an added file-infection capability.
Virlock scans the infected machine for files with specific extensions, including .exe, .doc, .xls, .pdf, .ppt, .mdb, .zip, .rar, .mp3, .mpg, .wma, .png, .gif, .bmp, .jpg, .jpeg, .psd, .p12, .cer, .crt, .p7b, .pfx and .pem.
When it finds one, Virlock encrypts the file and embeds it in the malware body, adding a .RSRC section to hold it, so the original file is replaced by a carrier for the malware rather than simply encrypted in place.
The researchers said that the file-infection capability gives attackers a range of options on the victim system and makes detection and removal of the ransomware more difficult.
“Virlock encrypts the host file to make it more difficult for security solutions to clean and restore the infected files,” said the advisory.
“Based on our analysis, Virlock uses custom encryption with two layers of encryption. First is a combination of XOR and ROL (rotate on left) encryption and the second layer is an XOR encryption.
“[Additionally] if the infected system is not properly cleaned, even the presence of a single infected file will trigger the infection chain all over again.”
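To make the layering in the advisory concrete, here is an added example (not code from the Trend Micro advisory or from the malware) of a two-layer byte-level scheme of the kind described: a first layer of XOR followed by rotate-left, then a second XOR layer, together with the inverse needed to restore a host file. The key bytes, rotation count and key lengths are assumptions for the demonstration; the page gives none of Virlock's actual parameters. The point a responder cares about is that the layers must be undone in reverse order, and that each layer on its own is trivially reversible once its key is known.

```python
# Added illustration of a two-layer XOR+ROL / XOR scheme and its inverse.
# Keys, rotation count and layer order below are assumptions for the demo;
# they are NOT Virlock's real parameters (the article does not give any).

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (inverse of rol8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def layer1_encrypt(data: bytes, key: bytes, rot: int) -> bytes:
    """Layer 1: XOR each byte with a repeating key, then rotate left."""
    return bytes(rol8(b ^ key[i % len(key)], rot) for i, b in enumerate(data))


def layer1_decrypt(data: bytes, key: bytes, rot: int) -> bytes:
    """Inverse of layer 1: rotate right first, then XOR (reverse order)."""
    return bytes(ror8(b, rot) ^ key[i % len(key)] for i, b in enumerate(data))


def layer2_xor(data: bytes, key: bytes) -> bytes:
    """Layer 2: plain repeating-key XOR. XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_host(plain: bytes, k1: bytes, rot: int, k2: bytes) -> bytes:
    """Apply layer 1 (XOR+ROL) and then layer 2 (XOR)."""
    return layer2_xor(layer1_encrypt(plain, k1, rot), k2)


def decrypt_host(cipher: bytes, k1: bytes, rot: int, k2: bytes) -> bytes:
    """Undo the layers in reverse: strip layer 2, then invert layer 1."""
    return layer1_decrypt(layer2_xor(cipher, k2), k1, rot)


def decrypt_wrong_order(cipher: bytes, k1: bytes, rot: int, k2: bytes) -> bytes:
    """Deliberately wrong: inverting layer 1 before removing layer 2.
    Used to show that the layers do not commute."""
    return layer2_xor(layer1_decrypt(cipher, k1, rot), k2)


# Constructed sample input: the start of a PE file (MZ header) standing in
# for an embedded host executable. Keys and rotation are made-up values.
SAMPLE_HOST = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
K1 = bytes.fromhex("a5c3")   # hypothetical layer-1 key
ROT = 3                       # hypothetical rotate-left amount
K2 = bytes.fromhex("5e1d7c")  # hypothetical layer-2 key


def roundtrip_ok() -> bool:
    """True if decrypting the encrypted sample restores the original bytes."""
    return decrypt_host(encrypt_host(SAMPLE_HOST, K1, ROT, K2), K1, ROT, K2) == SAMPLE_HOST


def wrong_order_fails() -> bool:
    """True if undoing the layers in the wrong order does NOT restore the sample."""
    return decrypt_wrong_order(encrypt_host(SAMPLE_HOST, K1, ROT, K2), K1, ROT, K2) != SAMPLE_HOST


if __name__ == "__main__":
    c = encrypt_host(SAMPLE_HOST, K1, ROT, K2)
    print("ciphertext:", c.hex())
    print("roundtrip ok:", roundtrip_ok())
    print("wrong order fails:", wrong_order_fails())
```

The practical takeaway for cleanup is that a restore tool needs both keys and the rotation amount, and must peel the outer XOR before touching the inner XOR+ROL; applying the inverses in the wrong order yields garbage rather than a partially recovered file.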
Infected files can also spread on their own, reaching additional systems across the compromised network or on removable USB flash storage.
The Trend Micro researchers said that Virlock's evasion of security products is further aided by a polymorphic design.
“Our analysis shows that Virlock is polymorphic. The malware was packed with a custom hacker packer that uses randomised API calls,” explained the advisory.
“This malware continuously changes the hacker packer that it uses to avoid detection. This makes it harder for security researchers and products to detect as the code changes each time it runs.”
It is currently unclear who is behind Virlock, although Trend Micro reported that it was used in one of the Carbanak cyber attacks, which are said to have defrauded over $1bn from 100 banks in more than 30 regions.
Virlock is believed to be a work in progress, and the researchers expect fresh variants to appear in the near future.
“In our analysis, we also found traces of incomplete modules or illogical codes in Virlock,” read the advisory.
“It’s highly possible that the modules/codes are proof that Virlock is still in the development stage. It won’t be a surprise if we see a more sophisticated Virlock variant in the coming months.
“One possible development is in its arrival vectors. We might see Virlock use a mass-mailing malware to help it to propagate, similar to those used by the CRYPCTB ransomware family.”
Virlock is one of many emerging threats uncovered this week. Researchers at Kaspersky Lab reported on Wednesday that they had uncovered the first Android malware capable of bypassing Captcha image-recognition checks.