A newly discovered malware strain is a multi-tasking threat: besides working as ransomware and encrypting users’ files, it can also log and steal their keystrokes and add infected computers to a spam-sending botnet.
This new threat is named Virobot. It appears to be under development and is composed of multiple components that allow it to work as a botnet, ransomware, and keylogger.
Its ransomware component seems to be a unique strain that has no ties to previous ransomware family trees, according to cyber-security firm Trend Micro, whose malware analysts spotted this new threat this week.
But while the Virobot ransomware component appears to be unrelated to any other ransomware strain, its mode of operation is nothing new and follows the same modus operandi as all previous threats.
If a user is tricked into downloading and running the ransomware, which is attached to email documents, it generates a random encryption and decryption key, which it also sends to a remote command and control (C&C) server.
The encryption process relies on the RSA encryption scheme, and Virobot will target files with the following extensions: TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF, and SWP.
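For defenders, the extension list above can seed a simple behavioural check: flag any process that rewrites many distinct files of those types in a short window. The sketch below is an added example, not code from Trend Micro or from the original article; the event format, the sample telemetry, the thresholds, and the function name `flag_bulk_rewrites` are all assumptions.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Extensions the article lists as Virobot targets.
TARGET_EXTS = {
    "TXT", "DOC", "DOCX", "XLS", "XLSX", "PPT", "PPTX", "ODT", "JPG", "PNG", "CSV",
    "SQL", "MDB", "SLN", "PHP", "ASP", "ASPX", "HTML", "XML", "PSD", "PDF", "SWP",
}

# Constructed sample telemetry: (epoch seconds, process id, file path written).
_BURST = ["docx", "xlsx", "pdf", "jpg", "txt", "pptx", "sql", "csv", "png", "xml"]
EVENTS = (
    # pid 4120: ten different document types rewritten within 20 seconds
    [(1000 + 2 * i, 4120, rf"C:\Users\a\Documents\f{i}.{e}") for i, e in enumerate(_BURST)]
    # pid 880: an editor autosaving the same file over and over
    + [(1000 + 30 * i, 880, r"C:\Users\a\Documents\report.docx") for i in range(10)]
    # pid 2200: a logger writing files whose type is not on the list
    + [(1005 + i, 2200, rf"C:\Logs\app{i}.log") for i in range(12)]
    # pid 3000: occasional note saving, far apart in time
    + [(1010 + 400 * i, 3000, rf"C:\Users\a\notes{i}.txt") for i in range(9)]
)


def flag_bulk_rewrites(events, window=60, min_files=8, min_exts=4):
    """Return {pid: (first_alert_ts, file_count, extensions)} for processes that
    wrote at least min_files distinct targeted files spanning at least min_exts
    extensions within `window` seconds. Thresholds are illustrative assumptions."""
    recent = defaultdict(deque)  # pid -> (ts, path, ext) entries inside the window
    flagged = {}
    for ts, pid, path in sorted(events):
        ext = PureWindowsPath(path).suffix.lstrip(".").upper()
        if ext not in TARGET_EXTS:
            continue
        q = recent[pid]
        q.append((ts, path.lower(), ext))
        while ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        files = {p for _, p, _ in q}
        exts = {e for _, _, e in q}
        if pid not in flagged and len(files) >= min_files and len(exts) >= min_exts:
            flagged[pid] = (ts, len(files), sorted(exts))
    return flagged


if __name__ == "__main__":
    for pid, (ts, count, exts) in flag_bulk_rewrites(EVENTS).items():
        print(f"pid {pid}: {count} targeted files rewritten by t={ts}, types={exts}")
```

Requiring several distinct extensions as well as a file count is what keeps the autosaving editor and the note-taking process out of the result.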
Once this operation finishes, Virobot shows a ransom note on the user’s screen, like the one below. This note is written in French, which Trend Micro researchers found odd because the …