Newly discovered Virobot malware combines keylogger, ransomware and botnet features
Virobot sends spam and copies of itself through locally installed Outlook instances.
Researchers have detected a new multi-functional malware strain that combines the features of ransomware (encryption of the user's files), a keylogger (recording keystrokes) and a botnet (infected computers are enlisted into a spam-sending network).
Dubbed Virobot, it is likely still under development. The malware is built from several components that let it act as three malicious products at once: botnet, ransomware and keylogger.
One feature stands out as both interesting and dangerous: according to cyber-security firm Trend Micro, whose analysts were the first to detect the threat this week, the ransomware component does not descend from any previously known ransomware family.
The ransomware component of Virobot appears to share no code with earlier ransomware products, but its mode of operation is nothing new and closely resembles that of previous threats of the same kind.
Once the ransomware is downloaded and run, it generates a random encryption and decryption key and sends it to a remote command-and-control (C&C) server.
The encryption relies on the RSA scheme, and Virobot encrypts files with the following extensions: TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF and SWP.
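A defensive check that follows from the paragraph above, added here as an illustration and not taken from Trend Micro's report or from Virobot itself: files encrypted whole and in place end up with a near-uniform byte distribution, so a sweep over the targeted extensions for high Shannon entropy finds them. The twist a practitioner needs is that several of the targeted formats (DOCX, XLSX, PPTX, ODT, PNG, JPG, PDF) are already compressed and therefore high-entropy when perfectly healthy, so for those the missing format header is the real signal. The extension list is the one the article gives; the assumption that names and extensions are kept (the article mentions no renaming), the 7.5 bit threshold, the minimum size and the magic-byte table are tuning assumptions of this example, and the sample files are constructed inline.

```python
"""Entropy-plus-magic sweep for documents that look encrypted in place.

Added illustration for the article, not code from Trend Micro's report or
from Virobot. Assumptions: the ransomware overwrites each targeted file with
ciphertext under the same name, so a hit file's Shannon entropy approaches
8 bits/byte. The extension list is the one the article reports; threshold,
minimum size and the magic-byte table are tuning assumptions for this demo.
"""
import hashlib
import math
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# File types the article says Virobot encrypts.
TARGET_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
    ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
    ".aspx", ".html", ".xml", ".psd", ".pdf", ".swp",
}

# Formats whose legitimate content is already compressed and therefore
# high-entropy. For these the missing header, not the entropy, is the tell.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".odt": b"PK\x03\x04", ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF",
}

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption, tune against your own data
MIN_SIZE = 256           # entropy estimates on tiny files are too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True if a targeted-extension file is high-entropy and lacks its format header."""
    suffix = path.suffix.lower()
    if suffix not in TARGET_EXTENSIONS:
        return False
    data = path.read_bytes()
    if len(data) < MIN_SIZE or shannon_entropy(data) < threshold:
        return False
    magic = MAGIC.get(suffix)
    # A compressed format that still carries its real header is just a normal document.
    return not (magic is not None and data.startswith(magic))


def scan_tree(root) -> list:
    """Sorted relative paths of files under root that look encrypted in place."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and looks_encrypted(p))


def _pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(size // 32 + 1))
    return out[:size]


def demo() -> list:
    """Build a constructed sample tree and return what the sweep flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Untouched plain text: low entropy, must not be flagged.
        (root / "readme.txt").write_bytes(
            ("Quarterly report: revenue, costs and headcount by region.\n" * 40).encode())
        # Healthy Office document: zip container, high entropy but valid PK header.
        with zipfile.ZipFile(root / "report.docx", "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("word/media/image1.bin", _pseudo_random(b"legit-image", 4096))
        # "Encrypted" victims: same names and extensions, bodies replaced by ciphertext.
        (root / "notes.txt").write_bytes(_pseudo_random(b"victim-1", 4096))
        (root / "budget.xlsx").write_bytes(_pseudo_random(b"victim-2", 4096))
        # High entropy but not a targeted extension: ignored by design.
        (root / "backup.bin").write_bytes(_pseudo_random(b"not-targeted", 4096))
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())  # ['budget.xlsx', 'notes.txt']
```

The check is deliberately narrow: it only catches whole-file, in-place encryption of the listed types, which is what the article describes. Legacy DOC, XLS and PPT files are OLE compound documents with their own fixed header (D0 CF 11 E0 A1 B1 1A E1) and can be added to the magic table the same way; partially encrypted files or files renamed with a new extension need a different approach, and the 7.5 bit threshold should be calibrated against a sample of the organisation's own documents before the sweep is trusted.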
When this process is finished, Virobot displays a ransom note written in French. Trend Micro's researchers found this odd, because the campaign distributing the ransomware targeted US users.
Trend Micro also stressed that the other Virobot modules are simple. The keylogger's main function consists of logging local keystrokes and sending the captured data to the C&C server.
The botnet module, by contrast, is more capable. Through it the Virobot operator can download and execute additional malware from the ransomware's C&C server.
The same module also acts as a spammer, using the locally installed Outlook application to send spam to the user's contact list. According to Trend Micro, Virobot uses this module to deliver a copy of itself or another malicious file fetched from its C&C server.
Given that it is a new threat, Virobot is probably a test build by its authors, and a more capable version may eventually be used in a larger campaign.
Of course, Virobot isn't the first multifunctional malware strain. The distinctions between ransomware, banking trojans, keyloggers and other malware types have been blurring for several years.
Numerous strains such as MysteryBot, LokiBot, Rakhni and XBash are multifunctional.
That is why some researchers question Trend Micro's decision to classify Virobot as ransomware rather than as a botnet. As the distinctions blur, it is getting harder to say what is really what.