Experts have said that it was the first ransomware to jumble one file type and file.
A new file-encoding ransomware variant recently discovered by security researchers’ targets Microsoft Word’s Normal template. This is the same template on which all new Word documents are based on.
Researchers have called the new ransomware, qkG. According to Trend Micro, samples of the malware were initially spotted in Google’s VirusTotal file scanner. This happened on November 12, but without a Bitcoin address.
Just two days later, however, it was discovered with a Bitcoin address alongside a routine that encrypts documents on a certain day and time. Since then, experts have noticed examples of it that use different behaviors.
Those that discovered the ransomware say it appears to work a little differently to other similar malicious malware. In a blog post researchers said that the qkG filecoder stands out as the first ransomware to jumble one file and file type, and one of the few file-encrypting malware written exclusively in Visual Basic for Applications (VBA) macros.
They added that it was also one of the minorities that unusually employs malicious macro codes, unlike the standard families that use macros primarily to download the ransomware. Once a person permits the macros, the normal.dottemplate gets infected. At any time the user opens Microsoft Word, the malware-infected normal.dottemplate loads and executes.
According to Trend Micro, however, when a user opens an uninfected document, nothing happens at first. But qkG will, however, encrypt the file’s contents once the user closes the document. It will then display a message with an email and Bitcoin address, along with the encrypted content.
Experts have said that the encryption used is a simple XOR cipher. They added that the encryption key is constantly the same, and is included in each encrypted document. They also noted that the ransomware’s unusual use of malicious macros is very similar to a practice used by a .lukitus variant of the notorious Locky ransomware.
This malware uses the Auto Close VBA macro. It is important to note that in both cases, the malicious macro is carried out when the user closes the document. But, according to researchers, unlike qkG that only scrambles the document, .lukitus Locky’s macro codes retrieve and help execute the ransomware.
This, in turn, will then encrypt the embattled files stored on the contaminated machine. According to researchers, the malware author goes by the name TNA-MHT-TT2 and seems to be based in Vietnam. The qkG code also contained some Vietnamese commentary as well.
To date, the Bitcoin address linked to qkG does not seem to have any transactions. And, according to Trend Micro, further inspection into qkG also shows it to be more of an experimental project or a proof of concept.