VOBFUS malware is known for its polymorphic abilities, which allow for easy generation of new variants. We recently came across one variant that replaces these abilities for one never seen in VOBFUS malware before—the ability to “speak” several languages.
Infection in Different Languages
Just like other VOBFUS variants, this new variant, detected as WORM_VOBFUS.JDN, propagates by dropping copies of itself in removable drives. Previously, variants used these eye-catching file names in order to convince users to click on the dropped file:
WORM_VOBFUS.JDN, on the other hand, takes it one step further by dropping files with files name that depend on the infected computer’s OS language and location. For example, a computer with English as the OS language may receive any of the following files:
- I love you.exe
Whereas a computer that uses Bahasa Indonesia may receive the following files:
- Aku mencintaimu.exe
- kata sandi.exe
- seksi. exe
This variant also uses file names written in these languages:
While the languages may differ, they all translate to I love you, Naked, Password, and Webcam.
Malware Going Local
Infection by way of “localized” threats could be seen as one way for cybercriminals to transform unsuspecting users into victims. Seeing a file or a notification written in their language might pique users’ interest more than seeing one written in English. Users may also find a false sense of security in these “localized” files and notifications as they might view these as less suspicious than other files.
Police ransomware is one threat that uses this particular technique. These malware pose as the local law enforcement agency of the victim’s country to urge users to pay the fee for their locked computers. For example, a French victim will receive a notification from Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI. There have even been instances wherein the ransomware will use an audio clip in the victim’s language. Posing as local law enforcement agencies adds a sense of legitimacy to the claim and may further convince victims to pay the fee.
We have also seen file-encrypting ransomware use this approach. These malware locks computers and encrypts files until the victim pays a fee. We came across two incidents that targeted Turkish and Hungarian users. The spam containing the malware and the notification were written in their language.
Cybercriminals will do anything or use any technique possible to gain new victims. We advise users to avoid clicking links or files unless these can be verified. For ransomware incidents, since the files cannot be decrypted (aside from perhaps paying the fee), it’s also good practice to constantly back up files in case of instances such as this one. Trend Micro blocks all threats mentioned in this entry.