Softpedia

May 12th, 2009, 12:13 GMT · By

Brazilian Ransomware Blocks Access to Documents

Brazilian scareware holds documents for ransom
Trend Micro researchers warn of a new fake antivirus program that specifically targets Brazilian users. The application exhibits ransomware behavior: it locks access to multiple types of documents and asks victims to buy a license in order to regain control.

The new rogueware, called Byte Clark, is considered to be the first application from this class of malware that originates in Brazil, a country otherwise known for its high spam and malicious Internet traffic.

According to security website Linha Defensiva (Defensive Line), the program is distributed by spam e-mails with subjects like "Hello, I am sending you my invitation to the graduation location, date and time." The e-mails have a malformed .pps (PowerPoint Presentation) file attached, which claims to contain details about the event.

Access error generated by Byte Clark
The attached ConviteFormatura.pps exploits a remote code execution vulnerability in PowerPoint to download and install the malicious component of the scheme. That component blocks access to multiple file types, system folders and programs and forces an error message that allegedly offers a solution.

Clicking the button on the error screen opens byteclark.com.br in the browser, a website where the user is encouraged to buy Byte Clark for 20.00 Brazilian reais (approximately 9.7 US dollars) in order to fix the error. The purchased application does nothing more than remove the malicious components, which makes the files accessible again.

The malicious component hides under C:\WINDOWS\system32\ as svchosts.exe and is detected by Trend Micro as TROJ_FAKEAV.BBH. Additionally, it creates an entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsgrr so that it is executed again at every reboot. The component also gathers information about the compromised system and sends it to a predefined e-mail address.
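As an added defender's check (not from the article, Trend Micro or Linha Defensiva), the following PowerShell looks for the two persistence artifacts named above on a Windows host: the Run entry and the dropped svchosts.exe, whose name mimics the legitimate svchost.exe. It assumes the Run entry is a value named msnmsgrr under the Run key and also flags, more generally, any Run value that launches a svchost lookalike.

```powershell
# Added example, not the article's or Trend Micro's code. Indicator values are
# the ones reported in the article; "msnmsgrr" is assumed to be a value name.
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'msnmsgrr'
$DropperPath = Join-Path $env:SystemRoot 'system32\svchosts.exe'

$findings = @()

# 1. The autorun value the article names under ...\CurrentVersion\Run
$entry = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($entry) {
    $findings += [pscustomobject]@{
        Indicator = "Run value '$RunValue' present"
        Detail    = $entry.$RunValue
    }
}

# 2. The dropped binary, named to look like the real service host svchost.exe
if (Test-Path -LiteralPath $DropperPath) {
    $hash = (Get-FileHash -LiteralPath $DropperPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'svchosts.exe found in system32'
        Detail    = "$DropperPath sha256=$hash"
    }
}

# 3. Generic check: any Run value whose command names a svchost lookalike
#    (svchost followed by extra characters before .exe). The PS* properties
#    are provider metadata, not registry values, so they are skipped.
Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'svchost\w+\.exe' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = "svchost lookalike in Run value '$($_.Name)'"
            Detail    = $_.Value
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Byte Clark persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt; a hit on any of the three checks warrants isolating the host and submitting svchosts.exe to the vendor rather than trusting the "fix" the error screen offers.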

Byte Clark ransomware application
Back at the end of March, we reported on another ransomware application called FileFix Pro 2009, which might have served as inspiration for Byte Clark. Granted, FileFix was more complex, as it employed encryption mechanisms, but it acted on the same principle of locking users out of their personal files.

"Spam is a common delivery vehicle for malware, not just being limited to rogue antivirus. And as usual, people behind this scam rely on the user’s panic to look for a quick solution. As spammers/scammers use more pleasant/kinder wordings to get their message across, users are advised to exercise caution," Roderick Ordoñez, technical communications specialist at Trend Micro, notes.

At the beginning of May, when the Byte Clark threat was initially spotted locally in Brazil, none of the 40 antivirus engines used by the VirusTotal online file analysis service detected it. It is likely that detection has since been added to some products, but it is just as likely that many of them are still missing it.

Copyright © 2001-2012 Softpedia.