Security researchers have discovered a new file-encoding ransomware variant called qkG that targets Microsoft Word's Normal template which all new, blank Word documents are usually based on. According to Trend Micro, samples of the malware were first spotted in Google's VirusTotal file scanner on 12 November, but without a Bitcoin address.
Two days later, however, it was found with a Bitcoin address along with a routine that encrypts documents on a certain day and time. Since then, researchers have noticed samples that use different behaviours.
Researchers said the ransomware appears to work slightly differently than other similar malicious malware.
"QkG filecoder stands out as the first ransomware to scramble one file (and file type), and one of the few file-encrypting malware written entirely in Visual Basic for Applications (VBA) macros," researchers wrote in a blog post. "It's also one of the few that uncommonly employs malicious macro codes, unlike the usual families that use macros mainly to download the ransomware."
Once a person enables the macros, the normal.dot template gets infected. Whenever the user opens Microsoft Word, the malware-infected normal.dot template loads and executes.
"When a user opens an uninfected document, nothing happens at first," Trend Micro explains. "qkG will, however, encrypt the file's contents once the user closes the document. It will also display a message with an email and Bitcoin address, along with the encrypted content.
"The encryption used is a very simple XOR cipher. The encryption key is always the same, and is included in each encrypted document."
Researchers noted that the ransomware's "unusual" use of malicious macros is similar to a technique employed by a .lukitus variant of the notorious Locky ransomware that uses the Auto Close VBA macro.
"In both cases, the malicious macro is executed when the user closes the document," researchers said. "But unlike qkG that only scrambles the document, .lukitus Locky's macro codes retrieve and help execute the ransomware, which will then encrypt the targeted files stored on the infected machine."
According to researchers, the malware author goes by the name TNA-MHT-TT2 and seems to be based in Vietnam. The qkG code also contained some Vietnamese comments as well.
So far, the Bitcoin address linked to qkG doesn't seem to have any transactions yet.
"Further scrutiny into qkG also shows it to be more of an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild. This, however, doesn't make qkG less of a threat," Trend Micro said. "As the qkG samples demonstrated, its behaviors and techniques can be fine-tuned by its developer or other threat actors.
"While not particularly pervasive in terms of impact, qkG's unique use of malicious macros is still notable. And like other ransomware families, we expect this technique to be rehashed, broadened, and repurposed for other cyberattacks."