Security researchers from Trustwave’s SpiderLabs have discovered a new malicious campaign which spoofs urgent update emails from Microsoft to infect user’s systems with the Cyborg ransomware.
Targeted users first receive an email with either the subject line ‘Install Latest Microsoft Windows Update now!’ or ‘Critical Microsoft Windows Update!’ which is already suspicious as Microsoft pushes Windows updates through its operating system and never through emails.
The email itself contains just one line of text which reads: “Please install the latest critical update from Microsoft attached to this email”. While the fake update attachment has “.jpg” file extension, it is actually not a picture but instead is an executable file.
This executable file is a malicious .NET download that the attackers have designed to deliver malware to the infected system.
- Ghanaian engineering students in US develop technology to tackle emissionsThree Ghanaian undergraduate engineering students at Ohio State University are developing a sustainable alternative to … Read More
- WhatsApp finally extends ‘confusing’ update deadline: Accept or Stop using AppWhatsApp has extended the deadline by which its two billion users must either accept its … Read More
- Samsung Galaxy S21 Ultra: The ultimate smartphone experienceSamsung Electronics Co., Ltd. unveiled the Galaxy S21 Ultra, a flagship device that pushes the … Read More
- Ubiquiti hit with a security breach – Tells customers to change passwords!Networking equipment and IoT device vendor Ubiquiti Networks has sent out today notification emails to … Read More
- These 5 techniques will help you create a great online sales experienceAs part of the need to have a good customer service game, providing a standout … Read More
Upon clicking on the email’s attachment, the executable hidden within it downloads a file called ‘bitcoingenerator.exe’ from a GitHub account with the name misterbtc2020. Just like with the attachment itself, this file is a .NET compiled malware known as the Cyborg ransomware.
Once activated, the ransomware encrypts all of the files on the infected user’s system and appends their filenames with its own file extension, 777. A ransom note with the filename ‘Cyborg_DECRYPT.txt’ is then left on the desktop of the compromised machine. Finally the ransomware leaves a copy of itself called ‘bot.exe’ hidden at the root of the infected drive.
In an effort to better understand the variants of the Cyborg ransomware, Trustwave researchers searched for the original filename of the ransomware they obtained and searched for it in VirusTotal. There they found three other samples of this ransomware and discovered that a builder for it exists online.
The researchers also found a GitHub account with the name Cyborg-Ransomware that contained a repository with the ransomware builder binaries as well as a second repository with a link to the Russian version of the same builder hosted on another site.
Trustwave’s Diana Lopera explained why the Cyborg ransomware poses a serious threat to individuals and businesses in a blog post, saying:
“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.”