Security researchers have observed a new spam campaign that infects systems with the Cyborg ransomware by spoofing email from Microsoft about a Windows update.
According to Trustwave security researcher Diana Lopera, the emails claiming to be from Microsoft contain just one sentence in the body, with a typo in the first word: "PLease install the latest critical update from Microsoft attached to this email".
It directs the recipient’s attention to the attachment as the "latest critical update".
While the attachment has a .jpg extension, it is really an executable file. The filename is randomised, and its file size is around 28KB. This executable is a malicious .NET downloader that delivers additional malware to the infected system.
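One defensive check for the attachment trick described above, as an added example that is not part of the article or of Trustwave's analysis: parse the PE header of an attachment whose name claims to be an image and flag it, noting when the executable is a .NET assembly. The sample bytes are constructed header-only stand-ins, not the real file.

```python
import struct

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}

def is_pe(data: bytes) -> bool:
    """MZ stub plus a PE\\0\\0 signature at e_lfanew marks a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def has_clr_header(data: bytes) -> bool:
    """A populated data directory entry 14 (CLR runtime header) means a .NET assembly."""
    if not is_pe(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # data directory offset for PE32 / PE32+
    if dd_off is None:
        return False
    entry = opt + dd_off + 14 * 8
    if len(data) < entry + 8:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0

def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Flag attachments whose image extension hides a PE, and note .NET ones."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in IMAGE_EXTS and is_pe(data):
        findings.append("image extension but PE executable content")
        if has_clr_header(data):
            findings.append(".NET assembly (matches the downloader described)")
    return findings

def build_fake_pe(dotnet: bool) -> bytes:
    """Constructed header-only PE32 stand-in for testing; not executable code and not the real sample."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x10B)                  # PE32 magic
    if dotnet:
        struct.pack_into("<II", buf, opt + 96 + 14 * 8, 0x2008, 0x48)  # CLR directory RVA/size
    return bytes(buf)
```

A genuine JPEG (starting FF D8 FF) produces no findings, so the check only fires on the extension/content mismatch the campaign relies on.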
This file, named bitcoingenerator.exe, will be downloaded from misterbtc2020, a Github account that was active for a few days during an investigation by the company. The file is in fact .NET compiled malware, the Cyborg ransomware.
This then encrypts files on the target system and appends its own file extension, in this case 777, to their filenames. A ransom note, "Cyborg_DECRYPT.txt", is then left on the compromised machine's Desktop. The information in this txt file can also be found in the overlay of the ransomware binary bitcoingenerator.exe.
The malware also leaves a copy of itself as "bot.exe" hidden at the root of the infected drive.
Lopera said that the Github account Cyborg-Ransomware was newly created too.
"It contains two repositories: Cyborg-Builder-Ransomware, and Cyborg-russian-version. The first repository has the ransomware builder binaries while the second one contains a link to the Russian version of the said builder hosted at another website," she said.
She added that the 7Zip file "Cyborg Builder Ransomware V 1.0.7z" from the Cyborg-Builder-Ransomware repository was uploaded two days before the Github account misterbtc2020 hosted the Cyborg ransomware executable.
"It contains the ransomware builder 'Cyborg Builder Ransomware V 1.0.exe'. We compared the sample generated from the said builder (Ransom.exe) with what we have in this spam and they are similar! Only the overlay differs as it contains the data inputted by the builder's user," she said.
Lopera added that the ransomware can be spammed using other themes and be attached in different forms to evade email gateways.
Edward Whittingham, managing director of cyber-security firm The Defence Works, told SC Media UK that it's hugely important that organisations educate their workforce about the threat of phishing emails, but do so in a way that will genuinely engage their end users.
"More and more frequently, organisations are adopting security awareness training, but it so often falls flat because the content is dull, too technical or simply doesn’t capture their attention. It’s very important to start to engage with users in a way they’ll find compelling and to make this a topic they’ll actively want to learn more about. That means ditching cliché images such as hoodies, Matrix code and so on – and instead, trying to provide the lessons through a medium they’ll understand and relate to," he said.
Kelvin Murray, senior threat researcher at Webroot, told SC Media UK that updates are very important in the fight against ransomware and cyber-crime, and that this is a cruel irony for victims of this social engineering technique.
"As well as causing damage in the short term, fake updates undermine the general confidence people have updating, and this leads to weaker security as a whole. The sheer amount of updates that we all see on a day-to-day basis means that users are unlikely to spend much time investigating any notifications," he said.