Cybersecurity experts have identified a spam campaign capable of infecting systems with Cyborg ransomware. The attack is made via a fake Microsoft email that outlines an important update for the Windows operating system.
Diana Lopera, security researcher for Trustwave, states the emails purportedly from the Washington-based company include just a single sentence in the main body of the email and contain a typo. The message reads:
"Please install the latest critical update from Microsoft attached to this email"
The recipient is then directed to the email's attachment, which, if opened, springs the trap.
Malicious attachment and malware delivery process
The attachment that supposedly contains the vital update carries a .jpg extension but is in reality an executable file. It is roughly 28KB in size, has a randomised filename, and is a .NET downloader whose job is to fetch and deliver a second piece of malware onto the already compromised system.
That second file, named bitcoingenerator.exe, is downloaded to the user's device from a GitHub account under the name misterbtc2020. Despite its name, the file is the Cyborg ransomware itself.
The ransomware encrypts all files on the victim's system and appends its own file extension to their names. A ransom note named "Cyborg_DECRYPT.txt" is left on the compromised device's Desktop; the same details can also be found in the overlay of the bitcoingenerator.exe binary.
In addition, the malware plants a copy of itself deep within the infected drive as an executable file named "bot.exe".
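The lure described above turns on one mismatch: an attachment whose name ends in .jpg but whose content is a Windows executable. The following added example (not code from the article or from Trustwave) shows how a mail gateway or triage script could catch that mismatch by comparing each attachment's declared extension with its leading magic bytes. The message it scans is constructed here to mirror the campaign's one-sentence body; the sender addresses, the attachment filename and the attachment bytes are fabricated stand-ins, not samples from the real spam.

```python
import email
from email import policy
from email.message import EmailMessage

# What the declared extension claims the content should start with, versus a PE file's "MZ" header.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG"}
PE_MAGIC = b"MZ"


def classify_attachment(filename, data):
    """Return a verdict for one attachment based on its extension versus its real content."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if data.startswith(PE_MAGIC):
        if ext in IMAGE_MAGIC:
            return "suspicious: executable (MZ header) disguised with %s extension" % ext
        return "executable"
    expected = IMAGE_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return "suspicious: %s extension but content is not that image type" % ext
    return "ok"


def scan_message(raw_bytes):
    """Parse an RFC 822 message and return (filename, verdict) for every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append((name, classify_attachment(name, part.get_payload(decode=True))))
    return results


def build_sample():
    """Construct a test message modelled on the lure: one-line body plus a '.jpg' that is really a PE.

    Addresses, filenames and attachment bytes are fabricated for this example only.
    """
    m = EmailMessage()
    m["From"] = "update@example.invalid"   # placeholder, not the campaign's sender
    m["To"] = "user@example.invalid"
    m["Subject"] = "Critical update"       # placeholder subject
    m.set_content("Please install the latest critical update from Microsoft attached to this email")
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200   # header-only stand-in, not a real binary
    m.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="a1b2c3d4.jpg")
    real_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 64                       # minimal JPEG-looking bytes
    m.add_attachment(real_jpg, maintype="image", subtype="jpeg", filename="photo.jpg")
    return m.as_bytes()
```

Running `scan_message(build_sample())` flags the disguised attachment and passes the genuine image; the same check applies to any extension/magic pair you add to the table.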
A new design of ransomware
Lopera explained that the GitHub account, Cyborg-Ransomware, is a new creation too:
"It contains two repositories: Cyborg-Builder-Ransomware, and Cyborg-russian-version. The first repository has the ransomware builder binaries while the second one contains a link to the Russian version of the said builder hosted at another website."
She also commented on the "Cyborg Builder Ransomware V 1.0.7z" 7zip file:
"It contains the ransomware builder "Cyborg Builder Ransomware V 1.0.exe". We compared the sample generated from the said builder (Ransom.exe) with what we have in this spam and they are similar! Only the overlay differs as it contains the data inputted by the builder's user."
According to Lopera, the malware can even be spammed utilising different themes and can come in varying attachment types in order to bypass email gateways and reach its intended target.
Microsoft updates are a vital part of keeping a Windows operating system safe and secure against ransomware, which makes the technique of this recent spam campaign especially cunning. Threat researcher for Webroot, Kelvin Murray, commented that along with causing short-term damage, fake updates can undermine the overall confidence users have in updating and lead to weaker levels of security.
At WM Reply we're experts at using the latest Microsoft technology to enhance your business processes. We create bespoke and secure solutions for greater collaboration and improved communication using online platforms such as Microsoft SharePoint and its integration with Office 365. For advice and assistance, contact our specialist team today.