
Fake Windows Update Delivers Cyborg Ransomware

A fake Windows Update spam campaign has been dropping the Cyborg ransomware. The mail delivery mechanism claims to come from Microsoft. It directs the potential victim to an attachment described as the ‘latest critical update’.

“The fake update attachment,” writes Trustwave (who discovered the campaign), “although having a ‘.jpg’ file extension, is an executable file. Its filename is randomized and its file size is around 28KB. This executable file is a malicious .NET downloader that will deliver another malware to the infected system.”
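A mail-gateway or triage check for exactly the mismatch Trustwave describes (an attachment whose name ends in ".jpg" but whose bytes are a Windows PE executable). This is an added example, not code from Trustwave or from the article; the sample attachments and their bytes are constructed inline and the filenames are hypothetical.

```python
import struct

# Magic bytes that a genuine image attachment with these extensions should begin with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"  # short slice -> False if out of range


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'image', 'executable', 'disguised-executable' or 'other' for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe_executable(data):
        # Extension claims an image, content is a PE: the Cyborg downloader pattern.
        return "disguised-executable" if ext in IMAGE_MAGIC else "executable"
    if ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext]):
        return "image"
    return "other"


def find_disguised_executables(attachments):
    """Names of attachments whose extension is an image type but whose bytes are a PE."""
    return [name for name, data in attachments
            if classify_attachment(name, data) == "disguised-executable"]


# Constructed sample bytes (not a real binary): an MZ stub with e_lfanew = 0x40
# pointing at a PE signature, and a real-looking JPEG SOI/APP0 header.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

# Hypothetical attachment set: a randomised-name '.jpg' that is really a PE, a true image, a plain .exe
SAMPLE_ATTACHMENTS = [
    ("a8f3c1d9.jpg", FAKE_PE),
    ("photo.jpg", REAL_JPEG),
    ("update.exe", FAKE_PE),
]

if __name__ == "__main__":
    print(find_disguised_executables(SAMPLE_ATTACHMENTS))
```

In practice the same check would be combined with the size hint the researchers give (around 28KB) and with quarantining any PE, disguised or not, arriving from a sender claiming to be Microsoft.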

If the attached file is run, it downloads the final payload from GitHub: a file named bitcoingenerator.exe hosted in a repository called btcgenerator. That is ironic, because the file is really the Cyborg ransomware, and the only bitcoin generated is whatever the victim pays as ransom. In the sample ransom note shown by Trustwave, the demand is for $500 in bitcoin.

The original name for bitcoingenerator.exe is syborg1finf.exe.

Cyborg (the name is taken from the malware’s ransom note, which states ‘ALL YOUR FILES ARE ENCRYPTED BY CYBOG RANSOMWARE’) is not a well-known ransomware. To learn more, Trustwave searched VirusTotal for the original filename, syborg1finf.exe, and found three other samples of Cyborg. The file extension applied to encrypted files differs between the samples found on VirusTotal and the sample found by Trustwave.

“This is an indication that a builder for this ransomware exists,” says Trustwave. “We searched the web and encountered the YouTube video about ‘Cyborg Builder Ransomware V1.0 [ Preview free version 2019 ]’. It contains a link to the Cyborg ransomware builder hosted in Github.”

Trustwave used this builder to generate a new ransomware sample and found it very similar to the version seen in the spam campaign. “Only the overlay differs as it contains the data inputted by the builder’s user,” say the researchers. This suggests the builder may already have been used by multiple individuals.

The ransomware market is separating into two areas — those targeted against richer organizations (including the manually delivered SamSam and RobinHood variants), and those targeting consumers (often delivered by spray and pray spam campaigns). This is an example of the latter, although the spray and pray tactic could just as easily hit the inboxes of companies.


It is also an example of the growing market for malware as a service. Although Trustwave has no evidence that Cyborg is being distributed in this manner, the builder gives anyone access to ransomware. All that a Cyborg campaign would need is access to the builder and the hire or development of spam distribution. As with all spam, the more convincing the associated email, the greater the likelihood of infecting victims.

Cyborg appears to be relatively new, with just the three samples found on VirusTotal. Simple Google searches provide little or no information on it, and there is no decryptor on the NoMoreRansom website. It could simply disappear as quickly as it has appeared, or — given the existence of a builder — it could be taken up and used extensively by spammers.

“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” say the researchers. “It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.”


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
