Fake Windows Update Spam Leads to Cyborg Ransomware and Its Builder
Recently, fake Microsoft Windows Update emails were spammed with the following subject lines:
Install Latest Microsoft Windows Update now!
Critical Microsoft Windows Update!
Figure 1: Trustwave Security Email Gateway (SEG) displaying the fake Windows Update spam
The email, claiming to be from Microsoft, contains just one sentence in its email body which starts with two capital letters. It directs the recipient’s attention to the attachment as the “latest critical update”.
The fake update attachment, although having a “.jpg” file extension, is an executable file. Its filename is randomized and its file size is around 28KB. This executable file is a malicious .NET downloader that will deliver another malware to the infected system.
The attachment “b1jbl53k.jpg” shown in Figure 1 has a #Strings section, and, looking at this below, gives major clues to the executable’s behaviors. One of the notable things is that the hoax Microsoft update will download another executable file from Github, a software development platform.
2: The #Strings section of the .Net attachment shown in Fig. 1
The Cyborg Ransomware
The file bitcoingenerator.exe will be downloaded from misterbtc2020, a Github account which was active for a few days during our investigation, but is now removed. It is contained under its btcgenerator repository. Just like the attachment, this is .NET compiled malware, the Cyborg ransomware.
Figure 3: Github Profile of misterbtc2020, the account where the Cyborg ransomware bitcoingenerator.exe can be downloaded from.
The ransomware bitcoingenerator.exe will encrypt the infected user’s files and append to their filename its own file extension, in this case, a ‘not-so-lucky’ 777.
Figure 4: Memory dump of the file bitcoingenerator.exe showing the file extensions it will look for to encrypt
Figure 5: “.777” has been appended to the encrypted files’ filenames
Then, a ransom note “Cyborg_DECRYPT.txt” will be left on the compromised machine’s Desktop. The information provided in this txt file can be found on the overlay of the ransomware bitcoingenerator.exe.
Figure 6: Some of the information on the ransom note “Cyborg_DECRYPT.txt” is in the overlay of bitcoingenerator.exe
Lastly, it will leave a copy of itself as “bot.exe” hidden at the root of the infected drive.
Figure 7: Process monitor tool showing “bitcoingenerator.exe” created a copy of itself
The Cyborg Ransomware Builder
To gather more variants of this Cyborg ransomware, we looked for “syborg1finf.exe” the original filename of the ransomware we obtained and searched it in VirusTotal (VT). We were able to obtain 3 other samples of this ransomware.
Figure 8: File properties of the Cyborg ransomware bitcoingenerator.exe
The file extension these Cyborg ransomware samples will append to the encrypted files varies as observed from the samples found on VT. This is an indication that a builder for this ransomware exists. We search the web and encountered this Youtube video about “Cyborg Builder Ransomware V1.0 [ Preview free version 2019 ]”. It contains a link to the Cyborg ransomware builder hosted in Github.
Figure 9: Youtube video of about the Cyborg ransomware builder
The Github account Cyborg-Ransomware was newly created too. It contains two repositories: Cyborg-Builder-Ransomware, and Cyborg-russian-version. The first repository has the ransomware builder binaries while the second one contains a link to the Russian version of the said builder hosted at another website.
Figure 10: Github account Cyborg-Ransomware hosts a Cyborg ransomware builder
The 7Zip file "Cyborg Builder Ransomware V 1.0.7z" from Cyborg-Builder-Ransomware repository was uploaded 2 days before Github account misterbtc2020 hosted the Cyborg ransomware executable. It contains the ransomware builder “Cyborg Builder Ransomware V 1.0.exe”. We compared the sample generated from the said builder (Ransom.exe) from what we have in this spam and they are similar! Only the overlay differs as it contains the data inputted by the builder’s user.
Figure 11: The Cyborg ransomware builder obtained from Github account Cyborg-Ransomware
Figure 12: The Cyborg ransomware samples: (from left to right) The generated ransomware “Ransom.exe” from the builder, 3 samples from VT, the payload obtained in this spam “bitcoingenerator.exe“
The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.
b1jbl53k.jpg (27648 bytes)
bitcoingenerator.exe (1063572 bytes)
ce7a28d3f7cbcb06f484a17dcd244ac1cd126f8c557b702e011f57448045f4cf (1063572 bytes)
90a6fb365e1546b7ca29eb4f08dc3f4c197835f35621e5f48651ec639725ac39 (1063565 bytes)
12b92b6215b4c1dcd7ed9421ff49e540f8db08122a58fb1982ce4566b29a33d3 (1063572 bytes)
Cyborg Builder Ransomware V 1.0.7z (2522495 bytes)
Cyborg Builder Ransomware V 1.0.exe (2630144 bytes)