Windows 10 News and info | Forum
Author Topic: Fake ‘Windows Update’ Installs Cyborg Ransomware  (Read 86 times)
« on: November 20, 2019, 05:12:46 PM »

An executable file disguised as a .jpg leads not only to ransomware but also its builder, which can be used to create variants.

A malicious spam campaign that informs victims it contains a “critical Windows update” instead leads to the installation of Cyborg ransomware, researchers have found. Further, they were able to access its builder, which can be used to create malware variants.

The email-based threat, discovered recently by researchers at Trustwave, is unique in a few ways, researchers unveiled in a blog post on Tuesday. For instance, the attached file purports to be in .jpg format, even though it opens an .exe file.

Another unique aspect is that the emails contain a two-sentence subject, “Install Latest Microsoft Windows Update now! Critical Microsoft Windows Update!”— but it has just one sentence in its email body, researchers said. Typically, malicious emails include a longer, socially engineered message intended to lure victims into clicking malicious files.

But perhaps the most crucial element of the analysis is that the Cyborg ransomware creators also left a trail from the executable that led researchers to discover the malware builder hosted on the Github developer platform.

“The 7Zip file ‘Cyborg Builder Ransomware V 1.0.7z’ from Cyborg-Builder-Ransomware repository was uploaded two days before the Github account misterbtc2020 hosted the Cyborg ransomware executable,” according to the post. “It contains the ransomware builder ‘Cyborg Builder Ransomware V 1.0.exe.’”

This adds a new dimension to the attack, Karl Sigler, threat intelligence manager for Trustwave SpiderLabs, told Threatpost in an email interview.

“Ransomware has been widely used to attack different organizations and governments and having it and its builder hosted on a software development platform Github is significant,” he told us. “Anyone can grab a hold of it and create their own Cyborg ransomware executable.”

The fake Windows Update email has typical hallmarks of malicious spam, which is how researchers originally identified it, Sigler told Threatpost. The suspicious subject line combined with “an executable attachment, not encased in an archive and with a .jpg extension,” made its intent pretty obvious, he said.

“Spoofing the file extension of an executable file is a common trick to evade email gateways,” Sigler told Threatpost. “We have seen this before, and so heuristics detections are in place for this kind of behavior.”

Researchers informed Github at around 5:00 pm Central Time on Sunday, Nov. 17, that there is an account hosting the Cyborg ransomware and its builder on its platform, Sigler said. That report is “still under processing,” he told us, and the account hosting the malware was still active as of the time this article was written.

At this time, the Cyborg spam threat seemed to have abated, as researchers see no more evidence of the downloader being sent via email. However, the potential remains for variants to be created from the Cyborg builder since it’s still available on Github, Sigler said, noting that “a handful of Cyborg ransomware” already has been submitted to VirusTotal.

“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” according to the post. “It can be spammed using other themes and be attached in different forms to evade email gateways.”

Ransomware, on the whole, is a persistent and growing threat, with bad actors finding new and creative ways to lure and attack victims. Research released last month said security experts expect ransomware to surge in 2020, especially campaigns that specifically target their victims.

While the Cyborg attack seemed to have had no apparent target, Sigler said, there has been recent evidence that this prediction already is coming true. Last week, SmarterASP.NET, a popular web hosting provider, was hit with a targeted ransomware attack that took down its customers’ websites hosted by the company.
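As an added illustration (not code from the article, Trustwave, or the forum poster), here is the kind of extension-versus-content heuristic a mail gateway applies to catch an executable attached with a .jpg name, as described above. The signature table, the helper names and the sample attachments are constructed for this example.

```python
# Magic-byte signatures for a few common attachment formats (constructed table).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# What a given file extension claims the content to be.
EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
    "7z": "7z", "exe": "pe-executable",
}

def detect_type(data: bytes) -> str:
    """Classify attachment content by its bytes, ignoring the file name entirely."""
    if data[:2] == b"MZ":
        # PE files start with a DOS "MZ" header; e_lfanew at offset 0x3c points
        # to the "PE\0\0" signature. Either way the content is executable.
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3c:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "mz-executable"
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def claimed_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict: block executables, flag other name/content mismatches."""
    actual = detect_type(data)
    ext = claimed_extension(filename)
    claimed = EXTENSION_TYPES.get(ext, "unknown")
    reasons, verdict = [], "ok"
    if actual.endswith("executable"):
        verdict = "block"
        reasons.append("content is a Windows executable")
        if claimed != "pe-executable":
            reasons.append(f"extension .{ext} does not match executable content")
    elif "unknown" not in (claimed, actual) and claimed != actual:
        verdict = "flag"
        reasons.append(f"extension .{ext} claims {claimed} but content is {actual}")
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "verdict": verdict, "reasons": reasons}

def fake_pe_sample() -> bytes:
    """Constructed minimal PE-like header (not a real program) for testing."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    buf[0x3c:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)
```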
