A new spam campaign pretending to be a ‘Critical Microsoft Windows Update’ has been discovered that attempts to deliver the Cyborg Ransomware, but turns out to be an utter failure.
In a report from Trustwave that was released today, researchers outline how an attacker is sending spam email that pretends to be a ‘Critical’ Windows update and prompts the recipient to install it.
Trustwave told BleepingComputer that this spam campaign was not targeted in nature and was sent to recipients all over the world.
The supposed Windows update attached to the email is actually a downloader for the Cyborg Ransomware executable that has been renamed to a randomly named .jpg image file. A hex view of the JPG file clearly shows that it is an executable.
While this JPG file is a legitimate executable that, if properly named, would have encrypted the victim's computer, the attackers made the mistake of distributing it as a JPG image file.
By doing so, they failed to take into account that when a user opens this file, Windows will automatically load it into the configured Photo viewer and not execute the malware. This will just display an error stating that the “file appears to be damaged, corrupted, or is too large.”
It is not known why the ransomware was distributed this way, but it ultimately would have prevented any recipients who opened the image from being infected. This is a mistake that worked in the recipients' favor.
When BleepingComputer asked Trustwave their opinion on why the ransomware was distributed this way, they too were confused by the use of this method.
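The mismatch described above, an executable carrying a .jpg name, is exactly the kind of thing a mail gateway or triage script can catch before a user ever double-clicks the attachment: Windows picks the handler by extension, but the file's own header says what it really is. The following is an added example for illustration, not code from Trustwave or from the campaign; the sample attachments, the minimal PE-looking blob, and the short signature list are all constructed here.

```python
"""Flag e-mail attachments whose content does not match the claimed extension.

Added example: compares magic bytes against what the file extension implies,
with a proper PE check (MZ header plus 'PE\\0\\0' at e_lfanew) so that a
Windows executable hiding under an image name is reported.
"""
from pathlib import Path

# Short, hypothetical signature list; a real gateway would use a fuller table.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# What content each extension is expected to carry.
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
    ".pdf": "pdf", ".zip": "zip", ".exe": "pe-executable",
}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_type(data: bytes) -> str:
    """Classify content by its header; 'unknown' if nothing in the table matches."""
    if is_pe(data):
        return "pe-executable"
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the extension's expected type with the detected type.

    Only a confident mismatch (both sides known, and different) is flagged,
    so a truncated image under a .jpg name is not reported as disguised.
    """
    ext = Path(name).suffix.lower()
    expected = EXPECTED.get(ext, "unknown")
    actual = detect_type(data)
    mismatch = expected != "unknown" and actual != "unknown" and actual != expected
    return {
        "name": name,
        "claimed": expected,
        "actual": actual,
        "mismatch": mismatch,
        "executable_disguised": mismatch and actual == "pe-executable",
    }


def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob (not a runnable program): MZ header,
    e_lfanew pointing at offset 0x40, then the PE signature and padding."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample attachments, not files from the campaign.
SAMPLE_ATTACHMENTS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("critical_update.jpg", build_fake_pe()),   # executable under an image name
    ("report.pdf", b"%PDF-1.4\n"),
    ("notes.txt", b"hello"),
]


def triage(attachments) -> list:
    """Run the check over (name, bytes) pairs."""
    return [check_attachment(n, d) for n, d in attachments]


def disguised_executables(attachments) -> list:
    """Names of attachments that are PE files wearing a non-executable extension."""
    return [r["name"] for r in triage(attachments) if r["executable_disguised"]]


if __name__ == "__main__":
    for result in triage(SAMPLE_ATTACHMENTS):
        print(result)
    print("disguised:", disguised_executables(SAMPLE_ATTACHMENTS))
```

The PE check looks past the two-byte `MZ` stub to the `PE\0\0` signature, which keeps plain DOS-stub false positives out; on real mail, the same function would be fed the decoded attachment bytes rather than the constructed samples.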
The Cyborg Ransomware
When taking a look at the Cyborg Ransomware we get a better understanding of why the spam campaign didn’t go well.
According to Trustwave’s report, the Cyborg Ransomware is promoted through a YouTube video that states it is a tool “designed to penetration testing” and should not be used for illegal use.
This builder is a .NET tool that allows a user to enter a bitcoin address, a contact email, an extension to use for encrypted files, and a ransom amount that the victim needs to pay. The user can then generate a .NET ransomware executable that utilizes these configuration settings.
As you can see, this builder is not very sophisticated and when we look at the executable used in this campaign, it also shows a similar level of sophistication.
The attached executable is actually a downloader that fetches the Cyborg Ransomware component from a now inactive GitHub repository.
For many ransomware variants, when a victim is infected, the ransomware will send a notification back to the attacker by connecting to a command and control server.
With this Cyborg downloader, the attacker uses smtp.gmail.com to email themselves information about the victim. The email user name and password are hardcoded into the executable, so anyone who examines it could access the account.
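Hardcoded mail credentials of this kind are among the first things an analyst pulls out of a .NET sample, because .NET stores string literals as UTF-16LE in the assembly's user-string heap, where a plain ASCII strings run misses them. The script below is an added example, not Trustwave's tooling or the downloader's code: it extracts both ASCII and UTF-16LE strings from a blob, flags SMTP hosts and e-mail addresses, and shows the strings that sit next to each host hit, which is where an analyst would look for the account name and password. The blob, the addresses and the password-like string are all constructed stand-ins; the only indicator taken from the article is smtp.gmail.com.

```python
"""Static triage for embedded SMTP exfiltration indicators.

Added example: pulls printable ASCII and UTF-16LE strings out of a binary
blob, classifies SMTP hosts and e-mail addresses, and reports the strings
that follow each host so the neighbouring credentials are easy to spot.
"""
import re

SMTP_HOST_RE = re.compile(r"^(?:smtp|mail|imap|pop3?)\.[a-z0-9.-]+\.[a-z]{2,}$", re.I)
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return (offset, text, encoding) for every printable run of min_len+ chars.

    Both ASCII and UTF-16LE (the encoding of .NET string literals) are covered;
    results are sorted by offset so neighbouring literals stay adjacent.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii"), "ascii")
            for m in ascii_re.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le"), "utf-16le")
             for m in utf16_re.finditer(blob)]
    return sorted(hits)


def find_smtp_indicators(blob: bytes, window: int = 3) -> dict:
    """Classify extracted strings and collect the `window` strings after each host."""
    texts = [t for _, t, _ in extract_strings(blob)]
    hosts = [t for t in texts if SMTP_HOST_RE.match(t)]
    emails = [t for t in texts if EMAIL_RE.match(t)]
    context = {}
    for i, t in enumerate(texts):
        if t in hosts:
            # Literals near the host are the usual place for user name/password.
            context[t] = texts[i + 1:i + 1 + window]
    return {
        "hosts": hosts,
        "emails": emails,
        "context": context,
        "suspicious": bool(hosts and emails),
    }


def build_sample_blob() -> bytes:
    """Constructed stand-in for a .NET downloader's string heap (not the real
    sample): filler bytes around UTF-16LE literals, plus one ASCII path."""
    def u16(s: str) -> bytes:
        return s.encode("utf-16-le")

    filler = b"\x00\x10\x7f\x01" * 8          # non-printable padding
    return (
        filler
        + u16("smtp.gmail.com") + b"\x00\x00"
        + u16("report-sender@example.invalid") + b"\x00\x00"
        + u16("Hunter2Password!") + b"\x00\x00"   # constructed password stand-in
        + u16("victim-bot@example.invalid") + b"\x00\x00"
        + filler
        + b"C:\\Users\\Public\\update.jpg\x00"
    )


if __name__ == "__main__":
    report = find_smtp_indicators(build_sample_blob())
    for key, value in report.items():
        print(f"{key}: {value}")
```

When a host like the one in the article turns up next to an address and a password-shaped literal, the defensive follow-ups are the usual ones: block or alert on outbound SMTP to that host from endpoints, and report the abused mailbox to the provider so the account is shut down.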
While many ransomware creators have called their projects “for educational purposes” or as a “pentesting tool”, other people will use these projects for nefarious purposes as we saw with HiddenTear.
The good news is that those who use open source ransomware typically do not do a good job of creating or distributing it. This leads to easily decryptable ransomware or, as seen in this case, poor planning in ransomware distribution.