Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Fake Windows Update Spam Leads to Cyborg Ransomware and Its Builder

Recently, fake Microsoft Windows Update emails were spammed with the following subject lines:

    Install Latest Microsoft Windows Update now!
    Critical Microsoft Windows Update!

Email sample leading to Cyborg ransomware
Figure 1: Trustwave Security Email Gateway (SEG) displaying the fake Windows Update spam

 

The email, claiming to be from Microsoft, contains just one sentence in its email body which starts with two capital letters. It directs the recipient’s attention to the attachment as the “latest critical update”.

The Attachment

The fake update attachment, although having a “.jpg” file extension, is an executable file. Its filename is randomized and its file size is around 28KB. This executable file is a malicious .NET downloader that will deliver another malware to the infected system.

The attachment “b1jbl53k.jpg” shown in Figure 1 has a #Strings section, and, looking at this below, gives major clues to the executable’s behaviors. One of the notable things is that the hoax Microsoft update will download another executable file from Github, a software development platform.

the attachmentFigure 2: The #Strings section of the .Net attachment shown in Fig. 1

 

The Cyborg Ransomware

The file bitcoingenerator.exe will be downloaded from misterbtc2020, a Github account which was active for a few days during our investigation, but is now removed. It is contained under its btcgenerator repository. Just like the attachment, this is .NET compiled malware, the Cyborg ransomware.

Github account hosting the cyborg ransomware
Figure 3: Github Profile of misterbtc2020, the account where the Cyborg ransomware bitcoingenerator.exe can be downloaded from.

 

The ransomware bitcoingenerator.exe will encrypt the infected user’s files and append to their filename its own file extension, in this case, a ‘not-so-lucky’ 777.

 
Infected files
Figure 5: “.777” has been appended to the encrypted files’ filenames

 

Then, a ransom note “Cyborg_DECRYPT.txt” will be left on the compromised machine’s Desktop. The information provided in this txt file can be found on the overlay of the ransomware bitcoingenerator.exe.

Ransom noteFigure 6: Some of the information on the ransom note “Cyborg_DECRYPT.txt” is in the overlay of bitcoingenerator.exe

 

Lastly, it will leave a copy of itself as “bot.exe” hidden at the root of the infected drive.

bot.exe - copy of the ransomware
Figure 7: Process monitor tool showing “bitcoingenerator.exe” created a copy of itself

 

The Cyborg Ransomware Builder

To gather more variants of this Cyborg ransomware, we looked for “syborg1finf.exe” the original filename of the ransomware we obtained and searched it in VirusTotal (VT). We were able to obtain 3 other samples of this ransomware.

The file extension these Cyborg ransomware samples will append to the encrypted files varies as observed from the samples found on VT. This is an indication that a builder for this ransomware exists. We search the web and encountered this Youtube video about “Cyborg Builder Ransomware V1.0 [ Preview free version 2019 ]”. It contains a link to the Cyborg ransomware builder hosted in Github.

youtube video about the cyborg ransomware builderFigure 9: Youtube video of about the Cyborg ransomware builder

 

The Github account Cyborg-Ransomware was newly created too. It contains two repositories: Cyborg-Builder-Ransomware, and Cyborg-russian-version. The first repository has the ransomware builder binaries while the second one contains a link to the Russian version of the said builder hosted at another website.

Github account Cyborg-Ransomware
Figure 10: Github account Cyborg-Ransomware hosts a Cyborg ransomware builder

 

The 7Zip file "Cyborg Builder Ransomware V 1.0.7z" from Cyborg-Builder-Ransomware repository was uploaded 2 days before Github account misterbtc2020 hosted the Cyborg ransomware executable. It contains the ransomware builder “Cyborg Builder Ransomware V 1.0.exe”. We compared the sample generated from the said builder (Ransom.exe) from what we have in this spam and they are similar! Only the overlay differs as it contains the data inputted by the builder’s user.

Cyborg ransomware builder
Figure 11: The Cyborg ransomware builder obtained from Github account Cyborg-Ransomware
 
Cyborg ransomware samples
Figure 12: The Cyborg ransomware samples: (from left to right) The generated ransomware “Ransom.exe” from the builder, 3 samples from VT, the payload obtained in this spam “bitcoingenerator.exe“

 

Summary

The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder. It can be spammed using other themes and be attached in different forms to evade email gateways. Attackers can craft this ransomware to use a known ransomware file extension to mislead the infected user from the identity of this ransomware.

IOC

b1jbl53k.jpg (27648 bytes)
SHA1: 34BAC75C515CAC706ED0D9EF5BA8B76E60FF78F7

bitcoingenerator.exe (1063572 bytes)
SHA1: 8E830F5C5D144CBE7554C91A846A20ACA6322C60

ce7a28d3f7cbcb06f484a17dcd244ac1cd126f8c557b702e011f57448045f4cf (1063572 bytes)
SHA1: 496063408CD61466614CC8370A6687D6F8D45663

90a6fb365e1546b7ca29eb4f08dc3f4c197835f35621e5f48651ec639725ac39 (1063565 bytes)
SHA1: 50E15A5AAE1C45BE13B4F9B23A6596A822B378A2

12b92b6215b4c1dcd7ed9421ff49e540f8db08122a58fb1982ce4566b29a33d3 (1063572 bytes)
SHA1: DF4A3733D76D96BF1A646AD4F807AB668A88A3DC

Cyborg Builder Ransomware V 1.0.7z (2522495 bytes)
SHA1: 7E251FA01E11A7240856C4934714B40B9EF519EF

Cyborg Builder Ransomware V 1.0.exe (2630144 bytes)
SHA1: 8599C32E71D39BBD89B7FCAE419FDF4619A6D2F3

Latest SpiderLabs Blogs

Ukrainian Intelligence Claims Successful Compromise of the Russian Ministry of Defense

On March 4, 2024, the Telegram channel of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) was updated with assertions that they executed a successful cyberattack...

Read More

Cost Management Tips for Cyber Admins

As anyone who has filled out an expense report can tell you, cost management is everyone's responsibility. Organizations must apply a careful balance of budget planning and expenditures that are in...

Read More

Resurgence of BlackCat Ransomware

Updated March 8: Based on our experience, we believe that BlackCat's claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after...

Read More