Windows 10 Upgrade Spam Carries CTB-Locker Ransomware

Spam messages spoofing Microsoft and promising a free Windows 10 upgrade instead drop the CTB-Locker crypto-ransomware on compromised machines.

In the week since a free upgrade to Windows 10 was made available, users have learned of a host of built-in privacy and security issues, the most troubling being a native feature called Wi-Fi Sense that grants access to your Wi-Fi network to contacts stored in several online services.

Now hackers are in on the game. The inevitable Windows 10 spam and phishing emails have surfaced, including a serious threat via a spam campaign spoofing Microsoft and ultimately dropping ransomware on users’ machines.

Researchers at Cisco TALOS said on Friday they spotted spam carrying an archived attachment from an email address in Thailand spoofing update at Microsoft[.]com. Users who download and execute the files inside the zip archive are hit by the CTB-Locker brand of ransomware. CTB-Locker behaves like most strains of crypto-ransomware: it is spread via email, exploit kits or drive-by downloads, encrypts documents stored on the victim’s computer and demands a ransom paid in Bitcoin in exchange for the decryption key. This campaign gives users a 96-hour window to deliver payment, which is shorter than other campaigns making use of CTB-Locker.

CTB—also known as Critroni—stands for Curve-Tor-Bitcoin: the malware uses elliptic curve cryptography to encrypt files and the Tor anonymity network for command and control operations.

The current Windows 10 spam campaign has a chance to be quite lucrative, given the thirst most consumers have for the latest and greatest technology. Users, however, must first reserve their spot in a queue in order to get the free upgrade to Windows 10. The spam emails may trick victims into thinking this is their notification from Microsoft to upgrade; legitimate upgrades are done via download, not email, Microsoft said.

The email, however, isn’t without its faults, making it easier to spot.

“There are several characters that don’t parse properly,” Cisco TALOS researchers wrote in a blogpost. “This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email.”

Two other features in the message attempt to add some legitimacy to the campaign, the first being a disclaimer using similar language to what Microsoft regularly uses, and the other being a notification that the email was scanned by “MailScanner” and is clean of malware.

“This message links to a legitimate open source email filter and will trick some users into thinking the attachment is not malware,” Cisco’s report said.

CTB-Locker’s use of elliptic curve encryption is more efficient from a processing sense than other ransomware variants, Cisco said.

Cisco also analyzed command and control traffic, noting that it uses hard-coded IP addresses on ports such as 9001, 443, 1443 and 666. Cisco said the malware also uses port 21 for communication, a port generally reserved for FTP and therefore one on which outbound traffic is often allowed.

“There is also a significant amount of data being exchanged between systems, which is largely uncharacteristic for ransomware,” the report says. “An analysis of network traffic reveals that there were ~100 network streams to various IP addresses.”
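The network indicators above (hard-coded destination IPs on ports 9001, 443, 1443, 666 and 21, and an unusually large number of streams) translate into a simple detection heuristic. The following is an added example written for this article, not code from Cisco’s report; the flow-log format, the sample lines and the fan-out threshold of 50 distinct destinations are assumptions.

```python
from collections import defaultdict

# Ports cited in the TALOS report. Port 443 is left out of the port test since
# normal HTTPS traffic would swamp it, but it still counts toward stream fan-out.
C2_PORTS = {9001, 1443, 666, 21}
STREAM_THRESHOLD = 50  # report cites ~100 streams; the threshold is an assumption

# Constructed flow-log sample: timestamp src_ip dst_ip dst_port
SAMPLE_LOG = """\
2015-08-01T10:00:01 10.0.0.5 203.0.113.10 9001
2015-08-01T10:00:02 10.0.0.5 203.0.113.11 443
2015-08-01T10:00:03 10.0.0.5 203.0.113.12 21
2015-08-01T10:00:04 10.0.0.5 203.0.113.13 666
2015-08-01T10:00:05 10.0.0.7 198.51.100.4 443
2015-08-01T10:00:06 10.0.0.7 198.51.100.5 443
"""

def parse_flows(text):
    """Yield (src, dst, port) from whitespace-separated flow lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def profile_hosts(flows):
    """Per source host: the C2-style ports it touched and its distinct-destination count."""
    ports, dests = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        dests[src].add(dst)
        if port in C2_PORTS:
            ports[src].add(port)
    return {src: (ports[src], len(dests[src])) for src in dests}

def flag_suspicious(text, min_c2_ports=2, stream_threshold=STREAM_THRESHOLD):
    """Flag hosts that hit two or more C2 ports, or whose fan-out exceeds the threshold."""
    flagged = {}
    for src, (c2_ports, n_streams) in profile_hosts(parse_flows(text)).items():
        reasons = []
        if len(c2_ports) >= min_c2_ports:
            reasons.append("c2_ports:" + ",".join(str(p) for p in sorted(c2_ports)))
        if n_streams >= stream_threshold:
            reasons.append("fanout:%d" % n_streams)
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))
```

Requiring two distinct C2-style ports keeps a single stray FTP session from raising an alert, while the fan-out check catches the stream volume the report describes even when only common ports are used.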

Cisco’s report also includes a list of indicators of compromise and domains.
