Fake ‘Windows Update’ Installs Cyborg Ransomware

Georgia cyberattack

An executable file disguised as a .jpg leads not only to ransomware but also its builder, which can be used to create variants.

A malicious spam campaign that informs victims it contains a “critical Windows update” instead leads to the installation of Cyborg ransomware, researchers have found. Further, they were able to access its builder, which can be used to create malware variants.

The email-based threat, discovered recently by researchers at Trustwave, is unique in a few ways, researchers unveiled in a blog post on Tuesday. For instance, the attached file purports to be in .jpg format, even though it opens an .exe file.

Another unique aspect is that the emails contain a two-sentence subject, “Install Latest Microsoft Windows Update now! Critical Microsoft Windows Update!”— but it has just one sentence in its email body, researchers said. Typically, malicious emails include a longer, socially engineered message intended to lure victims into clicking malicious files.

But perhaps the most crucial element of the analysis is that the Cyborg ransomware creators also left a trail from the executable that led researchers to discover the malware builder hosted on the Github developer platform.

“The 7Zip file ‘Cyborg Builder Ransomware V 1.0.7z’ from Cyborg-Builder-Ransomware repository was uploaded two days before Github account misterbtc2020 hosted the Cyborg ransomware executable,” according to the post. “It contains the ransomware builder ‘Cyborg Builder Ransomware V 1.0.exe.'”

This adds a new dimension to the attack, Karl Sigler, threat intelligence manager for Trustwave SpiderLabs, told Threatpost in an email interview.

“Ransomware has been widely used to attack different organizations and governments and having it and its builder hosted on a software development platform Github is significant,” he told us. “Anyone can grab a hold of it and create their own Cyborg ransomware executable.”

The fake Windows Update email has typical hallmarks of malicious spam, which is how researchers originally identified it, Sigler told Threatpost. The suspicious subject line combined with “an executable attachment, not encased in an archive and with a .jpg extension,” made its intent pretty obvious, he said.

“Spoofing the file extension of an executable file is a common trick to evade email gateways,” Sigler told Threatpost. “We have seen this before, and so heuristics detections are in place for this kind of behavior.”

Researchers informed Github at around 5:00 pm Central Time on Sunday, Nov. 17, that there is an account hosting the Cyborg ransomware and its builder on its platform, Sigler said. That report is “still under processing,” he told us, and the account hosting the malware was still active as of the time this article was written.

At this time, the Cyborg spam threat seemed to have abated, as researchers see no more evidence of the downloader being sent via email. However, the potential remains for variants to be created from the Cyborg builder, since it’s still available on Github, Sigler said, noting that “a handful of Cyborg ransomware” already has been submitted to VirustTotal.

“The Cyborg Ransomware can be created and spread by anyone who gets hold of the builder,” according to the post. “It can be spammed using other themes and be attached in different forms to evade email gateways.”

Ransomware on the whole is a persistent and growing, with bad actors finding new and creative ways to lure and attack victims. Research released last month said security experts expect ransomware to surge in 2020, especially campaigns that specifically target their victims.

While the Cyborg attack seemed to have had no apparent target, Sigler said, there has been recent evidence that this prediction already is coming true. Last week, SmarterASP.NET, a popular web hosting provider, was hit with a targeted ransomware attack that took down its customers’ websites hosted by the company.

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.





Suggested articles


  • Joseph Masciantonio on

    As of now, I am just turning off Windows Update. Clearly they have no idea what they are doing at Microsoft.
    • Tara Seals on

      To be clear, Joseph, this is not a real update -- it's a fake meant to fool people into installing malware.
  • Terrence healy on

    TCP/IP needs to be rewritten and changed to be more secure.
  • Anon on

    Very misleading headline which basically click bait, should read 'Fake Windows Update'
    • Tara Seals on

      Thanks for the comment. The quotation marks are meant to indicate that it's being used in an ironic sense. http://www.macmillandictionaryblog.com/the-emphatic-use-of-quotation-marks
  • Brian H on

    Turning off Windows Updates in response to an article that explains how a spam email campaign is spreading malware through a fake Windows Update notice is hilarious and ironic. Let's see how well that plays out, Joseph!
  • Brian H on

    Tara the grammar guru!
  • Sumo Walubah on

    In this digital age we're living in cyber security attacks have become the new norm, cybersecurity experts must come up with new mechanism that will stop these cyber criminals in their tracks.
    • Anonymous on

      Only if cyber criminals weren't former cybersecurity experts.
  • Anonymous on

    Yeah. That works. Turn off windows update. Did you not read the entire article. It come via email
  • Dale Blevins on

    That's good, the GitHub rep isn't taken down yet, but let's tell the entire interested world about it...
  • Anonymous on

    It was sent via email not the Microsoft updater.
  • Frank M on

    It is best to use the built in Windows updates. I do check at least once a week. I don't care for automatic updates. Don't click on links you do not know where they are from. Also check the real url when hovering over a link. Then you can search the real url by right click and save link address. Copies to clipboard and then you can paste it into a search box like Google.
  • Anonymous on

    This is a misleading article with a fake title to capture attention and confuse people. This article is as fake as the mentioned campaign.
  • Keith P 1011 on

    Can you give steps on how to disable windows update please. Thank you.
    • Tara Seals on

      Hi Keith: There is no need to disable Windows Update -- that's the last thing you should do. This is an email campaign using "Windows Update" as a lure.
  • Anonymous on

    My 90 year old Grandma used to hate Windows update when she was alive and she turned off updates so she could use her AOL in peace without updates bothering her. I tried to sneak a Windows update on her computer one time while she was napping and she panicked about it updating so she hard powered off the computer.
  • George Papadopoulos on

    Have you read the article in full mate? It says it comes via email. When did Microsoft send you a Windows Update via email?
  • Michael M on

    I would advise you keep updating your computer as they release updates that prevent this kind of stuff all the time
  • Anon on

    Thank you! Grammar? I am in IT.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.