Researchers Found Fake Windows 10 Update That Hides Ransomware

Fake Windows 10 update email

When there is money to be made, some people will do whatever it takes to get at it.

That includes emailing potential victims from a spoofed Microsoft address, urging them to download a malicious Windows 10 "critical update". The campaign was first spotted by Trustwave, and the researchers at the security company say that people should never open this email.

The subject of the email says “Install Latest Microsoft Update now!” or “Critical Microsoft Windows Update!”

In the body of the email, there is only one line that says “Please install the latest critical update from Microsoft attached to this mail”, and below that, there is an attached file users are supposed to open.

The researchers said that the attached file contains a JPG file that is not actually a picture, but a .NET executable file that will infect people's PCs.

The filename is randomized, but the file is around 28KB in size.

In the example, the researchers at Trustwave showed the attachment b1jbl53k.jpg. Analyzing this file, the researchers found that the fake Microsoft update will download another executable file from GitHub, a software development platform.
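The check a mail gateway would want here is a content check that ignores the ".jpg" name and looks at the bytes. The following is an added, defender-side example (not Trustwave's code and not part of the original article): it distinguishes a real JPEG from a Windows PE, and a native PE from a .NET one by looking at the CLR runtime header entry (data directory 14). `build_fake_pe` is a constructed helper that emits a bare test header, so no real sample is involved.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG starts with the SOI marker followed by 0xFF

def classify_attachment(data: bytes) -> str:
    """Classify bytes by content, ignoring the filename: 'jpeg', 'pe-native', 'pe-dotnet' or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return "unknown"
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE header
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return "unknown"
        opt = e_lfanew + 24                                     # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:            # PE32
            n_dirs_off, dirs_off = 92, 96
        elif magic == 0x20B:          # PE32+
            n_dirs_off, dirs_off = 108, 112
        else:
            return "unknown"
        n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
        if n_dirs <= 14:              # no CLR runtime header entry at all
            return "pe-native"
        # Data directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the .NET CLR header
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 14 * 8)
    except struct.error:
        return "unknown"
    return "pe-dotnet" if clr_rva and clr_size else "pe-native"

def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when an attachment named like an image is really a Windows executable."""
    return filename.lower().endswith((".jpg", ".jpeg")) and classify_attachment(data).startswith("pe")

def build_fake_pe(clr_rva: int, pe32plus: bool = False) -> bytes:
    """Constructed test sample: a bare PE header (no code), with an optional CLR directory entry."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    n_dirs_off = 108 if pe32plus else 92
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(n_dirs_off, b"\x00")
    opt += struct.pack("<I", 16)                                # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 14 * 8, clr_rva, 0x48 if clr_rva else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt) + len(dirs), 0x102)
    return dos + b"PE\x00\x00" + coff + opt + bytes(dirs)
```

A gateway rule built on this would quarantine any ".jpg" attachment that classifies as `pe-native` or `pe-dotnet`, regardless of what the sender's address claims.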

The file the malware downloads is a program called bitcoingenerator.exe, developed by a GitHub user called misterbtc2020.

But this Bitcoin generator has been tweaked and customized to not mine cryptocurrencies, but to plant a malware called Cyborg.

The #Strings section of the .Net attachment. (Credit: Trustwave)

When installed, Cyborg encrypts all of the victim's files, locking their contents and changing the files' extensions to 777. In other words, the PC's data is held for ransom.

After the encryption finishes, the malware creates a text file called Cyborg_DECRYPT.txt on the victim's Windows desktop, containing instructions on how to recover the files - for a price.

Lastly, the malware will leave a copy of itself as “bot.exe”, hidden at the root of the infected drive.

According to Trustwave, there are four variants of this malicious software. Following the trail, the researchers were led to two repositories: Cyborg-Builder-Ransomware and Cyborg-russian-version. The first repository holds the ransomware builder binaries, while the second contains a link to the Russian version of that builder hosted on another website.

This malware poses a real danger to businesses and individuals alike, because it can be attached to other emails and evade any gateway controls.

This fake Windows 10 update sent through email is just another instance of hackers trying to scam potential victims and drain their wallets.

It's wise to always distrust incoming emails at first sight, even if they appear to come from trustworthy sources. Never click the links in them, or download any attachments from them.

In this case, it should be noted that Microsoft never sends notices about Windows 10 updates via email.

Published: 19/11/2019