Nemucod is back and serving an ad-clicking backdoor instead of ransomware

enzozo-623x410

Nemucod, the Trojan that affected Ireland worst in 2016 is back with a new campaign. Instead of serving its victims ransomware, it delivers an ad-clicking backdoor Trojan detected by ESET as Win32/Kovter.

As a backdoor, this trojan allows the attacker to control the machine remotely without the victim’s consent or knowledge. The currently used variant can perform four main activities: 1. Download and run a file, 2. Gather various information and send it to a C&C server, 3. Store its own configuration data in Windows Registry entries, and 4. Control its own “click-function”.

“IN THE RECENTLY OBSERVED WAVE, MALWARE OPERATORS ARE MAINLY FOCUSING ON THE AD-CLICKING CAPABILITY DELIVERED VIA AN EMBEDDED BROWSER.”

In the recently observed wave, malware operators are mainly focusing on the ad-clicking capability delivered via an embedded browser. The trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads.The number of threads can change according to commands from the attacker and can also alter them automatically – since Kovter is monitoring free memory and CPU usage. This helps the trojan not to overload the system and keep a low profile.

The number of threads can change according to commands from the attacker and can also alter them automatically – since Kovter is monitoring free memory and CPU usage. This helps the trojan not to overload the system and keep a low profile.

However, when the computer is idle, the malware may allocate more resources to its activities until further user activity is detected. When set in Kovter’s configuration it can also check whether the infected machine runs in a controlled or virtual environment and reports this fact to the attacker.

To deliver Kovter, the attackers behind the campaign use the Nemucod downloader disguised as an email ZIP attachment. Posing as a fake invoice, cybercriminals try to convince users to open it (unaware that it contains an infected executable JavaScript file).

This technique is used to avoid detection in some mail scanners and to reach as many victims as possible. If the user falls for the trap and executes the infected file – the Nemucod downloader – it downloads Kovter onto the machine and executes it.

Similar Nemucod campaigns have been around for quite some time. ESET warned the public of the threat in late December, 2015, and again in March, 2016. However, past waves primarily tried to download ransomware families, most frequently Locky or the now discontinued TeslaCrypt, instead of the current ad-clicking backdoor.

How can you avoid this threat?

  • If your e-mail client or server offers attachment blocking by extension, you may want to block emails sent with .EXE, *.BAT, *.CMD, *.SCR and *.JS. files attached
  • Make sure your operating system displays file extensions. This helps to identify the true type of a file in case of dual extension spoofing (e.g. “INVOICE.PDF.EXE” does not get displayed as “INVOICE.PDF”).
  • If you frequently and legitimately receive these files, check who the sender is and if there is anything suspicious, scan the message and its attachments with your security solution. ESET products will detect it as Win32/Kovter.

by Ondrej Kubovic, ESET


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s