
A look at the evolution of the Nemucod malware

18 May 2017

Unit 42 researchers have uncovered details about how the slippery Nemucod malware has been able to avoid detection, and it’s all to do with weaponised documents and heavily obfuscated JavaScript.

The latest wave of Nemucod downloader malware arrives by malspam phishing and drops a credential-stealing trojan. The stolen credentials are then used to masquerade as legitimate users.

According to the blog, ‘researchers pivoted on the Command and Control (C2) IPv4 address discovered during static analysis and deobfuscation and, using their Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload’.

The malware has been tracked across various industry sectors in multiple countries, including Japan, targeting sectors such as professional, utilities, high tech and healthcare. Due to the large presence of high-tech companies in Japan, Nemucod targeted that region.

Most of the malware was delivered by email from Poland or via email addresses with Polish domain names. Recipient email addresses seemed valid when cross-checked against names and LinkedIn credentials, the blog says.

The malware steals credentials from Windows Credential Cache, Windows Vault, browsers and email clients.

One of the most notable characteristics is the evolution of the dropper, which has switched between weaponised documents and executable files. Researchers suspect the attackers were testing some type of capability.

The weaponised documents themselves have undergone a large number of revisions; one particular document went through 192.

Attackers also used social engineering and fake Microsoft Word message screens to lure victims into acting on a fake message and running malicious macro code.

“Quite often when weaponized documents like these are opened or enabled (“Enable Content” has been clicked) the effect is immediate – CPU spikes, ransom messages appear, network connections are made and so on,” the blog says.

“It may not be obvious that something untoward is happening but often hard drive noises, CPU fans or other indicators tell you otherwise. In this case however, the user could open the document safely, even click the “Enable Content” button and still remain safe and if no tell-tale signs of infection occur one might think all is well. Closing the document, or the Word application itself, however would trigger the infection routine by which point you may have felt a sense of relief nothing had happened. Short lived.”

Behind the scenes, the JavaScript payload was heavily obfuscated, using variable names that researchers say appear randomly generated, together with Unicode and arithmetic to avoid signature-based detection.
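As an added example (not code from the original post or from Unit 42), the following Python heuristic scores a JavaScript sample for the three evasion traits named above: random-looking identifiers, Unicode escapes, and arithmetic used to build strings. Both input samples are constructed for illustration, and the thresholds are assumptions rather than published detection logic.

```python
import re

# Constructed sample inputs; neither is code from the original post or from the
# Nemucod samples it describes.
BENIGN_JS = r"""
function updateTotal(cart) {
  var total = 0;
  for (var i = 0; i < cart.length; i++) { total += cart[i].price; }
  document.getElementById("total").innerText = total;
}
"""

OBFUSCATED_JS = r"""
var qxv7zk = "\u0041\u0063\u0074\u0069\u0076\u0065";
var bptrq9 = String.fromCharCode(0x60+7, 104-3, 119+1, 10*8);
var zzq8wlr = qxv7zk + bptrq9 + (0x2f-0x10).toString();
"""

STRING_RE = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')
IDENT_RE = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")
UNICODE_ESC_RE = re.compile(r"\\u[0-9a-fA-F]{4}")
ARITH_RE = re.compile(r"(?:0x[0-9a-fA-F]+|\d+)\s*[-+*]\s*(?:0x[0-9a-fA-F]+|\d+)")


def looks_random(ident: str) -> bool:
    """Heuristic: generated names tend to be long, mix digits into letters and have few vowels."""
    letters = [c for c in ident if c.isalpha()]
    if len(ident) < 5 or not any(c.isdigit() for c in ident) or not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.3


def analyze_js(js: str, ident_threshold=0.3, escape_threshold=2.0, arith_threshold=3) -> dict:
    """Score three evasion traits (assumed thresholds); any one crossing its threshold flags the sample."""
    code_only = STRING_RE.sub('""', js)  # identifiers and arithmetic are read outside string literals
    idents = set(IDENT_RE.findall(code_only))
    random_ratio = sum(map(looks_random, idents)) / len(idents) if idents else 0.0
    escapes = len(UNICODE_ESC_RE.findall(js))
    escapes_per_100 = escapes * 100 / max(len(js), 1)
    arith = len(ARITH_RE.findall(code_only))
    return {
        "random_identifier_ratio": round(random_ratio, 2),
        "unicode_escapes": escapes,
        "unicode_escapes_per_100_chars": round(escapes_per_100, 2),
        "arithmetic_literals": arith,
        "suspicious": (random_ratio >= ident_threshold
                       or escapes_per_100 >= escape_threshold
                       or arith >= arith_threshold),
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(name, analyze_js(sample))
```

Each trait alone is weak evidence, so in practice such scores are best used to prioritise samples for sandboxing rather than as a blocking rule.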
