SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

A look at the evolution of the Nemucod malware

Thu, 18th May 2017
FYI, this story is more than a year old

Unit 42 researchers have uncovered details about how the slippery Nemucod malware has been able to avoid detection, and it's all to do with weaponised documents and heavily obfuscated JavaScript.

The new wave of Nemucod downloader malware steals credentials by malspam phishing and a trojan. The stolen credentials are then used to masquerade as legitimate users.

According to the blog, 'researchers pivoted on the Command and Control (C2) IPv4 address discovered during static analysis and deobfuscation, using their Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload'.

The malware has been tracking across various industry sectors in multiple countries, including Japan. It has been targeting various sectors including professional, utilities, high tech and healthcare. Due to the large presence of high tech companies in Japan, Nemucod targeted the region.

Most of the malware was delivered by email from Poland or was delivered using email addresses with Polish domain names. Recipient email addresses seemed valid when cross checked with names and LinkedIn credentials, the blog says.

The malware steals credentials from Windows Credential Cache, Windows Vault, browsers and email clients.

One of the most notable characteristics is the evolution of the dropper, which has switched between weaponised documents and executable files. Researchers suspect the attackers were testing some type of capability.

The weaponised documents themselves have undergone a large number of revisions - one particular document went through 192.

Attackers also used social engineering and fake Microsoft Word message screens to lure victims into running a fake message and downloading a malicious macro code.

"Quite often when weaponized documents like these are opened or enabled ("Enable Content" has been clicked) the effect is immediate – CPU spikes, ransom messages appear, network connections are made and so on," the blog says.

"It may not be obvious that something untoward is happening but often hard drive noises, CPU fans or other indicators tell you otherwise. In this case however, the user could open the document safely, even click the "Enable Content" button and still remain safe and if no tell-tale signs of infection occur one might think all is well. Closing the document, or the Word application itself, however would trigger the infection routine by which point you may have felt a sense of relief nothing had happened. Short lived.

Behind the scenes, the JavaScript payload was heavily obfuscated, using variable names that researchers say seem randomly generated. They also use Unicode and arithmetic to avoid signature-based detection.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X