SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
A look at the evolution of the Nemucod malware
Thu, 18th May 2017

Unit 42 researchers have uncovered details about how the slippery Nemucod malware has been able to avoid detection, and it's all to do with weaponised documents and heavily obfuscated JavaScript.

The new wave of Nemucod downloader malware steals credentials using malspam phishing and a trojan. The stolen credentials are then used to masquerade as legitimate users.

According to the blog, ‘researchers pivoted on the Command and Control (C2) IPv4 address discovered during static analysis and deobfuscation, using their Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload’.

The malware has been tracked across various industry sectors in multiple countries, including Japan. It has been targeting sectors including professional, utilities, high tech and healthcare. Due to the large presence of high tech companies in Japan, Nemucod targeted the region.

Most of the malware was delivered by email from Poland or from email addresses with Polish domain names. Recipient email addresses seemed valid when cross-checked with names and LinkedIn credentials, the blog says.

The malware steals credentials from Windows Credential Cache, Windows Vault, browsers and email clients.

One of the most notable characteristics is the evolution of the dropper, which has switched between weaponised documents and executable files. Researchers suspect the attackers were testing some type of capability.

The weaponised documents themselves have undergone a large number of revisions - one particular document went through 192.

Attackers also used social engineering and fake Microsoft Word message screens to lure victims into running a fake message and downloading malicious macro code.

“Quite often when weaponized documents like these are opened or enabled (“Enable Content” has been clicked) the effect is immediate – CPU spikes, ransom messages appear, network connections are made and so on,” the blog says.

“It may not be obvious that something untoward is happening but often hard drive noises, CPU fans or other indicators tell you otherwise. In this case however, the user could open the document safely, even click the “Enable Content” button and still remain safe and if no tell-tale signs of infection occur one might think all is well. Closing the document, or the Word application itself, however would trigger the infection routine by which point you may have felt a sense of relief nothing had happened. Short lived.”

Behind the scenes, the JavaScript payload was heavily obfuscated, using variable names that researchers say seem randomly generated. They also use Unicode and arithmetic to avoid signature-based detection.
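
Why matching signatures against the raw script text misses strings hidden behind Unicode escapes and arithmetic, and how normalising the text first recovers them, shown as an added example (not code from Unit 42 or from the malware). The signature list, the sample line and all function names are constructed for illustration, and the sample is only ever treated as text, never executed.

```javascript
// Added example: undo Unicode escapes and constant arithmetic before signature matching.
// SIGNATURES and SAMPLE are constructed for illustration; they are not Nemucod indicators.
const SIGNATURES = ["WScript.Shell", "ActiveXObject"];
const SAMPLE = String.raw`var xkqzv = "\u0057\u0053cr" + String.fromCharCode(0x69, 56*2, 100+16) + ".\x53hell";`;

const NUM = "(0x[0-9a-fA-F]+|\\d+)";
const LITERAL = new RegExp(`^\\s*${NUM}\\s*$`);
const BINARY = new RegExp(`^\\s*${NUM}\\s*([-+*/])\\s*${NUM}\\s*$`);

// Decode \uXXXX and \xXX escapes into the characters they stand for.
function decodeEscapes(src) {
  return src.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Evaluate an integer literal or one binary expression ("56*2") without eval; NaN otherwise.
function foldArithmetic(expr) {
  const lit = LITERAL.exec(expr);
  if (lit) return Number(lit[1]);
  const m = BINARY.exec(expr);
  if (!m) return NaN;
  const a = Number(m[1]), b = Number(m[3]);
  return { "+": a + b, "-": a - b, "*": a * b, "/": a / b }[m[2]];
}

// Replace String.fromCharCode(<constants>) with the quoted string it would build.
function foldCharCodes(src) {
  return src.replace(/String\.fromCharCode\(([^()]*)\)/g, (whole, args) => {
    const codes = args.split(",").map(foldArithmetic);
    return codes.every(Number.isInteger) ? JSON.stringify(String.fromCharCode(...codes)) : whole;
  });
}

// Merge adjacent double-quoted literals: "WScr" + "ipt" becomes "WScript".
function joinLiterals(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, '"$1$2"');
  } while (src !== prev);
  return src;
}

const normalise = (src) => joinLiterals(foldCharCodes(decodeEscapes(src)));
const matchSignatures = (src) => SIGNATURES.filter((sig) => src.includes(sig));

console.log(matchSignatures(SAMPLE));            // raw script text
console.log(matchSignatures(normalise(SAMPLE))); // normalised text
```

Randomly generated variable names are left untouched by this normalisation, which is why the signatures here target the strings a script must eventually produce rather than its identifiers.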