
A look at the evolution of the Nemucod malware

18 May 17

Unit 42 researchers have uncovered details about how the slippery Nemucod malware has been able to avoid detection, and it’s all to do with weaponised documents and heavily obfuscated JavaScript.

The new wave of the Nemucod downloader is delivered by malspam phishing and drops a trojan that steals credentials. The stolen credentials are then used to masquerade as legitimate users.

According to the blog, ‘researchers pivoted on the Command and Control (C2) IPv4 address discovered during static analysis and deobfuscation, using their Threat Intelligence Service AutoFocus, and unearthed many more versions of the malware, and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload’.

The malware has been tracked across various industry sectors in multiple countries, including Japan. It has been targeting sectors including professional services, utilities, high tech and healthcare. Due to the large presence of high-tech companies in Japan, Nemucod targeted the region.

Most of the malware was delivered by email from Poland or using email addresses with Polish domain names. Recipient email addresses seemed valid when cross-checked with names and LinkedIn credentials, the blog says.

The malware steals credentials from Windows Credential Cache, Windows Vault, browsers and email clients.

One of the most notable characteristics is the evolution of the dropper, which has switched back and forth between weaponised documents and executable files. Researchers suspect the attackers were testing some type of capability.

The weaponised documents themselves have undergone a large number of revisions; one particular document went through 192.

Attackers also used social engineering and fake Microsoft Word message screens to lure victims into enabling and running malicious macro code.

“Quite often when weaponized documents like these are opened or enabled (“Enable Content” has been clicked) the effect is immediate – CPU spikes, ransom messages appear, network connections are made and so on,” the blog says.

“It may not be obvious that something untoward is happening but often hard drive noises, CPU fans or other indicators tell you otherwise. In this case however, the user could open the document safely, even click the “Enable Content” button and still remain safe and if no tell-tale signs of infection occur one might think all is well. Closing the document, or the Word application itself, however would trigger the infection routine by which point you may have felt a sense of relief nothing had happened. Short lived.”

Behind the scenes, the JavaScript payload was heavily obfuscated, using variable names that researchers say appear to be randomly generated. The script also uses Unicode encoding and arithmetic expressions to evade signature-based detection.
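The three evasion traits just described (random-looking identifiers, Unicode escapes, strings built with arithmetic) are exactly the things a signature cannot pin down but a heuristic can. The following is an added defender-side example, not code from the article or from Unit 42: it scores a JavaScript sample on those three traits, using two constructed snippets (a deliberately obfuscated one written in the style described, and a plain one) as input. The thresholds are assumptions chosen for illustration, not values from the report.

```python
import re

# Constructed sample inputs (not from the Unit 42 report): one snippet written in
# the style the article describes (Unicode escapes, strings assembled with
# arithmetic, random-looking names) and one ordinary script for comparison.
OBFUSCATED_JS = r"""
var qzjxwv = "\u0057\u0053\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0068";
var hmtrpk = String.fromCharCode(101*1, 50+58, 0x6c, 7*16, 1+67);
var bqwnlf = qzjxwv + hmtrpk + String.fromCharCode(108-2, 2*55);
"""
BENIGN_JS = r"""
function formatName(first, last) {
  var fullName = first + " " + last;
  return fullName.trim();
}
"""

UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")
IDENTIFIER = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")
JS_KEYWORDS = {"var", "let", "const", "function", "return", "if", "else",
               "for", "while", "new", "this", "String", "fromCharCode"}

def looks_random(name):
    """Four or more consecutive consonants (e.g. 'qzjxwv') is a crude but
    effective sign of a generated name; 'formatName' never exceeds two."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    runs = re.findall(r"[^aeiou]+", letters)
    return max((len(r) for r in runs), default=0) >= 4

def obfuscation_score(js):
    """Heuristic score in [0, 3]: up to one point each for Unicode-escape
    density, arithmetic inside fromCharCode arguments, and the share of
    identifiers that look random. Plain, readable code scores 0.0."""
    lines = max(1, js.count("\n"))
    escapes_per_line = len(UNICODE_ESCAPE.findall(js)) / lines
    arithmetic_calls = sum(1 for m in FROM_CHAR_CODE.finditer(js)
                           if re.search(r"[-+*/]", m.group(1)))
    stripped = UNICODE_ESCAPE.sub("", js)   # escapes would otherwise look like names
    names = [n for n in IDENTIFIER.findall(stripped)
             if n not in JS_KEYWORDS and len(n) >= 5]
    random_ratio = (sum(looks_random(n) for n in names) / len(names)
                    if names else 0.0)
    # Assumed thresholds: two escapes per line / two arithmetic calls saturate a point.
    score = min(1.0, escapes_per_line / 2) + min(1.0, arithmetic_calls / 2) + random_ratio
    return round(score, 2)

def is_suspicious(js, threshold=1.5):
    """Flag a script that shows at least two of the three evasion traits."""
    return obfuscation_score(js) >= threshold
```

A score like this is a triage signal for sandboxing or analyst review, not a verdict; minified production JavaScript can also trip the identifier check, so tune the threshold against your own benign corpus.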
