A look at the evolution of the Nemucod malware

18 May 2017

Unit 42 researchers have uncovered details about how the slippery Nemucod malware has been able to avoid detection, and it’s all to do with weaponised documents and heavily obfuscated JavaScript.

The new wave of Nemucod downloader malware arrives through malspam phishing and delivers a credential-stealing trojan. The stolen credentials are then used to masquerade as legitimate users.

According to the blog, ‘researchers pivoted on the Command and Control (C2) IPv4 address discovered during static analysis and deobfuscation, using their Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload’.

The malware has been tracked across various industry sectors in multiple countries, including Japan. It has been targeting sectors including professional services, utilities, high tech and healthcare. Due to the large presence of high tech companies in Japan, Nemucod targeted the region.

Most of the malware was delivered by email from Poland or using email addresses with Polish domain names. Recipient email addresses appeared valid when cross-checked against names and LinkedIn profiles, the blog says.

The malware steals credentials from Windows Credential Cache, Windows Vault, browsers and email clients.

One of the most notable characteristics is the evolution of the dropper, which has switched between weaponised documents and executable files. Researchers suspect the attackers were testing some type of capability.

The weaponised documents themselves have undergone a large number of revisions - one particular document went through 192.

Attackers also used social engineering and fake Microsoft Word message screens to lure victims into clicking through a fake message and running malicious macro code.

“Quite often when weaponized documents like these are opened or enabled (“Enable Content” has been clicked) the effect is immediate – CPU spikes, ransom messages appear, network connections are made and so on,” the blog says.

“It may not be obvious that something untoward is happening but often hard drive noises, CPU fans or other indicators tell you otherwise. In this case however, the user could open the document safely, even click the “Enable Content” button and still remain safe and if no tell-tale signs of infection occur one might think all is well. Closing the document, or the Word application itself, however would trigger the infection routine by which point you may have felt a sense of relief nothing had happened. Short lived.”

Behind the scenes, the JavaScript payload was heavily obfuscated, using variable names that researchers say appear randomly generated. The scripts also use Unicode and arithmetic to avoid signature-based detection.
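As an added example (not code from the article or from Unit 42), a Python heuristic that scores a JavaScript sample for the three traits described above: random-looking identifiers, Unicode escapes, and arithmetic used to assemble strings. The thresholds and the sample scripts are constructed assumptions, not Nemucod artefacts.

```python
import re
from collections import Counter
from math import log2

# Patterns for the obfuscation traits the write-up describes. Thresholds are
# assumptions chosen for this example, not tuned against real samples.
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}")
VAR_DECL = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)")
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(([^)]*)\)")
ARITH = re.compile(r"[-+*/%]")

def identifier_entropy(name: str) -> float:
    """Shannon entropy in bits per character; generated names score high."""
    counts = Counter(name)
    n = len(name)
    return -sum(c / n * log2(c / n) for c in counts.values())

def looks_random(name: str) -> bool:
    """Long, high-entropy identifier mixing digits or starved of vowels."""
    if len(name) < 8:
        return False
    has_digit = any(ch.isdigit() for ch in name)
    vowel_ratio = sum(ch.lower() in "aeiou" for ch in name) / len(name)
    return identifier_entropy(name) > 3.0 and (has_digit or vowel_ratio < 0.2)

def obfuscation_indicators(js: str) -> dict:
    """Count each trait so an analyst can see which ones fired."""
    names = VAR_DECL.findall(js)
    arith_calls = sum(1 for args in CHARCODE_CALL.findall(js) if ARITH.search(args))
    return {
        "unicode_escapes": len(UNICODE_ESCAPE.findall(js)),
        "arith_charcode_calls": arith_calls,
        "random_identifiers": sum(1 for n in names if looks_random(n)),
        "total_identifiers": len(names),
    }

def is_suspicious(js: str) -> bool:
    """Flag when at least two of the three traits exceed their thresholds."""
    ind = obfuscation_indicators(js)
    hits = ((ind["unicode_escapes"] >= 5) + (ind["arith_charcode_calls"] >= 1)
            + (ind["random_identifiers"] >= 2))
    return hits >= 2

# Constructed samples: one mimicking the described style, one ordinary script.
OBFUSCATED = r'''var qzX8vLp2wK = "\u0068\u0074\u0074\u0070\u003a";
var hF4mT9bRjs = String.fromCharCode(58+0, 47*1, 94/2);
var y7Kd2PwQnz = qzX8vLp2wK + hF4mT9bRjs;'''
BENIGN = "var total = 0; for (var i = 0; i < items.length; i++) { total += items[i].price; }"

if __name__ == "__main__":
    print(obfuscation_indicators(OBFUSCATED), is_suspicious(OBFUSCATED))
    print(obfuscation_indicators(BENIGN), is_suspicious(BENIGN))
```

Entropy alone misclassifies minified code, so the verdict deliberately requires two independent traits.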
