During the past few months, Nemucod malware has suffered some improvements which have made it even harder to detect while it’s performing its activity
Nemucod is a trojan which falls in the category of malware downloaders. The malware was discovered in March, last year. The only purpose of Nemucod is to be as lightweight as possible in order to attract little attention, to infect computers, and download another, more potent malware after that.
Actually, malware that are similar to Nemucod is practically everywhere, and you can hardly see complex malware like backdoor trojans, banking trojans, or ransomware, ever infect a PC directly anymore. Over the past months, Nemucod’s mode of operation was quite simple. A user would open a malicious file, it would get infected with Nemucod, it would access a URL, download the payload, and execute it directly.
According to ESET security experts, due to the fact that most antivirus companies have caught on to how most malware downloaders work these days, the creators of Nemucod decided that it was time for some modifications. In its latest versions, Nemucod uses a seven-step procedure to download the final payload, no matter if its Cerber, Locky, or something else.
As a first step, Nemucod selects a method through which to connect to its C&C servers that host the second-stage, more potent malware. Before Nemucod used only one method to connect online. Currently, it uses several, so if the first method is blocked by firewalls, it may have other avenues to reach its download locations.
As a second step, Nemucod selects one random download site from a list of hardcoded URLs. Before, Nemucod came with one download URL, which if it failed or authorities took it down, it would also render all Nemucod instances useless.
As a third step, Nemucod downloads the payload, which is currently obfuscated, and not just one simple EXE file. After that, the malware moves to deobfuscate the file.
The four step is a second deobfuscation round. Step five is a validity check of the downloaded file. In case the check fails, Nemucod goes back to step two and selects another download location.
The sixth step is a third deobfuscation round. Step seven is the final execution stage, which also features a twist. In its older versions, Nemucod executed the file directly. Presently, Nemucod creates a bat file, executes the bat file, which in turn contains instructions to start the second-stage malware payload.
“As you can see, the authors of Nemucod have been busy improving their downloader to increase the probability that it can run its malicious payload undetected,” the ESET experts said. “With all these new features, one can even speculate that they are working hard to improve their success rate in corporate environments, where proxy servers and UTM gateways may have been blocking their payloads in the past.“
