Last week, a tsunami of spam emails was reported in Australia, Japan, Europe, and North America. Next week it is expected to be even bigger.
In Australia the campaign accounted for 33% of all malware detected, and in New Zealand it reached 40%. Because Australians are willing to pay to get rid of ransomware, these countries have been consistent targets of this threat over the past month.
This malware propagation campaign has been notable because the detection rates have been unusually high: peaks of more than 30% in Australia, and at one stage detection in Japan was above 75%, something not seen in malware spear phishing for a long time.
This malware is called Nemucod and it targets Windows x86 devices with ransomware. Microsoft has classified the threat as ‘severe’, though the good news is that most up-to-date anti-virus programs already detect it.
Presently, Nemucod mainly downloads ransomware payloads such as TeslaCrypt or Locky, though it is also known to run Miuref, a Trojan that can hijack your browser, direct you to unsafe Internet locations and display malvertising. It can also expose you to other viruses, worms and keyloggers, which may allow hackers to steal data and login details and use system resources for Bitcoin mining.
Currently, it is delivering both TeslaCrypt and Locky ransomware. Next week it could be other versions of malware.
Nemucod is not much different from the ‘rivers of liver and oceans of spam’ that Hawkeye Pierce complained about in M.A.S.H. The problem is that we receive it daily from a single specific purveyor of spam, one cyber-criminal responsible for 33% of malware emails last month. At the same time, hackers are getting smarter, using social engineering and incorporating more social-media ‘insider’ information in the email to make you open it.
Like other malware campaigns, the hackers use email as the attack vector. Posing as a fake invoice, they try to trick users into opening an attached ZIP file. Usually, the sender of the email is another user who was infected earlier, so the malware keeps propagating as long as it has potential victims.
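The delivery pattern described above (an invoice-themed email carrying a ZIP attachment that does not contain the document it claims to) is something a mail gateway can check for before the attachment reaches a user. The script below is an added example written for this article, not code from the article or from any vendor named in it. It assumes that a Nemucod-style archive contains a script or executable rather than a PDF (Nemucod is widely reported as a JavaScript downloader, but the article itself does not say so, so treat it as an assumption here); the list of risky file types, the invoice keywords and the sample messages are all constructed for the example.

```python
import io
import zipfile

# File types a gateway would not expect inside an "invoice" archive.
# Assumed list for this example, not taken from the article.
RISKY_SUFFIXES = (".js", ".jse", ".vbs", ".wsf", ".exe", ".scr",
                  ".cmd", ".bat", ".ps1", ".hta")
# Words that mark an invoice-themed lure (assumed list).
INVOICE_WORDS = ("invoice", "receipt", "payment", "bill")


def build_zip(members):
    """Constructed sample helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip_attachment(filename, blob):
    """Return a list of findings for one ZIP attachment.

    An empty list means nothing suspicious was seen. Only the archive
    listing is examined; member contents are never executed or rendered.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    lure = any(w in filename.lower() for w in INVOICE_WORDS)
    for info in zf.infolist():
        name = info.filename
        low = name.lower()
        if low.endswith(RISKY_SUFFIXES):
            findings.append(f"script/executable member: {name}")
        # Double extension such as 'invoice.pdf.js': the last part decides
        # what Windows will run, the middle part is only there to mislead.
        parts = low.rsplit("/", 1)[-1].split(".")
        if len(parts) >= 3 and "." + parts[-1] in RISKY_SUFFIXES:
            findings.append(f"double extension: {name}")
    if lure and findings:
        findings.append("invoice-themed archive carrying active content")
    return findings


def triage_messages(messages):
    """Run the ZIP check over a batch of messages.

    Each message is a dict with 'from', 'subject', 'attachment_name' and
    'attachment' (raw bytes). Returns {subject: findings} for messages
    whose ZIP attachment produced at least one finding.
    """
    report = {}
    for m in messages:
        name = m["attachment_name"]
        if not name.lower().endswith(".zip"):
            continue
        found = inspect_zip_attachment(name, m["attachment"])
        if found:
            report[m["subject"]] = found
    return report


# Constructed sample messages (not real campaign data).
SAMPLE_MESSAGES = [
    {"from": "accounts@example.invalid", "subject": "Invoice 2289",
     "attachment_name": "invoice_2289.zip",
     "attachment": build_zip({"invoice_2289.pdf.js": b"// placeholder text, not a real script\n"})},
    {"from": "hr@example.invalid", "subject": "Monthly report",
     "attachment_name": "report.zip",
     "attachment": build_zip({"report.pdf": b"%PDF-1.4 placeholder"})},
]

if __name__ == "__main__":
    for subject, findings in triage_messages(SAMPLE_MESSAGES).items():
        print(subject)
        for f in findings:
            print("  -", f)
```

Run as-is, the script flags only the invoice-themed message, because its archive contains a `.pdf.js` member rather than a PDF. A real gateway would quarantine such messages rather than print them, and would also apply the check to archives nested inside archives, which this example does not do.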