Nemucod Trojan Spreads Ransomware via Emails

Last week, a tsunami of spam emails was reported in Australia, Japan, Europe, and North America. Next week it is expected to be even bigger.

In Australia, the tsunami accounted for 33% of all malware detected, while in New Zealand it reached 40%. Because Australians have shown a willingness to pay to get rid of ransomware, these countries have been consistent targets of this threat during the past month.

This malware propagation campaign has been notable because the detection rates have been unusually high: peaks of more than 30% in Australia, and at one stage detection in Japan was above 75%, something not seen in malware spear phishing for a long time.

This malware is called Nemucod, and it targets Windows x86 devices with ransomware. Microsoft has classified the threat as ‘severe’, though the good news is that most up-to-date anti-virus programs already detect it.

Security researcher and evangelist Peter Staník says, “Nemucod is widespread via emails, which contain attached zipped files. Emails are written in a very trustworthy way, claiming to be invoices, notices of appearance in court or other official documents. Attackers encourage users to open the malicious attachment that contains a JavaScript file, which, once opened, downloads and installs Nemucod to the victim’s PC.”

At present, Nemucod mainly downloads ransomware payloads such as TeslaCrypt or Locky, though it is also known to run Miuref, a Trojan that can hijack your browser, direct you to unsafe Internet locations and display malvertising. It can also expose you to other viruses, worms and keyloggers, which may allow hackers to steal data and log-in details and to use system resources for Bitcoin mining.

Currently, it is delivering both TeslaCrypt and Locky ransomware. Next week it could be other versions of malware.

Nemucod is not much different from the ‘rivers of liver and oceans of spam’ that Hawkeye Pierce complained about in M.A.S.H. The problem is that we receive it daily from a single specific purveyor of spam: one cyber-criminal responsible for 33% of malware emails last month. At the same time, hackers are getting smarter, using social engineering and incorporating more social media ‘insider’ information in the email to make you open it.

Like other malware campaigns, this one uses email as the attack vector. Posing as a fake invoice, the message tries to convince users to open an attached ZIP file. Usually, the sender of the email is another user who was infected previously, so the malware continues to propagate as long as it has possible victims.

The ZIP file contains a JavaScript .js file instead of an .exe. Cyber criminals use this technique to evade detection by some mail scanners and reach as many victims as possible.

Be aware that a JavaScript file is as dangerous as an .exe file. For that reason, malware experts strongly advise users to check emails carefully and keep their anti-virus program up to date.
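The delivery chain described above (lure email, ZIP attachment, script file inside the archive) is exactly what a mail gateway rule can look for. The following is an added example, not code from the original article or from any vendor mentioned in it: it builds a constructed sample message in memory, parses it with Python's standard `email` library, opens any ZIP attachment without executing anything, and flags members whose names end in an extension that Windows Script Host or the shell would run. The article only mentions .js; the other extensions in `RISKY_EXTENSIONS`, the sample sender and subject, and the double-extension member name `invoice_2016.pdf.js` are assumptions made for the illustration.

```python
"""Flag e-mail attachments that carry script files, directly or inside a ZIP.

Added example (not from the original article). Nothing in the ZIP is
executed; the member names alone are inspected, which is enough to catch
the "invoice.zip -> invoice.js" pattern described in the text.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default
from typing import Dict, List, Optional

# Extensions Windows runs when double-clicked. The article names .js; the
# remaining entries are assumptions covering other common script lures.
RISKY_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".hta", ".exe", ".scr", ".cmd", ".bat",
}


def _risky_suffix(name: str) -> Optional[str]:
    """Return the risky extension a file name ends with, or None.

    Matching on the final suffix catches double extensions such as
    'invoice.pdf.js', which look like a document when Windows hides
    known extensions.
    """
    lowered = name.lower().rstrip("/")
    for ext in RISKY_EXTENSIONS:
        if lowered.endswith(ext):
            return ext
    return None


def scan_message(raw: bytes) -> List[Dict]:
    """Return one finding per risky attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=default)
    findings: List[Dict] = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""

        # Case 1: the script or executable is attached directly.
        ext = _risky_suffix(fname)
        if ext:
            findings.append({"attachment": fname, "member": None,
                             "reason": f"direct {ext} attachment"})

        # Case 2: the script is hidden inside a ZIP archive.
        is_zip = fname.lower().endswith(".zip") or \
            part.get_content_type() == "application/zip"
        if not is_zip:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    mext = _risky_suffix(info.filename)
                    if mext:
                        findings.append({"attachment": fname,
                                         "member": info.filename,
                                         "reason": f"{mext} inside ZIP"})
        except zipfile.BadZipFile:
            # A ZIP-named attachment that is not a valid archive is itself
            # suspicious; report it rather than silently passing it.
            findings.append({"attachment": fname, "member": None,
                             "reason": "corrupt or non-ZIP payload"})
    return findings


def build_sample_message(member_name: str = "invoice_2016.pdf.js") -> bytes:
    """Constructed lure: an 'invoice' email with a ZIP containing one member.

    The member content is placeholder text, not a real downloader.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "// placeholder text for the example\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed sender
    msg["To"] = "recipient@example.invalid"   # constructed recipient
    msg["Subject"] = "Invoice #12345"         # constructed subject
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Run as a script, it reports the `.js` member hidden in `invoice.zip`; feed `scan_message` the bytes of a real `.eml` file to check a captured message. A production rule would also cap the number and size of archive members it inspects, so that a deliberately huge or nested archive cannot tie up the scanner.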
