Blog

Quick Heal Security Labs
NemucodAES malspam is back and this time it brought along Kovter Trojan
July 21, 2017

For the last few weeks, we have been observing a new malicious spam (malspam) variant that is spreading via an email claiming to be from the United Parcel Service (UPS) carriages. The email carries a zip attachment that contains NemucodAES Ransomware and fileless Kovter Trojan.

Earlier, such malspam campaigns were delivering Cerber Ransomware and Kovter Trojan.

Attack Methodology

Step1 – The user receives a spam email with a malicious zip that contains a JavaScript file.

nemucod1

Fig 1. Spam email

Spam emails sent in this campaign usually contain the below subject lines and attachment names to trick the user into opening the email.

 

Subject Lines Attachment Names
***INFECTED*** Problems with item delivery n.004640147 UPS-Package-004640147.zip
***INFECTED*** Problems with item delivery n.001656569 UPS-Label-001656569.zip
Parcel ID004692898 delivery problems please review UPS-Receipt-004692898.zip
We could not deliver your parcel #004522553 UPS-Delivery-004522553.zip
Our UPS courier can not contact you (parcel #008284689) UPS-Parcel-ID-008284689.zip
Notification status of your delivery (UPS 5952930) UPS-Delivery-Details-5952930.zip
Notification status of your delivery (UPS 001387092) UPS-Package-001387092.zip

 

Step2 – JavaScript execution

The JavaScript file has a long variable which is used to download “counter.js” files from compromised websites. This “counter.js” is responsible for switching into embedded PHP and download its PHP interpreter files which are, in turn, responsible for encryption.

 

Fig 2. Malicious JavaScript

Fig 2. Malicious JavaScript

 

Fig3: Dropped files at %temp% location

Fig 3: Dropped files at %temp% location

After execution, files are encrypted without any extensions or name change. For encryption, a mix of AES-128 in ECB mode and RSA encryption algorithms are used in order to make the decryption of files more difficult.

After encryption, the below ransom note is displayed.

Fig 4. Ransom note

Fig 4. Ransom note

Along with with Nemucod Ransomware, the user’s computer is infected with the Kovter fileless malware. Kovter hides in the Windows registry which is used in campaigns that generate fraudulent clicks on online ads to make money for the attacker.

Fig 5. Kovter registry entry

Fig 5. Kovter registry entry

How Quick Heal helps

1. Quick heal Email Protection successfully blocks such malicious attachments even before they infect the system.

Fig 6. Quick Heal Email Protection

Fig 6. Quick Heal Email Protection

2. Quick Heal Virus Protection successfully detects and deletes the malicious script file used in the attack.

Fig 7. Quick Heal Web Security

Fig 7. Quick Heal Virus Protectio

3. The below graph shows the trend of the spam emails we received from 1st to 16th July 2017.

Fig 8

Fig 8

Security Tips

  1. Do not click on links or open attachments received in unexpected and unknown emails
  2. Do not open files with double extensions (e.g. doc.js, wsf.js, etc.)
  3. Avoid clicking on pop-up ads, especially those that talk about unbelievable offers
  4. Avoid visiting less-popular websites
  5. Keep your computer’s Operating System and software such as Adobe, Java, Internet browser, etc., patched and up-to-date

 

Acknowledgment

  • Subject Matter Expert
    Prashant Tilekar, Swati Gaikwad | Quick Heal Security Labs

SHARE THIS STORY

Have something to add to this story? Share it in the comments.

Quick Heal Security Labs
About Quick Heal Security Labs
Quick Heal Security Labs is a leading source of threat research, threat intelligence, and cybersecurity. It analyzes data fetched from millions of Quick Heal...
Articles by Quick Heal Security Labs »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image