New malware campaign spreads backdoors instead of ransomware


One of the most active Trojans this year has changed tactics and is now installing backdoors on target machines instead of ransomware.

Nemucod was used in several large campaigns in 2016, having reached a 24 per cent share on global malware detections in March this year, according to the firm. In the past, Nemucod payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. But now it has changed to serve up a backdoor.

According to security researchers at ESET, the backdoor detected is Kovter. As a backdoor, this Trojan allows the attacker to control machines remotely without the victim's consent or knowledge. Researchers said the variant analysed has been enhanced with an ad-clicking capability delivered via an embedded browser. The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change according to commands from the attacker, but Kovter can also alter it automatically, since it monitors the computer's performance level. If the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.

The current version spreads Kovter as an email ZIP attachment pretending to be an invoice and containing an infected executable JavaScript file. In a blog post, security researcher Ondrej Kubovic said that if the user “falls for the trap and executes the infected file – the Nemucod downloader – it downloads Kovter onto the machine and executes it.”

Mark James, security specialist at ESET, told SCMagazineUK.com that from a business perspective it's quite a concern for a number of reasons.

“Keeping your business safe these days is not as simple as installing a program and waiting for it to tell you there's a problem. Multi-layered security needs to be constantly monitored and adapted to combat modern-day threats; any of the characteristics of Kovter could prove fatal for your business, so making sure you're protected should be of paramount importance,” he said.

James added that organisations should make sure that operating systems and applications are up to date and patched to current levels, which helps keep users safer against any type of malware.

“Having a good understanding of how it is delivered and what it looks like is a good start; blocking or quarantining attachments that contain certain extensions like BAT, CMD, EXE, SCR or JS will enable you to review any potentially infected emails before they arrive at the users' fingertips,” he added.
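The attachment check James describes, written out as an added example (it is not ESET's or SC Magazine's code). It flags the extensions named above, looks at every suffix so a double-extension lure such as `invoice.pdf.js` is caught, and opens ZIP attachments to inspect member names, since the campaign in this article delivers the JavaScript downloader inside a ZIP posing as an invoice. The sample file names, the archive list and the `build_sample_zip` helper are constructed for the demonstration; a real mail gateway would also look at content type and archive nesting, which this example does not cover.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Set, Tuple

# Attachment extensions named in the article as candidates for blocking/quarantine.
BLOCKED_EXTENSIONS = {"bat", "cmd", "exe", "scr", "js"}
# Archive types we look inside (constructed list; the article mentions ZIP).
ARCHIVE_EXTENSIONS = {"zip"}


def suspicious_extensions(filename: str) -> Set[str]:
    """Return every blocked extension found anywhere in the file name.

    All suffixes are checked, not only the last one, so 'invoice.pdf.js'
    is reported as a JS file even though it ends in a familiar-looking name.
    """
    suffixes = {s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes}
    return suffixes & BLOCKED_EXTENSIONS


def should_quarantine(filename: str, data: Optional[bytes] = None) -> Tuple[bool, List[str]]:
    """Decide whether an attachment should be held for review.

    Returns (quarantine?, reasons). When the attachment is a ZIP and its bytes
    are supplied, member names inside the archive are checked as well.
    """
    reasons: List[str] = []
    hits = suspicious_extensions(filename)
    if hits:
        reasons.append(f"{filename}: blocked extension {sorted(hits)}")
    outer = PurePosixPath(filename).suffix.lstrip(".").lower()
    if outer in ARCHIVE_EXTENSIONS and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = suspicious_extensions(member)
                    if inner:
                        reasons.append(f"{filename} -> {member}: blocked extension {sorted(inner)}")
        except zipfile.BadZipFile:
            # A file that claims to be an archive but is not one deserves a look too.
            reasons.append(f"{filename}: named as ZIP but not a valid archive")
    return (bool(reasons), reasons)


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: an in-memory ZIP holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder text, not a real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: a clean PDF, a double-extension lure,
    # a ZIP carrying a .js member, and a ZIP of ordinary photos.
    samples = [
        ("report.pdf", None),
        ("invoice.pdf.js", None),
        ("invoice_2016.zip", build_sample_zip("invoice.js")),
        ("photos.zip", build_sample_zip("holiday.jpg")),
    ]
    for name, payload in samples:
        held, why = should_quarantine(name, payload)
        print(f"{name}: {'QUARANTINE' if held else 'allow'} {why}")
```

Held messages go to a review queue rather than being silently dropped, which is the point James makes: the goal is to see the mail before the user does, not to make it vanish.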

Paul Ducklin, senior technologist at Sophos, told SC that backdoor Trojans are, in many ways, much worse than ransomware. “With proper backup, you can recover from ransomware without paying. Even without backup, there's usually a chance to get yourself out of trouble by sending US$500 (£385) to the crooks, for all that it hurts your heart to do so,” he said.

“On the other hand, you can't ever fully recover from having had crooks in your network for days, weeks, maybe even months.”

Jonathan Martin, Anomali EMEA operations director, told SC that more and more we're seeing malware that uses automatically generated domains for its command and control sites.

“This means that monitoring or blocking semi-static lists of known bad sites is becoming less effective as these domains only live for a short period of time – maybe only a few hours. So, we need to have a way of deciding whether traffic going to a specific site is worth investigating or not,” he said.

“This is not an exact science however; many tools, both commercial and open-source, can only act as inputs into the decision making process that has to be carried out. Organisations will still need to rely on highly-skilled analysts to make those decisions and to reduce the amount of wasted time investigating potential false positives.”
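Martin's point is that a static blocklist cannot keep up with short-lived, algorithmically generated domains, so defenders need a way to rank outbound destinations for investigation. The following added example (not Anomali's tooling, and not an exact science, as Martin says) scores a domain's registrable label on cheap lexical signals: character entropy, length, vowel scarcity and digit density. The thresholds and the sample domains are constructed for illustration, and the label extraction simply takes the second-to-last DNS label rather than consulting a public-suffix list, which is an assumption that breaks on names like `example.co.uk`. The output is meant as one input to an analyst's triage, not a verdict.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(domain: str) -> str:
    """Crude registrable label: second-to-last DNS label (assumption: no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain: str) -> Dict[str, float]:
    """Score a domain on lexical signals typical of generated names.

    Each signal adds one point; thresholds are constructed for this example.
    """
    label = registrable_label(domain)
    entropy = shannon_entropy(label)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    digit_ratio = (sum(ch.isdigit() for ch in label) / len(label)) if label else 0.0

    score = 0.0
    if entropy > 3.5:          # many distinct characters, little repetition
        score += 1
    if len(label) >= 12:       # long labels are unusual for human-chosen names
        score += 1
    if vowel_ratio < 0.2:      # unpronounceable consonant strings
        score += 1
    if digit_ratio > 0.2:      # digits mixed through the name
        score += 1
    return {
        "entropy": round(entropy, 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "digit_ratio": round(digit_ratio, 3),
        "score": score,
    }


def triage(domains: Iterable[str], threshold: float = 2.0) -> List[str]:
    """Return the domains whose score reaches the threshold, for analyst review."""
    return [d for d in domains if score_domain(d)["score"] >= threshold]


if __name__ == "__main__":
    # Constructed sample of destinations seen in proxy or DNS logs.
    seen = ["google.com", "scmagazineuk.com", "xk3j9qz8v2lm4wrt.net", "a1b2c3d4e5f6g7.info"]
    for d in seen:
        print(d, score_domain(d))
    print("review:", triage(seen))
```

A practitioner would feed such scores, together with domain age, resolution history and who else in the estate contacted the name, into the decision Martin describes; the score alone will produce false positives on legitimate CDN or tracking hostnames, which is exactly why he stresses skilled analysts over any single tool.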