Evil twins NemucodAES and Kovter spreading in joint malware campaign

News by Rene Millman

Ransomware teams up with click-fraud malware in a double whammy combining NemucodAES and Kovter to hit victims unawares.

Two types of malware, NemucodAES and Kovter, have been bundled together by hackers in email attachments and sent to victims via a spam campaign, according to a security researcher.

Brad Duncan, writing on the Sans ISC InfoSec Forums blog, said that over the last two weeks he had noticed a significant increase in malicious spam (malspam) with attached zip archives disguised as delivery notices from the United Parcel Service (UPS). These zip archives contain JavaScript files designed to download and install NemucodAES ransomware and Kovter malware on a victim's Windows computer.

He said that while malspam with zip archives containing JavaScript files is easy for most organisations to detect, an ongoing concern here is that the Nemucod ransomware currently pushed by this malspam is a new variant called NemucodAES. This new variant is written in JavaScript and PHP and uses AES and RSA to encrypt a victim's files.

“Kovter is an older malware, but it's also an ongoing concern. Together, these two pieces of malware could deliver a nasty punch,” he said.

In the latest campaign, when the zip file is opened, a JavaScript file is extracted.

“Network traffic was typical for an infection by one of the .js files. We first see HTTP requests for the NemucodAES JavaScript, followed by requests for various executables. Then we see the post-infection Kovter traffic. NemucodAES doesn't generate any traffic on its own,” said Duncan.

He added that the infected Windows host opened a notification with the decryption instructions. Encrypted files retained their original file names (no added file extensions, as is often seen with other ransomware).

Duncan said he found artifacts in the user's AppData\Local and AppData\Local\Temp directories.

“Some of these files are not inherently malicious. A legitimate PHP executable and DLL file were found in the user's AppData\Local\Temp directory, along with the NemucodAES decryption instructions (an .hta file) and a Windows desktop background for the ransomware (a .bmp file),” said Duncan.

The ransom note demands 0.63778 Bitcoins in order to release the files. Duncan said that he saw a “lot of post-infection events for Kovter command and control traffic. But I'm not certain click-fraud is involved anymore.”

Duncan said that with proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected.

“But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve,” he warned.
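As an added illustration of the attachment filtering Duncan refers to (example code written for this article, not from Duncan, SANS ISC or any vendor quoted here), the following inspects a zip attachment and flags any JavaScript file inside it, including one hidden in a nested zip. The sample archives are constructed in memory and are not real campaign artefacts; the extra script extensions beyond .js are an assumption.

```python
import io
import zipfile

# File types a parcel-delivery notice never legitimately ships in an archive.
# Only .js is named in the article; the other extensions are an assumption.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def script_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return names of script files inside a zip attachment, descending one
    level into nested zips (a common way to hide the .js from mail filters)."""
    hits: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a zip at all; leave it to other checks
    with archive:
        for info in archive.infolist():
            name = info.filename
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                hits.append(name)
            elif name.lower().endswith(".zip") and depth < 1:
                inner = archive.read(info)
                hits.extend(f"{name}!{m}" for m in script_members(inner, depth + 1))
    return hits


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used here only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a fake UPS notice carrying a .js file, the same archive
# wrapped in a second zip, and a harmless PDF attachment.
MALSPAM_ZIP = build_archive({"UPS-Delivery-Notification.js": b"// placeholder"})
NESTED_ZIP = build_archive({"UPS-Notice.zip": MALSPAM_ZIP})
BENIGN_ZIP = build_archive({"Invoice.pdf": b"%PDF-1.4 sample"})


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy from the article: archives carrying JavaScript get blocked."""
    return bool(script_members(zip_bytes))


if __name__ == "__main__":
    for label, blob in (("malspam", MALSPAM_ZIP), ("nested", NESTED_ZIP), ("benign", BENIGN_ZIP)):
        print(label, should_quarantine(blob), script_members(blob))
```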

Andy Norton, risk officer EMEA at SentinelOne, told SC Media UK that the two malwares are being packaged together as they offer the cyber-criminal gang different ways of making money.

“Nemucod tries to extract a ransom, and Kovter has been associated with click-fraud and downloading other malware payloads,” he said.

“The benefit is that the Nemucod JavaScript ransomware payload is very visible and is the sole focus of the victim. If that ransomware payload is unencrypted with an available decryption security tool and then removed, the user will assume the computer is now restored; however, the silent Kovter threat will remain, further exposing the victim to future harm.”

He added that organisations can implement a threat-agnostic defence that does not have a bias in protection levels towards EXE-based attacks, commenting, “Using behaviour modelling is the best way to reform the existing endlessly unsuccessful cat and mouse approach to enterprise security.”

Paul Ducklin, senior technologist at Sophos, told SC Media UK that malware is often seen hunting in pairs.

“If you think about it, ransomware is an ideal 'cover story' for more insidious malware variants such as keyloggers, bots and RATs (remote access Trojans). Ransomware is right-in-your-face; it advertises its presence even to the point of changing your wallpaper; and it demands immediate attention because it stops you getting on with your work. By the time you've dealt with it, you might be disinclined to dig any further to look for additional malware that isn't obvious at all,” he added.
