However, this is an ongoing concern, and the Nemucod ransomware currently pushed by this malspam is a new variant called NemucodAES. According to BleepingComputer, different researchers have identified and tracked this new variant. A decryptor for NemucodAES is currently available from Emsisoft.
Kovter is an older malware, but it's also an ongoing concern. Together, these two pieces of malware could deliver a nasty punch. This diary reviews some emails and traffic from recent malspam pushing Kovter and NemucodAES.
History of Nemucod
History of Kovter
In 2013, Kovter acted as police ransomware that sat on a user's Windows host waiting for specific types of events to happen. An example? After getting infected with Kovter, if a victim started a file-sharing application, Kovter would generate a popup message stating he or she violated the law. Then the infected host would demand the victim pay a fine.
By 2014, we started seeing Kovter identified as click-fraud malware. Click-fraud is when a person, computer program, or automated script generates network traffic by contacting numerous websites (or the same website numerous times). This simulates people clicking a web page or online advertisement. Advertisers are paid based on how many people click on their ads. Regular websites can charge more for ads based on how many people view the site. Click-fraud malware generates fake network traffic so people can charge more for web-based ads or content.
By 2015, Kovter started hiding in the Windows registry to avoid detection. Kovter's persistence in an infected Windows host consists of various elements. The end result? The initial executable deletes itself after infecting the Windows host, and Kovter effectively becomes a "fileless" infection.
Kovter hasn't changed much since I started documenting it in 2016. Post-infection traffic is remarkably similar from a sample I collected in January 2016 to the one from July 2017 discussed in this diary. I see a lot of post-infection events for Kovter command and control traffic. But I'm not certain click-fraud is involved any more.
Kovter/NemucodAES malspam from July 2017
As mentioned earlier, this malspam has appeared daily during the past two weeks or so. I collected three for this diary:
The infected Windows host
The infected Windows host opened a notification with the decryption instructions. Encrypted files retained their original file names (no added file extensions as we often see with other ransomware). And I found artifacts in the user's AppData\Local and AppData\Local\Temp directories. Some of these files are not inherently malicious. A legitimate PHP executable and DLL file were found in the user's AppData\Local\Temp directory, along with the NemucodAES decryption instructions (an .hta file) and a Windows desktop background for the ransomware (a .bmp file).
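Because the PHP executable and DLL are legitimate on their own, a triage check has to key on the combination of artifacts in the Temp directory rather than on any single file. The following is an added example, not code from this diary: it flags user Temp directories that hold all four artifact types described above. The "php" file-name prefix and the sample paths are assumptions, since the file names are not given here.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

REQUIRED = {"php_exe", "php_dll", "hta", "bmp"}

def classify(name):
    """Map a file name to one of the artifact kinds the diary lists, or None."""
    n = name.lower()
    # Assumption: the PHP interpreter and its DLL have names starting with "php".
    if n.startswith("php") and n.endswith(".exe"):
        return "php_exe"
    if n.startswith("php") and n.endswith(".dll"):
        return "php_dll"
    if n.endswith(".hta"):
        return "hta"   # decryption instructions
    if n.endswith(".bmp"):
        return "bmp"   # ransomware desktop background
    return None

def triage(paths):
    """Return {temp_dir: kinds} for user Temp dirs holding all four kinds."""
    seen = defaultdict(set)
    for raw in paths:
        p = PureWindowsPath(raw)
        tail = [part.lower() for part in p.parent.parts[-3:]]
        if tail != ["appdata", "local", "temp"]:
            continue  # only files directly in ...\AppData\Local\Temp
        kind = classify(p.name)
        if kind:
            seen[str(p.parent)].add(kind)
    # No single file is malicious by itself; only the full set is reported.
    return {d: sorted(k) for d, k in seen.items() if REQUIRED <= k}

# Constructed listing (not from the diary): alice has the full set, bob has
# only an .hta and a .bmp, carol has PHP installed outside Temp.
SAMPLE = [
    r"C:\Users\alice\AppData\Local\Temp\php.exe",
    r"C:\Users\alice\AppData\Local\Temp\php_runtime.dll",
    r"C:\Users\alice\AppData\Local\Temp\instructions.hta",
    r"C:\Users\alice\AppData\Local\Temp\background.bmp",
    r"C:\Users\bob\AppData\Local\Temp\report.hta",
    r"C:\Users\bob\AppData\Local\Temp\chart.bmp",
    r"C:\dev\php\php.exe",
    r"C:\dev\php\php_runtime.dll",
]

if __name__ == "__main__":
    for temp_dir, kinds in triage(SAMPLE).items():
        print(temp_dir, kinds)
```

The input can be any recursive file listing exported from an endpoint; a hit is a lead for review, not proof of infection.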
Indicators of Compromise (IOCs)
The following IOCs are associated with the emails and infection on Thursday 2017-07-13:
Attached zip archives:
Extracted .js files:
Kovter executable (deletes itself after infection):
Domains used in the .js files and NemucodAES decryption instructions:
Kovter post-infection traffic:
Traffic and artifacts from this infection can be found here.
As mentioned earlier, with proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected. But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve.
Has one of these messages hit your inbox? If so, please share your story in the comments section.
Jul 14th 2017
9 months ago
Those guys are either not in a hurry to get their cash, or quite ignorant of bitcoin.
The instructions don't allow for any transfer fees, so it can be hours but also weeks before the transaction is confirmed.
Jul 15th 2017
9 months ago