Nemucod, a Trojan downloader, has been terrorizing users since December 2015. The Nemucod variant examined by our Threat Research team is delivered through malicious email (malspam) campaigns. Targets receive an email containing a Zip archive (.zip) attachment, which appears to come from a trustworthy sender.
In the context of an overall attack chain, Nemucod plays a limited, but critical, role in the overall compromise of a system or environment. As a malware dropper, it is a purpose-built piece of code with a singular objective: to execute a payload without being detected. The payload is interchangeable, making droppers a prime candidate for re-use across multiple malware campaigns or even groups of actors. In the vast majority of cases, a dropper like Nemucod is used conjunction with a user-driven Initial Access technique (e.g. file attachment, download link). The complexity of droppers comes from the obfuscation introduced to stymie static analysis of the code and may include logic to restrict the conditions that the dropper will execute to make dynamic analysis more difficult.
The techniques demonstrated in Nemucod are well-known, effective, and are still in use today. Given the damage caused by the types of malware Nemucod is commonly used to deliver, the message is clear: Breaking the attack chain as early as possible is key. Stop the dropper, stop the infection.
The following is a brief timeline of Nemucod malspam campaigns:
The Nemucod attack typically starts with a malicious zip archive file attached to an email. In one case, an email came from a French address on March 28, 2016 at 16:54. The message read:
Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants:
Message de sécurité
In English, this roughly translates to:
Your message is ready to send with the following files or links joined:
Figure 1: Extracted Zip archive containing the malicious Downloader script
Line 53 contains obfuscated code which pieces together a URL for downloading an executable file called 765f46vb.exe (Figure 3).
Figure 3: Building the download URL
Figure 4: Connecting to 126.96.36.199 and being redirected
Figure 5: Full packet capture request for 765f46vb.exe
A search for the payload on VirusTotal reveals two hashes. Our test case uses the 697CE53503DC8F28B6F9603563181F33D7EF840E8993313D15D5DC4914BFDB31 payload. Further analysis demonstrates various configurations of the version and the Command & Control (C2) servers (Figure 6).
Figure 6: Hard-coded IP addresses for the Locky C2 servers
This payload is one of the earliest identified versions of Locky, dating back to February 2016. While new versions of Locky create various extensions during encryption, this version appends .locky to the target files. Once all important files are encrypted, a ransom note, similar to the following, is displayed in the default browser and as an image on screen (Figure 7).
Figure 7: Locky compromise note
Nemucod has been used in several malspam campaigns over the years, a testament to its efficacy. It is capable of delivering a number of devastating malware payloads ranging from ransomware to backdoors. The prolific use of Nemucod as a go-to delivery Trojan for other malware makes this threat a concern for security organizations worldwide.
Users of CylancePROTECT® will be happy to hear that we detect and prevent Nemucod before it executes (Figure 8). By preventing Nemucod from delivering its malware payload, we spare our customers the costs and reputational damage caused by system breaches.
Figure 8: CylancePROTECT blocks Nemucod