NemucodAES and the malspam that distributes it, (Fri, Jul 14th)

Introduction

During the past two weeks or so, I've noticed a significant increase in malicious spam (malspam) with attached zip archives disguised as delivery notices from the United Parcel Service (UPS). These zip archives contain JavaScript files designed to download and install NemucodAES ransomware and Kovter malware on a victim's Windows computer. My Online Security reported on this recent wave of malspam late last month, and it

Shown above: Example of an email from Thursday 2017-07-13.

Malspam with zip archives containing JavaScript files is easy for most organizations to detect. Yesterday, I visited one such organization, where someone showed me several of these messages blocked by mail filters and identified as malware. But most people have more pressing concerns. Investigating blocked emails is pretty low on their list of priorities.

However, this is an ongoing concern, and the Nemucod ransomware currently pushed by this malspam is a new variant called NemucodAES. According to BleepingComputer, different researchers have identified and tracked this new variant. A decryptor for NemucodAES is currently available from Emsisoft.

Kovter is an older malware, but it's also an ongoing concern. Together, these two pieces of malware could deliver a nasty punch. This diary reviews some emails and traffic from recent malspam pushing Kovter and NemucodAES.

History of Nemucod

Nemucod is a term for a text-based script (usually a JavaScript file) that downloads and installs malware. By the last quarter of 2015, the term Nemucod was used by several security vendors to identify JavaScript-based Trojan downloaders. In several cases, Nemucod downloaded and installed ransomware binaries like TeslaCrypt. By March 2016, we started seeing reports of Nemucod ransomware that stopped downloading ransomware binaries in favor of using its own script-based ransomware component.

And now in July 2017, we see the next phase of Nemucod ransomware: NemucodAES. Emsisoft states this new variant is written in JavaScript and PHP. It uses AES and RSA to encrypt a victim's files.

History of Kovter

In 2013, Kovter acted as police ransomware that sat on a user's Windows host waiting for specific types of events to happen. An example? After getting infected with Kovter, if a victim started a file-sharing application, Kovter would generate a popup message stating he or she had violated the law. Then the infected host would demand the victim pay a fine.

By 2014, we started seeing Kovter identified as click-fraud malware. Click-fraud is when a person, computer program, or automated script generates network traffic by contacting numerous websites (or the same website numerous times). This simulates people clicking a web page or online advertisement. Advertisers are paid based on how many people click on their ads. Regular websites can charge more for ads based on how many people view the site.

Shown above: Example of click-fraud traffic caused by non-Kovter malware in May 2016, filtered in Wireshark.

By 2015, Kovter started hiding in the Windows registry to avoid detection. Kovter's persistence in an infected Windows host consists of various elements. The end result? The initial executable deletes itself after infecting the Windows host, and Kovter effectively becomes a fileless infection.

Kovter hasn't changed much since I started documenting it in 2016. Post-infection traffic is remarkably similar from a sample I collected in January 2016 to the one from July 2017 discussed in this diary. I see a lot of post-infection events for Kovter command and control traffic. But I

Shown above: Kovter post-infection traffic from July 2017 filtered in Wireshark.

Kovter/NemucodAES malspam from July 2017

As mentioned earlier, this malspam has appeared daily during the past two weeks or so. I collected three for this diary:

  • Date/Time: Tuesday 2017-07-11 at 21:39 UTC
  • From: [email protected]
  • Subject: Status of your UPS delivery ID:008850576
  • Attachment: 008850576.zip

  • Date/Time: Wednesday 2017-07-12 at 23:26 UTC
  • From: [email protected]
  • Subject: Problems with item delivery, n.5268714
  • Attachment: UPS-Package-5268714.zip

  • Date/Time: Thursday 2017-07-13 at 07:18 UTC
  • From: [email protected]
  • Subject: UPS parcel #08192149 delivery problem
  • Attachment:

Shown above: Example of a malicious zip attachment and extracted .js file.
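The filtering the diary says most organizations already do comes down to looking inside the zip attachment for script files. The following is an added example (not code from the diary or from any vendor's filter) that opens a zip in memory, recurses into nested zips, and returns the member names a JS-in-zip policy would quarantine on; the extension list and the nesting limit are assumptions, and the sample attachment is constructed here.

```python
import io
import zipfile

# Script extensions a mail filter would flag inside an archive; this policy list is an
# assumption for the example (the diary only describes .js files).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def inspect_zip_attachment(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return the member names a JS-in-zip filter would quarantine on (empty = clean).

    Nested archives are opened recursively up to two levels (an assumed limit).
    A malformed archive is reported rather than passed through silently.
    """
    flagged: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()
                if lower.endswith(".zip") and depth < 2:
                    inner = inspect_zip_attachment(zf.read(info), depth + 1)
                    flagged.extend(f"{name}/{n}" for n in inner)
                elif lower.endswith(SCRIPT_EXTS):
                    # Also catches double extensions such as "tracking.pdf.js".
                    flagged.append(name)
    except zipfile.BadZipFile:
        flagged.append("<malformed zip>")
    return flagged


def build_sample_zip(member_name: str, body: bytes) -> bytes:
    """Construct an in-memory zip with one member (test input, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the campaign's attachment: UPS-Package-5268714.zip
    # (name from the diary) wrapping a single JavaScript file (member name assumed).
    sample = build_sample_zip("UPS-Package-5268714.js", b"var x = 1;")
    print("UPS-Package-5268714.zip ->", inspect_zip_attachment(sample))
```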

Infection traffic

Network traffic was typical for an infection by one of the .js files. We first see HTTP requests for the NemucodAES JavaScript, followed by requests for various executables. Then we see the post-infection Kovter traffic. NemucodAES doesn

Shown above: Using Sguil, but we can escalate the Kovter alerts and review them individually.

The infected Windows host

The infected Windows host opened a notification with the decryption instructions. Encrypted files retained their original file names (no added file extensions as we often see with other ransomware). And I found artifacts in the user's AppData\Local and AppData\Local\Temp directories. Some of these files are not inherently malicious. A legitimate PHP executable and DLL file were found in user

Shown above: Artifacts from the user

Shown above: Artifacts from a folder in the user's AppData\Local directory.

Indicators of Compromise (IOCs)

The following IOCs are associated with the emails and infection on Thursday 2017-07-13:

Attached zip archives:

Extracted .js files:

Kovter executable (deletes itself after infection):

Domains used in the .js files and NemucodAES decryption instructions:


Kovter post-infection traffic:

• 24.96.108.157 port 80 – 24.96.108.157 – POST /
• 61.134.39.188 port 80 – 61.134.39.188 – POST /
• 133.30.115.97 port 80 – 133.30.115.97 – POST /
• 135.175.22.211 port 80 – 135.175.22.211 – POST /
• Various IPs over port 80, 443, and 8080 – Encrypted traffic
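The two traffic patterns above (GET /counter followed by a long string, repeated across several domains by the .js downloader, and Kovter's POST / to hosts addressed by bare IP) translate directly into detection logic. This added example, not code from the diary, runs those two rules over constructed proxy-log lines in a "time src method host uri" format; the 20-character minimum, the character class, the three-domain threshold and the sample hosts are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# GET /counter followed by a long opaque string, as in the diary's .js download
# requests; the 20-character minimum and the character class are assumptions.
COUNTER_RE = re.compile(r"^/counter/?[A-Za-z0-9_\-=%]{20,}$")

def is_ip_literal(host: str) -> bool:
    """True when the HTTP Host is a bare IP (Kovter POSTs to raw IPs, not names)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False

def detect(lines: list[str], min_domains: int = 3) -> dict[str, list[str]]:
    """Map each source IP to its alerts, given "time src method host uri" lines.
    nemucod-js-download fires only when one source hits the /counter pattern on
    several distinct domains (the downloader walking its list); kovter-c2-post
    fires on every POST / whose Host is an IP literal."""
    counter_hosts: dict[str, set[str]] = defaultdict(set)
    alerts: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of crashing the pipeline
        _ts, src, method, host, uri = parts
        if method == "GET" and COUNTER_RE.match(uri):
            counter_hosts[src].add(host)
        elif method == "POST" and uri == "/" and is_ip_literal(host):
            alerts[src].append(f"kovter-c2-post host={host}")
    for src, hosts in counter_hosts.items():
        if len(hosts) >= min_domains:
            alerts[src].append(f"nemucod-js-download domains={len(hosts)}")
    return {src: sorted(a) for src, a in alerts.items()}

# Constructed log lines (not the diary's pcap); hosts are documentation values.
LONG = "aGVsbG8" * 6  # 42-character stand-in for the long string after /counter
SAMPLE_LOG = [
    f"2017-07-13T07:20:01 10.0.0.5 GET shop.example.net /counter/{LONG}",
    f"2017-07-13T07:20:02 10.0.0.5 GET dental.example.org /counter/{LONG}",
    f"2017-07-13T07:20:03 10.0.0.5 GET media.example.com /counter/{LONG}",
    "2017-07-13T07:21:10 10.0.0.5 POST 192.0.2.10 /",
    "2017-07-13T07:21:12 10.0.0.5 POST 198.51.100.7 /",
    "2017-07-13T07:22:00 10.0.0.9 GET www.example.com /counter/",
    "2017-07-13T07:22:05 10.0.0.9 POST api.example.com /",
]
```

Running `detect(SAMPLE_LOG)` reports 10.0.0.5 with two Kovter C2 POSTs and one multi-domain /counter alert, while 10.0.0.9 produces nothing because its single short /counter request and its POST to a named host do not meet the rules.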

Final words

Traffic and artifacts from this infection can be found here.

As mentioned earlier, with proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected. But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve.

Has one of these messages hit your inbox? If so, please share your story in the comments section.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.