Two malware families, NemucodAES and Kovter, are being packaged together in .zip attachments and delivered via active spam campaigns. Researcher Brad Duncan said, “together these two pieces of malware could deliver a nasty punch.”
Duncan, a handler at the SANS Institute Internet Storm Center, said that during the past two weeks he has noticed a significant increase in malicious spam delivering .zip archives with JavaScript files designed to download and install NemucodAES ransomware and Kovter click-fraud malware on a victim’s Windows PC.
NemucodAES is a variant of the Nemucod Trojan downloader, best known for being used in a wave of 2016 campaigns distributing Locky and TeslaCrypt ransomware. “By March 2016, we started seeing reports of ‘Nemucod ransomware’ that stopped downloading ransomware binaries in favor of using its own script-based ransomware component,” Duncan wrote in a SANS Institute Internet Storm Center posted Friday.
That variant is now being called NemucodAES. Since being identified, a decryptor exists to neutralize the ransomware threat.
Kovter click-fraud is malware known for being tricky to detect and hard to remove because of its fileless design after infection, according to Microsoft. Not only can it perpetrate click-fraud, but can also steal personal information, download additional malware, or give a hacker access to your PC.
Spam campaigns deliver the malicious .zip archives disguised as notices from the United Parcel Service. Attacks were first reported last month by U.K. security firm My Online Security and have been consistent since then, Duncan said.
“Malspam with Zip archives containing JavaScript files are easy for most organizations to detect… But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve,” Duncan wrote.
This is not the first time Kovter has been bundled with ransomware. In February, researchers at Microsoft’s Malware Protection Center spotted malicious email campaigns using .lnk attachments to spread Locky ransomware and Kovter. An .lnk file is a shortcut that points to an executable file.
In this most recent NemucodAES and Kovter campaign, when malicious .zip archives are unpacked, a JavaScript file is extracted.
“Network traffic was typical for an infection by one of the .js files. We first see HTTP requests for the NemucodAES JavaScript, followed by requests for various executables. Then we see the post-infection Kovter traffic. NemucodAES doesn’t generate any traffic on its own,” according the research report.
Files encrypted by NemucodAES retain their original file names. Delivered to the victim’s PC in their “AppData\Local\Temp” directory are the NemucodAES decryption instructions (via an .hta file) and the Windows desktop background (a .bmp file) used for the ransomware note. According that message, attackers are asking for approximately $1,500 in Bitcoin and are using an encryption that combines the RSA-2048 and AES-128 algorithms.
As for the Kovter component of the attack, Duncan said it’s unclear what its purpose is for now. “I see a lot of post-infection events for Kovter command and control traffic. But I’m not certain click-fraud is involved any more,” he said. Kovter actions appear limited to checking traffic and generating command-and-control traffic, but not typical click-fraud traffic associated with the malware.
Some of the domains used in the JavaScript files include: it.support4u[.]pl, anahata2011[.]ru, shiashop[.]com and ionios-sa[.]gr. Kovter post-infection encrypted traffic includes various IPs over port 80, 443 and 8080 and include: 24[.]96[.]108[.]157, 61[.]134[.]39[.]188 and 135[.]175[.]22[.]211.