Two malware families, NemucodAES and Kovter, are being packaged together in .zip attachments and delivered via active spam campaigns. Researcher Brad Duncan said, “together these two pieces of malware could deliver a nasty punch.”
NemucodAES is a variant of the Nemucod Trojan downloader, best known for being used in a wave of 2016 campaigns distributing Locky and TeslaCrypt ransomware. “By March 2016, we started seeing reports of ‘Nemucod ransomware’ that stopped downloading ransomware binaries in favor of using its own script-based ransomware component,” Duncan wrote in a SANS Institute Internet Storm Center posted Friday.
That variant is now being called NemucodAES. Since being identified, a decryptor exists to neutralize the ransomware threat.
Kovter click-fraud is malware known for being tricky to detect and hard to remove because of its fileless design after infection, according to Microsoft. Not only can it perpetrate click-fraud, but can also steal personal information, download additional malware, or give a hacker access to your PC.
Spam campaigns deliver the malicious .zip archives disguised as notices from the United Parcel Service. Attacks were first reported last month by U.K. security firm My Online Security and have been consistent since then, Duncan said.
This is not the first time Kovter has been bundled with ransomware. In February, researchers at Microsoft’s Malware Protection Center spotted malicious email campaigns using .lnk attachments to spread Locky ransomware and Kovter. An .lnk file is a shortcut that points to an executable file.
Files encrypted by NemucodAES retain their original file names. Delivered to the victim’s PC in their “AppData\Local\Temp” directory are the NemucodAES decryption instructions (via an .hta file) and the Windows desktop background (a .bmp file) used for the ransomware note. According that message, attackers are asking for approximately $1,500 in Bitcoin and are using an encryption that combines the RSA-2048 and AES-128 algorithms.
As for the Kovter component of the attack, Duncan said it’s unclear what its purpose is for now. “I see a lot of post-infection events for Kovter command and control traffic. But I’m not certain click-fraud is involved any more,” he said. Kovter actions appear limited to checking traffic and generating command-and-control traffic, but not typical click-fraud traffic associated with the malware.