Nemucod, the Trojan that hit Ireland hardest in 2016, is back with a new campaign. Instead of serving its victims ransomware, it delivers an ad-clicking backdoor Trojan, detected by ESET as Win32/Kovter, and is spread via email as a fake invoice.
Nemucod was used in several large campaigns in 2016, having reached a 24% share of global malware detections on March 30, 2016. Local attacks in particular countries saw a prevalence level far above 50% throughout 2016. In the past, Nemucod payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. In the most recent campaign detected by ESET’s systems, Nemucod’s payload is an ad-clicking backdoor named Kovter.
As a backdoor, this Trojan allows the attacker to control machines remotely without the victim’s consent or knowledge. The variant analysed by ESET researchers has been enhanced with ad-clicking capability delivered via an embedded browser. The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change according to commands from the attacker, but Kovter can also adjust it automatically, since it monitors the computer’s performance level. If the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.
As is standard with Nemucod, the current version delivering Kovter spreads as an email ZIP attachment pretending to be an invoice and containing an infected, executable JavaScript file. If the user falls for the trap and runs the Nemucod-infected file, it downloads Kovter onto the machine and executes it.
ESET security experts recommend sticking with general rules for internet security but also following the specific advice:
- If your e-mail client or server offers attachment blocking by extension, you may want to block emails with *.EXE, *.BAT, *.CMD, *.SCR and *.JS files attached.
- Make sure your operating system displays file extensions. This helps to identify the true type of a file in case of dual extension spoofing (e.g. “INVOICE.PDF.EXE” does not get displayed as “INVOICE.PDF”).
- If you frequently and legitimately receive these files, check who the sender is and if there is anything suspicious, scan the message and its attachments with your security solution. ESET products will detect it as Win32/Kovter.
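As an added illustration of the two checks above (blocking by extension and spotting dual-extension spoofing inside a fake-invoice ZIP), here is example code that is not from ESET or the original post; the decoy-extension list, the function names and the constructed sample archive are assumptions for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the advice above recommends blocking at the mail gateway.
BLOCKED_EXTS = {".exe", ".bat", ".cmd", ".scr", ".js"}
# Document extensions typically used as the decoy inner suffix (assumption).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def check_name(name: str) -> list[str]:
    """Return findings for one file name (empty list = nothing suspicious)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    findings = []
    if suffixes and suffixes[-1] in BLOCKED_EXTS:
        findings.append(f"blocked extension {suffixes[-1]}: {name}")
    # Dual-extension spoofing: a decoy document suffix right before an executable
    # one, e.g. INVOICE.PDF.EXE, which shows as INVOICE.PDF when extensions are hidden.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and suffixes[-1] in BLOCKED_EXTS:
        findings.append(f"dual-extension spoofing: {name}")
    return findings


def inspect_attachment(name: str, data: bytes) -> list[str]:
    """Check an attachment by name; if it is a ZIP, also check every member inside."""
    findings = check_name(name)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):
                    continue  # directory entry, nothing to check
                findings += [f"inside {name}: {f}" for f in check_name(member)]
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a fake-invoice archive shaped like the one described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2017.js", "// constructed stand-in, not real malware\n")
        zf.writestr("INVOICE.PDF.EXE", b"MZ constructed placeholder")
        zf.writestr("readme.txt", "harmless text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment("invoice.zip", build_sample_zip()):
        print(finding)
```

Running the block prints three findings for the constructed archive: the blocked .js member, the blocked .exe member, and the dual-extension spoof on INVOICE.PDF.EXE.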
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.