by RSS Roland Dela Paz  |  Mar 16, 2016  |  Filed in: Security Research

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs. Most recently, Nemucod has been known to download TeslaCrypt ransomware variants.

However, the last few weeks saw a shift in Nemucod variants--it now has a code to drop ransomware from its body. The sample arrives via a typical Nemucod spam with encrypted JavaScript attachment. 

Upon decrypting the JavaScript, we can see that it attempts to download a file on the user’s temporary directory from compromised websites. The downloaded file is an executable file that is later on used to encrypt the user's files:

If the download is successful, it then drops the ransomware note as text file:

It then proceeds to drop and run a batch file that will encrypt files of certain file types on available drives and complete its system installation:

The target file types are appended with the “.crypted” extension. It calls the initially downloaded executable file and feeds each target file found as the parameter in order to encrypt the file. Once the encryption is done, it proceeds with displaying the ransomware text:

Finally, it proceeds with its normal routine which is to download and execute additional malware to the system, thus an infected user instantly gets two infections:

The Good

The good news, at least as of this writing, is that it does not really use RSA-1024. In fact, it only encrypts the first 2048 bytes of each file with XOR encryption using a pre-defined 255 long key embedded in the downloaded executable component. The following is an opcode from the exe file:

 

The Bad


While the ransomware implementation is rather simple, it is still able to successfully encrypt files. The bigger question we face, however, is if the Nemucod actors, who has been around (and arguably successful) for a while now, are now jumping into the ransomware business as well? The only clue we have right now is that the ransomware code is directly written in the JavaScript body, but time will tell whether this is the case.

It is also important to note that the dropped ransomware has some resemblance with KeyBTC ransomware but with a simpler implementation. Whether there is a direct relationship between KeyBTC and Nemucod actors or the Nemucod actors simply copied KeyBTC's simplistic approach is something we are unable to confirm for now.

The Funny

As mentioned above, the malware uses XOR encryption which is a symmetric algorithm. This means that the ransom message's claim that they are the only ones who can help you is false. You can do the following to help yourself if you are infected:

  • The encrypted files can be decrypted as long as you have the XOR key that is embedded in the executable component.
  • You can restore your PC using system restore.
  • You can restore your files via Volume Shadow Copies.

Fortinet detects the Nemucod malware family as JS/Nemucod variants.

-= FortiGuard Lion Team =-

Indicators of Compromise

Related hashes:
54FBF82E339A37745ADD19C7252B42F0
0E2A4B02097CCC30B2A6F173507FA52A

Added files:
%AppData%\Desktop\DECRYPT.txt
%UserProfile%\Desktop\DECRYPT.txt
"%User Temp%\{random}.txt"
{filename}.crypted

Added registries:
HKEY_CLASSES_ROOT\.crypted 

HKEY_CLASSES_ROOT\.crypted
Crypted = ""

HKEY_CLASSES_ROOT\Crypted 

HKEY_CLASSES_ROOT\Crypted\shell\open\command 
notepad.exe = "%User Temp%\{random}.txt"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Crypted = "%User Temp%\{random}.txt"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crypted 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crypted
"Crypted" = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Crypted 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Crypted\shell\open\command
notepad.exe = "%User Temp%\{random}.txt"

 

by RSS Roland Dela Paz  |  Mar 16, 2016  |  Filed in: Security Research