The Nemucod trojan, known for downloading ransomware like Locky, just stepped up its game

Jrs30 (thread author)
Feb 4, 2016
Some time ago, we detailed how the Locky ransomware infection process works. Since then, the creators of the Nemucod “downloader” (the code responsible for downloading and executing malware like Locky) have been hard at work polishing their code.

One of the latest versions of Nemucod shows some notable changes over the older versions. In the past, the process was pretty simple: “User opens malicious file → File downloads payload → payload gets executed”. In the more recent versions, however, it’s somewhat less straightforward.

Let’s have a look at what the code does in more detail. To make it more readable, this code was deobfuscated from its heavily obfuscated original format.

Step 1 – Choosing the right connection method

Earlier versions of Nemucod only used one method to connect to the internet. However, this could fail because of different infrastructure configurations (Windows version, proxy servers, etc.).

To provide greater compatibility, the authors of Nemucod created a function that tries to connect using multiple methods:

[image: Nemucod – 1.png, the deobfuscated connection-method function]

Full article: Nemucod ups its game

_CyberGhosT_
Aug 2, 2015
Ok so if I am reading that correctly, with Scripts disabled in Windows
would that not prevent, at least a portion of this from running?
Granted ReHIPS and VooDoo would do their part, but with Scripts disabled
does it have an effect on this?
Thank You Jrs30
 

SHvFl
Nov 19, 2014
> Ok so if I am reading that correctly, with Scripts disabled in Windows
> would that not prevent, at least a portion of this from running?
> Granted ReHIPS and VooDoo would do their part, but with Scripts disabled
> does it have an effect on this?
> Thank You Jrs30

Assuming you use ReHIPS and run everything unknown, or anything that could run infected stuff, isolated, then you have nothing to worry about. Even if you fail to do that, the default settings have wscript set to inspect children and alert on subprograms. So in theory you must make a mistake many times before you get infected, and if that's the case no software can help you.
If you are really worried a user of your PC will click allow on some alert he shouldn't, then run ReHIPS in isolation mode so nothing not specifically whitelisted can run.
 

_CyberGhosT_
Aug 2, 2015
Thank You SHvFl for that reply :)
My question was in regards to "disabling of Scripts" in the OS
QUOTE
Granted ReHIPS and VooDoo would do their part, but with Scripts disabled
does it have an effect on this?
END
You quoted the question, maybe not understanding my question.
I am wondering if disabling Scripts on the Windows OS will have an adverse effect
on Nemucod.
PeAcE

SHvFl
Nov 19, 2014
> Thank You SHvFl for that reply :)
> My question was in regards to "disabling of Scripts" in the OS
> QUOTE
> Granted ReHIPS and VooDoo would do their part, but with Scripts disabled
> does it have an effect on this?
> END
> You quoted the question, maybe not understanding my question.
> I am wondering if disabling Scripts on the Windows OS will have an adverse effect
> on Nemucod.
> PeAcE

Nah, I didn't misunderstand you. I just pointed out that you already have them under control. Some are useful and you can't disable them if you want your PC to work properly. You already monitor them with ReHIPS, no need to make your life harder.
Obviously up to you, just a suggestion from me.
 

hjlbx

> Thank You SHvFl for that reply :)
> My question was in regards to "disabling of Scripts" in the OS
> QUOTE
> Granted ReHIPS and VooDoo would do their part, but with Scripts disabled
> does it have an effect on this?
> END
> You quoted the question, maybe not understanding my question.
> I am wondering if disabling Scripts on the Windows OS will have an adverse effect
> on Nemucod.
> PeAcE

To disable scripts you have to either:
  • Disable the associated host process; or
  • Disable the execution of script file types.
It is safest to do both: disable the associated host process (the vulnerable process) and the file type.

Some .NET Framework objects can execute scripts, even with the associated host processes disabled. So you have to disable .NET Framework objects too.

* * * * *

IF malicious code can execute, then something bad can happen.

IF Nemucod uses JavaScript, you can't do much about it except have that code run with limited file system and registry access rights.

Don't confuse code with a script. There are a ton of different types of code. A script is a specific type of code associated and executed by a host process.
 

_CyberGhosT_
Aug 2, 2015
@SHvFl
So you're saying that the scripts that Nemucod uses are not in the class of Scripts that
most users disable?
I am not talking about myself.
I will re-word this.
The average user disables scripts within the OS to help protect it.
Does the disabling of these scripts have any impact on Nemucod?
 

hjlbx

> @SHvFl
> So you're saying that the scripts that Nemucod uses are not in the class of Scripts that
> most users disable?
> I am not talking about myself.
> I will re-word this.
> The average user disables scripts within the OS to help protect it.
> Does the disabling of these scripts have any impact on Nemucod?

You are using the term script for code. You can block the execution of all scripts, but not all code. In the article, the authors don't state the malware is delivered by a script.
 

SHvFl
Nov 19, 2014
@_CyberGhosT_ If the process is disabled, and assuming the malware can't enable it, then you are safe. But as you understand we are just theorizing, and I am 100% sure most malware will try to use the process and if it fails then nothing will happen. We are not high-value people to have targeted attacks on us.
 

hjlbx

@_CyberGhosT_

I checked it. It is a JS.TrojanDownloader. I didn't see that at first glance. Sorry... my oversight.

Best defense:

Block execution of *.js, *.wsf, *.vbs files and execution of wscript.exe and cscript.exe.

You never know when the malc0ders will change-up the script type.

* * * * *

AppGuard is the best solution in this regard. I have both wscript.exe and cscript.exe in User Space + AppGuard blocks almost all the file types used maliciously by default. Adding both to User Space adds a layer above AppGuard's blocking of *.js, *.wsf and *.vbs.

Let's say a fileless malware uses wscript.exe in-memory-only. Even though AppGuard will enforce limited file system and registry access rights to wscript.exe, I personally prefer to block execution of wscript.exe completely. Less doubt... ease-of-mind...

That all being said, COMODO, NVT ERP, VooDooShield and ReHIPS do an equivalent job - but do it differently.
 

cruelsister
Apr 13, 2013
I hope I'm not going over the top here, but the Nemucod trojan has already morphed into what I suppose can be called a "P" form. This one will also use PowerShell in addition to vbs and js scripts. I haven't been able to track a Command server yet, but it isn't the one that the sample in the article uses (Digital Ocean in NYC, which has been spewing out Locky C2's since the end of May).

The Nemucod P may be VM aware so is basically telling me to go screw myself when attempting to determine exactly what is going on.
 

DardiM
May 14, 2016
The best protection is to not let the TrojanDownloader run (not click on untrusted files :) )

But:
- At the steps objStream2.close(); and objStream.close();
=> a good antivirus / anti-malware should detect the new file modification and check it, no?

- At the step objShell.Run(batchFile);
=> a good antivirus / anti-malware should detect the start of a new file and check it, no?

So in the case where the downloader is run, a good protection against it (if it isn't recognized, or is a zero-day malware) is also to have a security tool with the option to block unknown file execution (like KTS/KIS Application Control with good parameters).

[image: Nemucod – 13.png]
Step 7 – Execution
"Now that the payload is ready, it needs to be executed. Instead of running the “.exe” file directly, the newer versions of Nemucod create a “.bat” file that starts the executable. It then executes the “.bat” file:"

[image: Nemucod – 15.png]
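As an added example (not code from the thread or the article), the process-chain check a defender could run for the behaviour DardiM points at: a script host (wscript.exe or cscript.exe) spawning cmd.exe on a .bat in a temp directory, which in turn starts an .exe. The Sysmon-like event shape, PIDs and paths are constructed for the example; hjlbx's advice above (block the script hosts and file types) is the preventive counterpart.

```python
import re
from dataclasses import dataclass

# Process-creation event in a Sysmon-like shape (constructed for this example).
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BAT_RE = re.compile(r"\S+\.bat\b", re.IGNORECASE)

def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased, so comparisons ignore directories."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_nemucod_chains(events):
    """Return (script_host_pid, bat_path, exe_path) for every chain
    script host -> cmd.exe running a .bat -> .exe started from a temp directory."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for cmd in events:
        parent = by_pid.get(cmd.ppid)
        if parent is None or image_name(parent.image) not in SCRIPT_HOSTS:
            continue
        m = BAT_RE.search(cmd.cmdline)
        if image_name(cmd.image) != "cmd.exe" or not m:
            continue
        for child in children.get(cmd.pid, []):
            if image_name(child.image).endswith(".exe") and "\\temp\\" in child.image.lower():
                hits.append((parent.pid, m.group(0), child.image))
    return hits

# Constructed sample: one Nemucod-style chain plus a benign build script run from explorer.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\a1.bat"),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\a1.exe", r"C:\Users\u\AppData\Local\Temp\a1.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\proj\build.bat"),
    ProcEvent(600, 500, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host_pid, bat, exe in find_nemucod_chains(SAMPLE_EVENTS):
        print(f"ALERT: script host pid {host_pid} -> {bat} -> {exe}")
```

Only the wscript.exe-rooted chain is reported; the build.bat run from explorer.exe is ignored because neither its parent is a script host nor does it start an .exe from a temp directory.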

jamescv7
Mar 15, 2011
With whitelisting technology, you have the power to filter out those attacks like scripts.

However, since payloads and other droppers will still occur, AV will be the secondary tool.

Kill the main infection before it spreads.
 
