Nemucod Malware Evolves, Becomes a Convoluted Mess
June 17, 2016
Shah Sheikh

The Nemucod malware has suffered some modifications over the past months that have made it much harder to detect while it’s performing its malicious activity.

Nemucod is the name of a trojan discovered in March 2015 that falls into the category of malware downloaders.

Nemucod’s sole purpose is to stay as lightweight as possible, attract little attention, infect computers, and then download another, more potent piece of malware.

Nemucod used as an intermediary for more potent threats

Malware like Nemucod is everywhere, and you rarely see complex malware such as backdoor trojans, banking trojans, or ransomware infect a computer directly anymore.

Until recent months, Nemucod’s mode of operation was as simple as that of its brethren: a user would open a malicious file, the computer would get infected with Nemucod, and Nemucod would access a URL, download the payload, and execute it directly.

Security researchers from ESET say that because most antivirus companies have caught on to how most malware downloaders work these days, Nemucod’s authors decided that it was time for a facelift.

Nemucod now features a seven-step mode of operation

In more recent versions, the malware uses a seven-step procedure to download the final payload, be it Cerber, Locky, or something else.

In the first step, Nemucod selects a method through which to connect to its C&C servers, which host the second-stage, more potent malware. Previously, Nemucod used a single method to connect online. Now it uses several, so if the first method is blocked by a firewall, it still has other avenues to reach its download locations.

In the second step, Nemucod selects one random download site from a list of hardcoded URLs. Previously, Nemucod shipped with a single download URL; if that URL failed or authorities took it down, every Nemucod instance was rendered useless.

Obfuscation is the word of the day with Nemucod’s authors

In the third step, Nemucod downloads the payload, which is now obfuscated rather than a plain EXE file. The malware then moves on to deobfuscate it.

Step four is a second deobfuscation round. Step five is a validity check of the downloaded file. If the check fails, the malware goes back to step two and selects another download location.

Step six is a third deobfuscation round. Step seven is the final execution stage, which also features a twist. In previous versions, Nemucod executed the file directly. Now Nemucod writes a .bat file and executes it; the .bat file in turn contains the instructions that start the second-stage malware payload.
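The final step above, a .bat file bridging the downloader and the payload, leaves a recognisable parent-child process chain that a defender can look for in process-creation telemetry. The following is an added detection example, not code from the article or from ESET; it assumes Sysmon-style process-creation records (constructed here) and assumes the downloader runs under a Windows script host, which the article does not state.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed, Sysmon-style fields)."""
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # full command line

# Hosts under which a script-based downloader is assumed to run (assumption:
# the article does not say what kind of file Nemucod is).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
BAT_RE = re.compile(r"\.bat\b", re.IGNORECASE)

def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_bat_launch_chains(events):
    """Return (script_host, bat_cmdline, payload_image) for every process whose
    parent is cmd.exe running a .bat file and whose grandparent is a script host."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or _basename(parent.image) != "cmd.exe":
            continue
        if not BAT_RE.search(parent.cmdline):
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or _basename(grand.image) not in SCRIPT_HOSTS:
            continue
        if _basename(child.image) in {"cmd.exe", "conhost.exe"}:
            continue  # cmd's own helpers, not the launched payload
        hits.append((grand.image, parent.cmdline, child.image))
    return hits

# Constructed sample: one suspicious chain plus a benign build script run from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    ProcEvent(310, 300, r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\a1b2c3.exe", "a1b2c3.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c build.bat"),
    ProcEvent(600, 500, r"C:\Tools\cl.exe", "cl.exe /nologo main.c"),
]

if __name__ == "__main__":
    for host, bat, payload in find_bat_launch_chains(SAMPLE_EVENTS):
        print(f"ALERT: {host} -> {bat} -> {payload}")
```

Only the wscript.exe -> cmd.exe (.bat) -> Temp executable chain is reported; the build.bat run from Explorer is ignored because its grandparent is not a script host.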

“As you can see, the authors of Nemucod have been busy improving their downloader to increase the probability that it can run its malicious payload undetected,” ESET researchers conclude. “With all these new features, one can even speculate that they are working hard to improve their success rate in corporate environments, where proxy servers and UTM gateways may have been blocking their payloads in the past.”

Source | SoftPedia