ESET researchers spotted new campaign that spreads backdoor instead of ransomware

Next story

Nemucod, the most active Trojan Downloader in 2016 is back with a new campaign. Instead of serving its victims ransomware, it delivers a backdoor detected by ESET as Win32/Kovter.

Nemucod was used in several large campaigns in 2016, having reached a 24% share on global malware detections on March 30, 2016. Local attacks in particular countries saw a prevalence level far above 50% throughout 2016. In the past, Nemucod payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. In the most recent campaign detected by ESET's systems, Nemucod's payload is an ad-clicking backdoor named Kovter.

As a backdoor, this Trojan allows the attacker to control machines remotely without the victim's consent or knowledge. The variant analyzed by ESET researchers has been enhanced by ad-clicking capability delivered via an embedded browser. The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change, according to commands from the attacker but can also alter them automatically since Kovter monitors the computers' performance level. If the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.

As is standard with Nemucod, the current version delivering Kovter spreads as an email ZIP attachment pretending to be an invoice and containing an infected executable JavaScript file. If the user falls for the trap and runs the Nemucod-infected file, it downloads Kovter into the machine and executes it.

In connection with Nemucod, ESET security experts recommend sticking with the general rules for internet security and also the following the specific advice:

  • If your e-mail client or server offers attachment blocking by extension, you may want to block emails sent with .EXE, *.BAT, *.CMD, *.SCR and *.JS. files attached
  • Make sure your operating system displays file extensions. This helps to identify the true type of a file in case of dual extension spoofing (e.g. “INVOICE.PDF.EXE” does not get displayed as “INVOICE.PDF”).
  • If you frequently and legitimately receive this type of files, check who the sender is and if there is anything suspicious, scan the message and its attachments with reliable security solution.

Read more on Nemucod in the blogpost on ESET’s blog,


About ESET

Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses andconsumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit or follow us on LinkedInFacebook and Twitter.

1ESET has the lowest false positive track record of any vendor, according to AV-TEST and AV-Comparatives.
2Windows, Mac, Linux, Android, iOS, IBM Domino, Kerio, FreeBSD, Exchange, SharePoint Server, VMware vShield
3ESET supports 30+ languages in its software solutions, and provides support in more than 50 languages via local teams in dozens of countries around the world.