Nemucod was used in several large campaigns in 2016, having reached a 24% share on global malware detections on March 30, 2016. Local attacks in particular countries saw a prevalence level far above 50% throughout 2016. In the past, Nemucod payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. In the most recent campaign detected by ESET’s systems, Nemucod’s payload is an ad-clicking backdoor named Kovter.
As a backdoor, this Trojan allows the attacker to control machines remotely without the victim’s consent or knowledge. The variant analyzed by ESET researchers has been enhanced by ad-clicking capability delivered via an embedded browser. The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change, according to commands from the attacker but can also alter them automatically since Kovter monitors the computers’ performance level. If the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.
In connection with Nemucod, ESET security experts recommend sticking with the general rules for internet security and also the following the specific advice:
- If your e-mail client or server offers attachment blocking by extension, you may want to block emails sent with .EXE, *.BAT, *.CMD, *.SCR and *.JS. files attached.
- Make sure your operating system displays file extensions. This helps to identify the true type of a file in case of dual extension spoofing (e.g. “INVOICE.PDF.EXE” does not get displayed as “INVOICE.PDF”).
- If you frequently and legitimately receive this type of files, check who the sender is and if there is anything suspicious, scan the message and its attachments with reliable security solution.