2017-07-19

Two types of malware, NemucodAES and Kovter, have been bundled together by hackers in email attachments and sent to victims via a spam campaign, according to a security researcher.

Brad Duncan, writing on the SANS ISC InfoSec Forums blog, said that over the last two weeks he had noticed a significant increase in malicious spam (malspam) with attached zip archives disguised as delivery notices from the United Parcel Service (UPS). These zip archives contain JavaScript files designed to download and install NemucodAES ransomware and Kovter malware on a victim's Windows computer.

He said that while malspam with zip archives containing JavaScript files is easy for most organisations to detect, an ongoing concern here is that the Nemucod ransomware currently pushed by this malspam is a new variant called NemucodAES. This new variant is written in JavaScript and PHP and uses AES and RSA to encrypt a victim's files.

“Kovter is an older malware, but it's also an ongoing concern. Together, these two pieces of malware could deliver a nasty punch,” he said.

In the latest campaign, when the zip file is opened, a JavaScript file is extracted.

“Network traffic was typical for an infection by one of the .js files. We first see HTTP requests for the NemucodAES JavaScript, followed by requests for various executables. Then we see the post-infection Kovter traffic. NemucodAES doesn't generate any traffic on its own,” said Duncan.

He added that the infected Windows host opened a notification with the decryption instructions. Encrypted files retained their original file names (no added file extensions, as is often seen with other ransomware).

Duncan said he found artifacts in the user's AppData\Local and AppData\Local\Temp directories.

“Some of these files are not inherently malicious. A legitimate PHP executable and DLL file were found in the user's AppData\Local\Temp directory, along with the NemucodAES decryption instructions (an .hta file) and a Windows desktop background for the ransomware (a .bmp file),” said Duncan.

The ransom note demands 0.63778 Bitcoins in order to release the files. Duncan said that he saw a “lot of post-infection events for Kovter command and control traffic. But I'm not certain click-fraud is involved anymore.”

Duncan said that with proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected.
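As an added illustration of the attachment filtering described above (example code written for this article, not Duncan's or SANS ISC's tooling), the following inspects a zip attachment in memory and flags any script member, walking nested zips as well. The sample archive is constructed inline with a harmless placeholder file; the .jse and .wsf extensions are an assumed extension of the .js indicator the campaign used.

```python
import io
import zipfile

# Script extensions to block inside attachments. The campaign above used .js;
# .jse and .wsf are assumed additions, not indicators from the report.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf"}


def find_script_members(zip_bytes, depth=0, max_depth=2):
    """Return names of script members in a zip attachment.

    Nested zip archives are walked up to max_depth levels. An archive that
    cannot be parsed is reported as a finding so the filter fails closed.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    flagged = []
    for info in archive.infolist():
        name = info.filename
        lower = name.lower()
        # endswith() also catches double extensions such as notice.pdf.js
        if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            flagged.append(name)
        elif lower.endswith(".zip") and depth < max_depth:
            inner = archive.read(info)
            flagged.extend(f"{name}/{m}"
                           for m in find_script_members(inner, depth + 1, max_depth))
    return flagged


def should_block(zip_bytes):
    """True when the attachment contains (or hides) a script member."""
    return len(find_script_members(zip_bytes)) > 0


def build_sample_attachment(member_name="UPS-Delivery-Notice.js"):
    """Constructed sample resembling the fake UPS delivery notice; the member
    is a harmless placeholder, not the campaign's downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder content, not malicious\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(find_script_members(sample))  # ['UPS-Delivery-Notice.js']
    print(should_block(sample))         # True
```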

“But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve,” he warned.

This article originally appeared at scmagazineuk.com