Once JS/Nemucod executes, it silently downloads additional malware to the %TEMP% folder of the victim's machine and then runs it without the user's consent.
The downloaded payloads vary depending on the bad guys' choice of the moment. JS/Nemucod has spread Tescrypt, Fareit, Kovter, Miuref, Dridex, Locky, and Gamarue, to name several.
In the last couple of days, we received several JS/Nemucod samples that we detect as JS/Nemucod.hb. This detection is for a variant that uses two layers of basic obfuscation, as pictured below:
This malicious sample (MD5 = 4B7207D5AB0DF9D6B0C650EBA0E18EE0) starts with a very long obfuscated string containing the malicious code, followed by a part of code used for the deobfuscation of the first layer, and then some junk.
Once the first layer is removed, the malicious parts of code become more visible, yet they are still obfuscated:
This is the same sample, now fully deobfuscated:
This sample attempts to download a file from one of three URLs (if the first download fails, it tries the second one, and so on), saves it in the %TEMP% folder under a filename made of five digits followed by the extension .exe, and then silently runs it. The files hosted on these three compromised websites are identical Locky malware, with the same MD5 hash (7905f35038e44c285a10cdefda496d7a).
Nothing surprising so far. However, while analyzing a few more samples from this JS/Nemucod variant, we happened to deobfuscate one that contains only one URL, repeated three times. That URL points to a legitimate, non-infected Notepad++ installer stored on the official Notepad++ website (MD5 = 3BB72C72B73583C72EAB326D8BDB83E6, a legitimate file), so the script downloads a legitimate file instead of a malicious sample:
Why would JS/Nemucod download a legitimate Notepad++ installer? That’s the question we asked ourselves.
After some investigations, we managed to collect six samples detected as JS/Nemucod.hb and containing the URL linking to the Notepad++ installer.
Here are their MD5 signatures:
We tracked down where these samples came from. It seems that all were first submitted to VirusTotal:
They had more in common. All were submitted:
- Via Tor, the anonymizing network that makes it hard to trace its communications. Tor is used to remain anonymous, though not necessarily for bad intent.
- In a short time (about 15 minutes).
- Only once to VirusTotal.
- With a filename similar to inv_[random string].js, although each filename was unique: inv_kuxxp4vx2e2.js, inv_zx4ft4opwer.js, inv_j1xcvzy3w2h.js, inv_wpmv1slbrvj.js, inv_lnm4ckkexbz.js, and inv_bpcb1t3n2v4.js.
The short submission window and the use of Tor raise a question: could these samples have been submitted to VirusTotal by the bad guys themselves? That's one hypothesis. If so, for what reason? To confuse the issue? For testing?
We compared each sample (especially the parts used to deobfuscate the script) with each other:
Sample 1: 68cffdb643c25fe8f3fd6c79c4423558 (MD5)
Sample 2: 36ef4cbee8945b69fa04cb7e9e3f2657 (submitted to VirusTotal about two minutes later)
Except for the different variable names and the junk variables (which are randomly generated for each malware sample), we do not see any differences. We can confirm that both samples were created using the same generator.
Sample 3: 15db97414972ca19a88147764bedaa81 (submitted to VirusTotal about five minutes later)
The string “length” was obfuscated in a slightly different way. The part of code used for deobfuscation was duplicated at the end of the script.
Sample 4: eca759dcabec66377ec21fa62d92709e (submitted to VirusTotal about two minutes later)
The variable q1 now concatenates four strings instead of six.
Sample 5: 754d333f8c06085ebb3e32701a5be584 (submitted to VirusTotal about seven minutes later)
The variable q1 again concatenates six strings.
Sample 6: 037b04cc520ddb37bbfa1e535e39339a (submitted to VirusTotal less than two minutes later)
Variable q1 now concatenates four strings. Some characters (C and A) in the obfuscated string “charAt” are now in uppercase. Moreover, the duplicated part of code added at the end of the script was removed.
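The sample-by-sample comparison above boils down to one question: do two scripts have the same structure once the randomly generated variable names and junk variables are stripped away? The following Python script is an added example, not part of the original post and not the analysts' tooling. It tokenizes a small subset of JavaScript, drops unused `var x = <literal>;` junk assignments, renames identifiers in order of first appearance, and then measures how similar two normalized token streams are. The three embedded scripts are constructed stand-ins for the real samples, not the actual JS/Nemucod code; they only reproduce the kind of change described above (the string "length" obfuscated with a different number of concatenated pieces).

```python
import re
from difflib import SequenceMatcher

# Tokenizer for a small subset of JavaScript: string literals, numbers,
# identifiers/keywords and single-character punctuation. Anything else
# (e.g. regex literals) is outside the scope of this example.
TOKEN_RE = re.compile(r"""
    (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')   # string literal
  | (?P<num>\d+(?:\.\d+)?)                           # number
  | (?P<id>[A-Za-z_$][A-Za-z0-9_$]*)                 # identifier or keyword
  | (?P<op>[{}()\[\];,.+\-*/=<>!&|?:%])              # punctuation
  | (?P<ws>\s+)
""", re.VERBOSE)

# Keywords and literals that must never be alpha-renamed.
KEYWORDS = {"var", "function", "return", "new", "if", "else", "for", "while",
            "try", "catch", "this", "true", "false", "null", "typeof"}


def tokenize(src):
    """Return a list of (kind, text) tokens, whitespace removed."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(src)
            if m.lastgroup != "ws"]


def drop_junk_vars(toks):
    """Remove `var x = <literal>;` statements whose variable is never used
    again. This mimics the randomly generated junk variables the post
    mentions, which exist only to change the file's bytes and hash."""
    counts = {}
    for kind, text in toks:
        if kind == "id":
            counts[text] = counts.get(text, 0) + 1
    out, i = [], 0
    while i < len(toks):
        is_junk = (i + 4 < len(toks)
                   and toks[i] == ("id", "var")
                   and toks[i + 1][0] == "id"
                   and toks[i + 2] == ("op", "=")
                   and toks[i + 3][0] in ("str", "num")
                   and toks[i + 4] == ("op", ";")
                   and counts[toks[i + 1][1]] == 1)
        if is_junk:
            i += 5          # skip the whole junk statement
            continue
        out.append(toks[i])
        i += 1
    return out


def normalize(src):
    """Canonical token string: junk removed, identifiers renamed ID0, ID1, ...
    in order of first appearance. Property names after '.' are kept so that
    API usage (e.g. .length) still counts as structure."""
    names, out, prev = {}, [], None
    for kind, text in drop_junk_vars(tokenize(src)):
        if kind == "id" and text not in KEYWORDS and prev != ("op", "."):
            names.setdefault(text, "ID%d" % len(names))
            out.append(names[text])
        else:
            out.append(text)
        prev = (kind, text)
    return " ".join(out)


def similarity(a, b):
    """Ratio in [0, 1] between the normalized token streams of two scripts."""
    return SequenceMatcher(None, normalize(a).split(), normalize(b).split()).ratio()


# Constructed stand-ins for the compared samples (not the real malware code).
SAMPLE_1 = 'var zz9 = "junk1"; var q1 = "le" + "ng" + "th"; var s = "abc"; var n = s[q1];'
# Same structure as SAMPLE_1, different variable names and junk variable.
SAMPLE_2 = 'var kq4 = "other"; var b7 = "le" + "ng" + "th"; var t = "abc"; var m = t[b7];'
# "length" now built from six pieces instead of three.
SAMPLE_3 = 'var kq4 = "other"; var b7 = "l" + "e" + "n" + "g" + "t" + "h"; var t = "abc"; var m = t[b7];'

if __name__ == "__main__":
    print(normalize(SAMPLE_1))
    print("1 vs 2: %.2f" % similarity(SAMPLE_1, SAMPLE_2))
    print("1 vs 3: %.2f" % similarity(SAMPLE_1, SAMPLE_3))
```

Samples 1 and 2 normalize to the identical token string, which is the "same generator" verdict the post reaches for its first two samples; sample 3 scores below 1.0 and the diff of the two normalized strings points straight at the changed obfuscation of "length". The same normalization is a reasonable basis for clustering many incoming scripts from one spam wave, since it is insensitive to exactly the daily cosmetic changes the post describes.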
We noticed that the obfuscations used in various JS/Nemucod versions are modified daily before being spammed, in an attempt to bypass antimalware detection. However, we have never seen so many minor modifications in such a short time, so these six samples must have been submitted to VirusTotal for testing purposes, most likely by the bad guys behind JS/Nemucod.
Why did the malware developers use a real URL downloading a legitimate file for their tests when they could have used fakes?
Why did they download an installer instead of another (smaller) executable file?
- Perhaps to make sure that the downloaded file will not be truncated when saved on disk.
Why did they download a Notepad++ installer rather than some other?
- That will probably remain a mystery!