Malware Mystery: JS/Nemucod Downloads Legitimate Installer

By Elodie Grandjean on May 20, 2016

JS/Nemucod is the detection name given to a family of malicious JavaScript downloaders that have appeared in spam campaigns since last year. They usually arrive as an email attachment, embedded in a ZIP archive, and pretend to be an invoice, a delivery notice, a resume, anything that may seem harmless and can be used as a social engineering trick.

Once JS/Nemucod executes, it silently downloads additional malware to the %TEMP% folder of the victim’s machine and then runs it without the user’s consent.

The downloaded payloads vary depending on the bad guys’ choice of the moment. JS/Nemucod has spread Tescrypt, Fareit, Kovter, Miuref, Dridex, Locky, and Gamarue, to name several.

In the last couple of days, we received several JS/Nemucod samples that we detect as JS/Nemucod.hb. This detection is for a variant that uses two layers of basic obfuscation, as pictured below:

Figure 1 - Excerpt of one JS/Nemucod.hb sample.

This malicious sample (MD5 = 4B7207D5AB0DF9D6B0C650EBA0E18EE0) starts with a very long obfuscated string containing the malicious code, followed by a part of code used for the deobfuscation of the first layer, and then some junk.

Once the first layer is removed, the malicious parts of code become more visible, yet they are still obfuscated:

Figure 2 - The same sample without the first layer of obfuscation.

This is the same sample, now fully deobfuscated:

Figure 3 - JS/Nemucod.hb fully deobfuscated.

This sample attempts to download a file from one of three URLs (if the first download fails, it tries the second one, and so on), saves it in the %TEMP% folder under a filename made of five digits followed by the extension .exe, and then silently runs it. The files hosted on these three compromised websites are identical Locky malware with the same MD5 signature (7905f35038e44c285a10cdefda496d7a).
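The behaviour just described gives a defender a concrete host-level signature: a Windows script host (wscript.exe or cscript.exe) writing and then launching %TEMP%\<five digits>.exe. The following is an added example, not McAfee’s code, that runs this check over a few constructed process-creation and file-creation events written in a simplified key=value form (an assumption; real Sysmon or EDR output would need its own parser).

```python
import re

# Constructed sample events (not real telemetry). EventID 1 = process creation,
# EventID 11 = file creation, mirroring Sysmon's numbering.
SAMPLE_EVENTS = [
    'EventID=11 Image=C:\\Windows\\System32\\wscript.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\48213.exe',
    'EventID=1 ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Users\\bob\\AppData\\Local\\Temp\\48213.exe CommandLine="C:\\Users\\bob\\AppData\\Local\\Temp\\48213.exe"',
    'EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\notepad.exe CommandLine=notepad.exe',
    'EventID=1 ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Users\\bob\\AppData\\Local\\Temp\\report_final.exe CommandLine=report_final.exe',
]

# %TEMP% for a user profile, followed by exactly five digits and ".exe" at the end of the path.
TEMP_FIVE_DIGIT_EXE = re.compile(r'\\AppData\\Local\\Temp\\[0-9]{5}\.exe$', re.IGNORECASE)
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def basename(path):
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def is_nemucod_like(event):
    """True when a script host writes or launches %TEMP%\\<five digits>.exe."""
    event_id = event.get('EventID')
    if event_id == '1':
        parent = basename(event.get('ParentImage', ''))
        return parent in SCRIPT_HOSTS and bool(TEMP_FIVE_DIGIT_EXE.search(event.get('Image', '')))
    if event_id == '11':
        writer = basename(event.get('Image', ''))
        return writer in SCRIPT_HOSTS and bool(TEMP_FIVE_DIGIT_EXE.search(event.get('TargetFilename', '')))
    return False


def find_suspicious(lines):
    """Return the parsed events that match the JS/Nemucod drop-and-run pattern."""
    return [event for event in map(parse_event, lines) if is_nemucod_like(event)]


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_EVENTS):
        print('suspicious:', hit)
```

The five-digit name is a weak indicator on its own; the script-host parent is what makes the match worth alerting on, and a real deployment would correlate the file-creation and process-creation events by path.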

Nothing surprising so far. However, while analyzing a few more samples from this JS/Nemucod variant, we deobfuscated one that contains a single URL, repeated three times, pointing to a legitimate, non-infected Notepad++ installer hosted on the official Notepad++ website (MD5 = 3BB72C72B73583C72EAB326D8BDB83E6, a legitimate file). Instead of a malicious sample, it downloads a legitimate file:

Figure 4 - JS/Nemucod.hb downloading a Notepad++ file.

Why would JS/Nemucod download a legitimate Notepad++ installer? That’s the question we asked ourselves.

After some investigations, we managed to collect six samples detected as JS/Nemucod.hb and containing the URL linking to the Notepad++ installer.

Here are their MD5 signatures:

  • 68cffdb643c25fe8f3fd6c79c4423558
  • 36ef4cbee8945b69fa04cb7e9e3f2657
  • 15db97414972ca19a88147764bedaa81
  • eca759dcabec66377ec21fa62d92709e
  • 754d333f8c06085ebb3e32701a5be584
  • 037b04cc520ddb37bbfa1e535e39339a

We tracked down where these samples came from. It seems that all were first submitted to VirusTotal:

Figure - VirusTotal submission records for the six samples.

They had more in common. All were submitted:

  • Via Tor, the anonymizing network that makes it hard to trace its communications. Tor is used to remain anonymous, though not necessarily for bad intent.
  • In a short time (about 15 minutes).
  • In JavaScript format (not embedded in a ZIP archive).
  • Only once to VirusTotal.
  • With a filename similar to inv_[random string].js, although each filename was unique: inv_kuxxp4vx2e2.js, inv_zx4ft4opwer.js, inv_j1xcvzy3w2h.js, inv_wpmv1slbrvj.js, inv_lnm4ckkexbz.js, and inv_bpcb1t3n2v4.js.

The fact that these six samples were submitted to VirusTotal only once and in JavaScript format (without a ZIP container) suggests that they were neither found in the wild nor spammed.

Moreover, all were submitted in a very short period and via Tor. Could it be that these samples were submitted to VirusTotal by the bad guys themselves? That’s one hypothesis. If that’s the case, for what reason? To confuse the issue? For testing?

We compared each sample (especially the parts used to deobfuscate the script) with the others:

Sample 1: 68cffdb643c25fe8f3fd6c79c4423558

Figure - Deobfuscation code of sample 1.

Sample 2: 36ef4cbee8945b69fa04cb7e9e3f2657 (submitted to VirusTotal about two minutes later)

Figure - Deobfuscation code of sample 2.

Except for the different variable names and the junk variables (which are randomly generated for each malware sample), we see no differences. We can confirm that both samples were created with the same generator.

Sample 3: 15db97414972ca19a88147764bedaa81 (submitted to VirusTotal about five minutes later)

Figure - Deobfuscation code of sample 3.

The string “length” is obfuscated in a slightly different way, and the deobfuscation code is duplicated at the end of the script.

Sample 4: eca759dcabec66377ec21fa62d92709e (submitted to VirusTotal about two minutes later)

Figure - Deobfuscation code of sample 4.

The variable q1 now concatenates four strings instead of six.

Sample 5: 754d333f8c06085ebb3e32701a5be584 (submitted to VirusTotal about seven minutes later)

The variable q1 again concatenates six strings.

Sample 6: 037b04cc520ddb37bbfa1e535e39339a (submitted to VirusTotal less than two minutes later)

Figure - Deobfuscation code of sample 6.

The variable q1 again concatenates four strings. Two characters (C and A) in the obfuscated string “charAt” are now uppercase. Moreover, the duplicated code that had been added at the end of the script is gone.

We have noticed that the obfuscation used in the various JS/Nemucod versions is modified daily before each spam run, in an attempt to bypass antimalware detection. However, we have never seen so many minor modifications in such a short time, so these six samples must have been submitted to VirusTotal for testing purposes, most likely by the bad guys behind JS/Nemucod.

Why did the malware developers use a real URL downloading a legitimate file for their tests when they could have used fakes?

  • Most likely to test locally whether the generated JavaScript files work, without infecting themselves: if the legitimate file is downloaded and executes on their machines, the script is viable.

Why did they download an installer instead of another (smaller) executable file?

  • Perhaps to make sure that the downloaded file will not be truncated when saved on disk.

Why did they download a Notepad++ installer rather than some other installer?

  • That will probably remain a mystery!

About the Author

Elodie Grandjean

Elodie Grandjean joined McAfee Labs in 2005 as a Virus Researcher. She is passionate about reverse engineering and enjoys doing deep technical analyses of malware and threats. When Grandjean is not in front of her computers, she likes reading books about psychology, spending time with her friends, listening to music, and attending concerts.


  1. There are stories floating around about a guy that was hacking the C2 of some malware distributors and replacing their malware with benign files.
