The Most Trusty Attack Vector

Shady random strangers on the internet often have an uncanny ability to make you believe that you should have expected to hear from them. You may be savvy enough to brush off the ‘Nigerian Prince in Distress’ and the ‘Thousands of Hot Singles in Your Area Waiting to Meet You’ – but what about your invitation to stand trial or the outstanding fine that you owe? Do you brush those off with the same knowing smirk, or is there an opening there that could catch you off-guard?

If your honest answer contains a little bit of column B, you are not alone. Social engineering attacks enjoy a natural advantage against most kinds of security mechanisms. It must have taken hours of a software developer’s time to arrange for Microsoft Office to block macros by default; it takes all of ten seconds for an attacker to write “to view document correctly, please enable macros”, and for the unwitting victim to oblige. Malware distributors know this and, when pressed for something to give their campaign some extra oomph, will gleefully reach for the grab-bag of known vulnerabilities in human behavior.

A few weeks ago, a lone user of one of the many sub-communities of the online community Reddit posted a question to fellow forum-goers. A friend had received an email message with the text: “This is to confirm that one or more of your parcels has been shipped. You can review complete details of your order in the file attached.” The attachment was an archive containing an innocuous-seeming file named order.doc.js.

The friend, wisely, did not open this attachment. Maybe she knew that Windows will treat this file as a script file, and a file with a “.doc.js” double extension is a huge red flag. Maybe the nondescript nature of the email body, which conveniently did not include any meaningful personal details, aroused her suspicion. Either way, she made the right call. It stands to reason that several others who received the same email message were not so lucky.
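The red flag described above can be checked mechanically at a mail gateway. The following is an added example, not part of the original article: it lists the entries of a zip attachment and flags script files hiding behind a document-looking extension. The extension lists are illustrative assumptions and the sample archive is constructed in memory.

```python
import io
import zipfile

# Illustrative subsets (assumptions): extensions Windows will execute, and
# extensions a recipient expects to be a harmless document.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd", "scr", "exe"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}

def classify(name: str) -> str:
    """Classify one archive entry by its trailing extensions."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # strip() defeats padding such as "invoice.pdf     .js"
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension script"
    return "script"

def scan_archive(blob: bytes) -> dict:
    """Return {entry name: verdict} for every file in a zip attachment."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: classify(n) for n in zf.namelist() if not n.endswith("/")}

def sample_archive() -> bytes:
    """Constructed attachment: harmless placeholder contents only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order.doc.js", "// constructed placeholder")
        zf.writestr("readme.txt", "constructed placeholder")
        zf.writestr("docs/Invoice.PDF .JS", "// constructed placeholder")
        zf.writestr("build/app.js", "// constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, verdict in scan_archive(sample_archive()).items():
        print(f"{verdict:24} {entry}")
```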

I may be a dropper, but I minored in ransomware

Viewing the attachment in a text editor, it is apparent that it is, indeed, a blob of JavaScript that was run through some kind of obfuscator. A quick run through a de-obfuscation tool, and a subsequent read-through of the source code, reveals it as a variant of the Nemucod malware dropper.


Figure 1 – obfuscated JavaScript blob


A malware dropper’s job is pretty simple. Once it is executed, it pulls a designated instance of malware from an online server, and then executes it. Nemucod has been in the business of dropping malware since at least late 2015, and possibly earlier. Nemucod’s distribution vector has stayed constant throughout: Spam messages informing people about owed fines, failed payments, held baggage and various other mishaps that require the victims’ immediate attention. Nemucod has been known to infect victims with various kinds of malware, most notorious of which is perhaps the TeslaCrypt ransomware.

This sample contains some par-for-the-course hardcoded values, for example, several domain names for the dropper to contact and an ID that identifies the exact malware that will be downloaded to the victim’s system and executed. But this is where this instance of Nemucod diverges from previous iterations; instead of using those parameters to download the target malware and be done with it, it defines several other parameters and embarks on a rather surprising detour.


Figure 2 – hardcoded parameters


Once this iteration of Nemucod succeeds in “phoning home” to one of its hardcoded domains, it requests a certain executable file from the remote server. If the request is successful, Nemucod gleefully proceeds to write the following to a document in the victim’s temp folder, which is promptly displayed front and center:


Figure 3 – ransom note


Yes – it is the proverbial ransom note. Nemucod announces that the victim’s files have been encrypted with a strong RSA-1024 cipher, and the time has come to cough up a large amount of ransom money. No encryption, in fact, has yet taken place, but Nemucod moves swiftly to take care of this mere technicality. It writes a DOS batch file to the temporary folder (one line at a time, using WriteLine instructions – somewhere a developer is crying), and then promptly executes it.

The batch file performs what is, by now, a familiar routine with ransomware. It iterates over every mapped drive recognized by the operating system. For files with an extension matching a certain hard-coded list, Nemucod changes that extension to “crypted” and encrypts the file. Encryption is performed by running the executable pulled earlier from the malicious server with the file name as a parameter.


Figure 4 – dropped batch command to rename and encrypt target files


At this point, we are tempted to take a peek at this executable’s disassembly. This is, after all, where the magic happens, and strong RSA-1024 encryption turns the victim’s once-readable files into indecipherable, irrecoverable gibberish.

Cryptography is hard, let’s go shopping

To recap, Nemucod has mutated to perform a ransomware routine in addition to its usual dropping capabilities – and the ransom note is displayed before any actual encryption has taken place. This results in a TOGTOC (Time of Gloat to Time of Crypt) bug. The download of the executable used for encryption may go through, but it later may be wiped by a vigilant AV engine or fall victim to any number of other accidents. This is not a purely theoretical possibility – actual victims have reported, erroneously, that “this ransomware only changes your file extensions, and you can reverse its operation by changing the extensions back”. That outcome is, in fact, a specific pathology, which occurs only in the scenario described above. Lacking the file, the “rename” commands in the batch file go through, but the “encrypt” commands fail.


Figure 5 – encryption routine. Can you spot the RSA-1024 logic?


But suppose that the TOGTOC bug does not come into play, and the script goes off without a hitch. To understand what happens to the victim’s files, we take a deeper look at the encryption file disassembly.

The first thing we notice is that compared to malware with a similar function, it is drastically smaller. That’s not a coincidence. The encryption delivered here is not quite as strong as promised in the ransom note.

To begin with, only the first 2048 bytes (2KB) of the victim file are encrypted; if a victim file is larger than that, encryption is aborted and Nemucod moves on to the next file. Second, and more significantly, this is not RSA-1024, but rather a simple XOR-cipher with a 256-byte fixed rotating key. The key is hard-coded into the executable, so unless the C&C server holds different copies of the executable for each victim (not likely) or patches/recompiles executables on the fly (extremely not likely), this same key is used to encrypt every targeted file of every victim of this campaign.


Figure 6 – encryption key embedded in the pulled executable


I have written here before about ways to possibly recover from a successful ransomware attack, and this ransomware exposes itself to nearly every one of them. The shadow files are left intact, the key (symmetric here, thus also used for decryption) can be extracted from the traffic logs, and the encryption algorithm itself is effectively a many-time pad – wide open for cryptanalysis. The barrier to entry for thwarting this attack post-infection is ridiculously, uncharacteristically, low. If you get hit by ransomware, and it turns out to be this one, you should count your blessings.
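The recovery path described above, and the rename-only case from the TOGTOC discussion, as an added example that is not code from the original article or from the malware. It assumes the key byte at index `i % 256` is applied at file offset `i` and that bytes past offset 2048 are left unchanged; the key and sample files are constructed stand-ins.

```python
KEY_LEN = 256     # key length given in the article
ENC_LIMIT = 2048  # only the first 2048 bytes of a file are XORed

# A few well-known file signatures. A ".crypted" file that still starts with
# one of them was renamed but never encrypted (the TOGTOC failure case).
MAGIC = (b"%PDF-", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")

def renamed_only(data: bytes) -> bool:
    return data.startswith(MAGIC)

def xor_prefix(data: bytes, key: bytes) -> bytes:
    """Apply the rotating-key XOR to the first ENC_LIMIT bytes (self-inverse).
    Assumption: key byte i % len(key) is used at file offset i."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:ENC_LIMIT]))
    return head + data[ENC_LIMIT:]

def recover_key(original: bytes, encrypted: bytes) -> bytes:
    """Derive the key from one file available both encrypted and from backup."""
    n = min(len(original), len(encrypted), ENC_LIMIT)
    if n < KEY_LEN:
        raise ValueError("need at least KEY_LEN bytes of known plaintext")
    stream = bytes(o ^ e for o, e in zip(original[:n], encrypted[:n]))
    key = stream[:KEY_LEN]
    # A genuine pair yields a keystream that repeats every KEY_LEN bytes.
    if any(stream[i] != key[i % KEY_LEN] for i in range(n)):
        raise ValueError("keystream does not repeat every KEY_LEN bytes")
    return key

def demo() -> dict:
    # Constructed stand-in key and files, not taken from the campaign.
    key = bytes((i * 7 + 13) % 256 for i in range(KEY_LEN))
    backup = b"%PDF-1.4\n" + bytes((i * 31) % 256 for i in range(3000))
    other = b"PK\x03\x04" + b"quarterly report " * 40
    enc_backup, enc_other = xor_prefix(backup, key), xor_prefix(other, key)
    found = recover_key(backup, enc_backup)
    return {
        "key_recovered": found == key,
        "other_restored": xor_prefix(enc_other, found) == other,
        "tail_untouched": enc_backup[ENC_LIMIT:] == backup[ENC_LIMIT:],
        "renamed_only_flags": (renamed_only(other), renamed_only(enc_other)),
    }

if __name__ == "__main__":
    print(demo())
```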

Two for the price of one

Nemucod is, first and foremost, a dropper. Its aim is to get other malware to run on its victims’ systems, and this basic purpose has not changed. At this point, Nemucod proceeds to execute its old, vanilla functionality: It supplies the malware ID to be downloaded, pulls the appropriate malware from its C&C server and executes it. In this particular case, the malware pulled and executed by Nemucod is a variant of the Boaxxe click-fraud adware. Boaxxe operates by silently browsing advertisements and redirecting user search results to sponsored content. An excellent in-depth coverage of Boaxxe is available here (Part 1, Part 2).

The takeaway

From the perspective of a researcher, this is a relatively straightforward story: Someone who had the original source of Nemucod – perhaps even the original author – saw an opportunity to jump on the ransomware bandwagon. Spam was sent, files were encrypted, and adware was installed.

The major point of interest, from a researcher’s point of view, is the very notion of ransomware “with fries on the side.” In the unruly land of malware, we are loath to make generalizations; but ransomware has, by and large, been an isolated operation. If you were infected with Cryptowall then you were infected with Cryptowall, and not with various drive-by adware, spyware, banking Trojans or what-have-you. Nemucod has shown us the very real possibility that a victim can be infected with ransomware and then a little something extra.

Having said that, a more interesting picture appears when we examine this threat from the victim’s point of view. He sees an email, opens a file, and clicks “yes” on an “are you sure” prompt. The next thing he sees is a ransom note informing him that his files have been encrypted, and a demand to pay up.

He doesn’t know that the encryption used is of about the weakest sort possible. He doesn’t know that nearly any counter-measure he happens to have in place will undo the damage. Most of all, he doesn’t know that his very real ransomware crisis is merely an opportunistic hitchhike, and that the threat’s ultimate aim was not to hijack his vacation photos, but to sell his attention to the highest bidder. As he rushes to Google “hit by ransomware, what to do”, he certainly does not know that unless he does a clean install of his operating system, this selling of his attention to the highest bidder shall commence very soon.

The bottom line is this – the moment you have malicious code running on your machine, what you know about your situation may be insignificant compared to what you don’t.
