Recent News - ESET researchers spotted new campaign that spreads backdoor instead of ransomware


2016-08-16

Nemucod, the most active Trojan Downloader in 2016 is back with a new campaign. Instead of serving its victims ransomware, it delivers a backdoor detected by ESET as Win32/Kovter.

 

Nemucod was used in several large campaigns in 2016, having reached a 24% share on global malware detections on March 30, 2016. Local attacks in particular countries saw a prevalence level far above 50% throughout 2016. In the past, Nemucod payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. In the most recent campaign detected by ESET’s systems, Nemucod’s payload is an ad-clicking backdoor named Kovter.
 
As a backdoor, this Trojan allows the attacker to control machines remotely without the victim’s consent or knowledge. The variant analyzed by ESET researchers has been enhanced by ad-clicking capability delivered via an embedded browser. The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change, according to commands from the attacker but can also alter them automatically since Kovter monitors the computers’ performance level. If the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.
 
As is standard with Nemucod, the current version delivering Kovter spreads as an email ZIP attachment pretending to be an invoice and containing an infected executable JavaScript file. If the user falls for the trap and runs the Nemucod-infected file, it downloads Kovter into the machine and executes it.
 
In connection with Nemucod, ESET security experts recommend sticking with the general rules for internet security and also the following the specific advice:
  • If your e-mail client or server offers attachment blocking by extension, you may want to block emails sent with .EXE, *.BAT, *.CMD, *.SCR and *.JS. files attached
     
  • Make sure your operating system displays file extensions. This helps to identify the true type of a file in case of dual extension spoofing (e.g. “INVOICE.PDF.EXE” does not get displayed as “INVOICE.PDF”).
     
  • If you frequently and legitimately receive this type of files, check who the sender is and if there is anything suspicious, scan the message and its attachments with reliable security solution.
 
Read more on Nemucod in the blogpost on ESET’s blog,  WeLiveSecurity.com



 

About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit http://eset.version-2.sg/ or follow us on Facebook.

 

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

For more information, please visit www.version-2.com.sg or call (65) 6296-4268.

Previous News Next News

Return to the previous page