Gamarue, Nemucod, and JavaScript
JavaScript is now being used largely to download malware because it’s easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod.
This JavaScript trojan downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on a victim’s system through spam email.
Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.
Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.
The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.
A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.
Figure 1: Obfuscated code
The decrypted code is shown in the following image:
Figure 2: De-obfuscated code
Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April, 2016, it reached in total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it was not detected.
Figure 3: Nemucod detection rate
Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.
Nemucod impact
Since the start of 2016, Nemucod has risen in prevalence.
Figure 4: Rising Nemucod prevalence trend shows that it peaked on April
For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.
Figure 5: Majority of the Nemucod infections are seen in the United States
Overall, however, it still remains relatively low, especially when compared to Gamarue.
Gamarue impact
Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.
Figure 6: The Gamarue infection trend shows a steady pattern
For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.
Figure 7: Majority of the Gamarue infection hits third world countries
Mitigation and prevention
To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or other up-to-date real-time product as your antimalware scanner.
Use advanced threat and cloud protection
You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).
Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.
MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.
Some additional preventive measures that you or your administrators can proactively do:
- Block the IP addresses of the corresponding compromised websites as soon as the administrator identifies the list of sites that Nemucod and Gamarue maliciously connect to
- Be aware of and avoid JavaScript-laden spam emails
- Use Microsoft Edge to get SmartScreen protection. SmartScreen can help prevent you from inadvertently browsing sites that are known to be hosting exploits, and helps protect you from socially-engineered attacks such as phishing and malware downloads.
- Keep your software up-to-date to mitigate possible software exploits.
- Protect derived domain credentials with Credential Guard for Windows 10 Enterprise.
- Secure your code integrity with Device Guard for Windows 10 Enterprise
- Secure the lateral account movement in your enterprise.
- Use two-factor authentication with Microsoft Passport and Windows Hello.
- Ensure that a strong password policy is implemented throughout the enterprise
- Turn on your firewall
- Limit user privileges
- Use trusted locations for files in your enterprise
———————————————————————–
[1] We’ve published a number of blogs about Crowti, including:
- Crowti update – CryptoWall 3.0 (January 2015)
- The dangers of opening suspicious emails: Crowti ransomware (October 2014)
It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):
Donna Sibangan
MMPC