{"id":6316,"date":"2017-01-23T15:50:19","date_gmt":"2017-01-23T23:50:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-154\/"},"modified":"2017-01-23T15:50:19","modified_gmt":"2017-01-23T23:50:19","slug":"news-154","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-154\/","title":{"rendered":"Gamarue, Nemucod, and JavaScript"},"content":{"rendered":"

JavaScript is now being used largely to download malware because it’s easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod<\/a>.<\/p>\n

This JavaScript trojan downloads additional malware (such as Win32\/Tescrypt<\/a> and Win32\/Crowti<\/a> \u2013 two pervasive ransomware trojans that have been doing the rounds for a few years[1]<\/a> – and Win32\/Fareit<\/a>) and installs it on a victim’s system through spam email.<\/p>\n

Recently, however, we\u2019ve seen another version of Nemucod distributing Gamarue<\/a> malware to users.<\/p>\n

Gamarue<\/a>,<\/span> also known as \u201cAndromeda bot\u201d, has been known to arrive through exploit kits, other executable malware downloaders (including Win32\/Dofoil<\/a> and Win32\/Beebone<\/a>), removable drives, and through that old stand-by: spam campaigns.<\/p>\n

The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.<\/p>\n

A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.<\/p>\n

\"Sample<\/a><\/p>\n

Figure 1: Obfuscated code<\/em><\/p>\n

 <\/p>\n

The decrypted code is shown in the following image:<\/p>\n

\"Sample<\/a><\/p>\n

Figure 2: De-obfuscated code<\/em><\/p>\n

 <\/p>\n

Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April, 2016, it reached in total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it was not detected.<\/p>\n

\"Nemucod<\/a><\/p>\n

Figure 3: \u00a0Nemucod detection rate<\/em><\/p>\n

 <\/p>\n

Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32\/Gamarue<\/a> for more information.<\/p>\n

 <\/p>\n

 <\/p>\n

Nemucod impact<\/h2>\n

Since the start of 2016, Nemucod has risen in prevalence.<\/p>\n

\"Rising<\/a><\/p>\n

Figure 4:\u00a0\u00a0Rising Nemucod prevalence trend shows that it peaked on April<\/em><\/p>\n

 <\/p>\n

For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.<\/p>\n

\"Nemucod<\/a><\/p>\n

Figure 5: Majority of the Nemucod infections are seen in the United States<\/em><\/p>\n

Overall, however, it still remains relatively low, especially when compared to Gamarue.<\/p>\n

 <\/p>\n

Gamarue impact<\/h2>\n

Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.<\/p>\n

\"Gamarue<\/a><\/p>\n

Figure 6: The Gamarue infection trend shows a steady pattern <\/em><\/p>\n

 <\/p>\n

For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.<\/p>\n

\"Gamarue<\/a><\/p>\n

Figure 7: Majority of the Gamarue infection hits third world countries<\/em><\/p>\n

 <\/p>\n

Mitigation and prevention<\/h2>\n

To help stay protected from Nemucod, Gamarue, and other threats, use\u00a0Windows Defender<\/a>\u00a0for Windows 10, or other up-to-date<\/a> real-time product as your antimalware scanner.<\/p>\n

Use advanced threat and cloud protection<\/strong><\/p>\n

You can boost your protection by using Office 365 Advanced Threat Protection and enabling\u00a0Microsoft Active Protection Service<\/a> (MAPS).<\/p>\n

Office 365 helps by\u00a0blocking dangerous email threats<\/a>; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks<\/a>, for details.<\/p>\n

MAPS uses cloud protection to help guard against the latest malware threats. You should\u00a0check if MAPS is enabled on your PC<\/a>.<\/p>\n

Some additional preventive measures that you or your administrators can proactively do:<\/p>\n