The following screenshots show how the malicious file attachment looks like in the recent campaign:<\/p>\n
Figure 1: Example of how an email spam containing the latest version of Nemucod might look like<\/em><\/p>\n <\/p>\n Figure 2: Example of how Nemucod malware looks like when extracted and opened with an archive viewer<\/em><\/p>\n As seen in the following file name samples, the double dot paired with the uncommon .wsf extension creates an illusion that the file name was either abbreviated, was intentionally omitted, or shortened by the system because it was too long:<\/p>\n Some might look at the sample file names and assume that they might originally have been a long unique string identifier consisting of random letters and numbers that could be a transaction ID, receipt number or even user ID:<\/p>\n However, this is not the case. These are script files that might contain malicious code which could harm your system.<\/p>\n Windows Scripting File is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer you increased scripting flexibility. Because Windows script files are not specific to a script language, the underlying code can have either JavaScript or VBScript, depending on language declaration in the file. WSF acts as a container.<\/p>\n Underneath the WSF is the same typical Nemucod JScript code.<\/p>\n Figure 3: Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (<\/em>conditional compilation)<\/em><\/p>\n <\/p>\n This Nemucod version leverages the @cc_on (conditional compilation)<\/a> command. Such a command can possibly evade AV scanner detection. It tricks the AV scanners to think the command is part of a comment, thus preventing the AV scanners from interpreting it as an executable code.<\/p>\n Upon code decryption, the following URLs – where the malware payload is being hosted – are revealed:<\/p>\n <\/strong><\/p>\n The latest Nemucod telemetry for the past 15 days shows that it has constantly been active, although there haven\u2019t been any huge spikes.<\/p>\n Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day<\/em><\/p>\n <\/p>\n Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18,2016<\/em><\/p>\n <\/p>\n Other than using ..wsf and @cc_on technique, we\u2019ve also seen different and old tricks used as part of its social engineering tactics. This includes, but is not limited to:<\/p>\n Just like the Nemucod campaigns before this, the malware downloader payload includes ransomware, such as:<\/p>\n To avoid falling prey from this new Nemucod malware campaign:<\/p>\n![\"Example](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/nemu1.png\" "\\"Example")
<\/a><\/p>\n![\"Example](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/nemu2.png\" "\\"Example")
<\/a><\/p>\nWhat the double dots mean: Social engineering for unsuspecting eyes<\/h2>\n
\n
\n
Underneath the WSF<\/h2>\n
![\"Nemucod](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/nemu3.png\" "\\"Nemucod")
<\/a><\/p>\n\n
Recent spam campaign and trends<\/h2>\n
![\"Daily](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/nemu4.png\" "\\"Daily")
<\/a><\/p>\n![\"Geographic](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/nemu5.png\" "\\"Geographic")
<\/a><\/p>\n\n
Nemucod infection chain<\/h2>\n
![\"Nemucod](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/07\/nemu6.png\" "\\"Nemucod")
<\/a><\/p>\n\n
Mitigation and prevention<\/h2>\n
\n
\n