Nemucod dot dot..WSF

The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension.

It is a variation of what has been observed since last year (2015) – the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file, using a file name of interest with .js or .jse as extension.

The following screenshots show how the malicious file attachment looks like in the recent campaign:

Example of how an email spam containing the latest version of Nemucod might look like

Figure 1: Example of how an email spam containing the latest version of Nemucod might look like

 

Example of how Nemucod malware looks like when extracted and opened with an archive viewer.

Figure 2: Example of how Nemucod malware looks like when extracted and opened with an archive viewer

What the double dots mean: Social engineering for unsuspecting eyes

As seen in the following file name samples, the double dot paired with the uncommon .wsf extension creates an illusion that the file name was either abbreviated, was intentionally omitted, or shortened by the system because it was too long:

  • profile-d39a..wsf
  • profile-e3de..wsf
  • profile-e7dc..wsf
  • profile-f8d..wsf
  • profile-fb50..wsf
  • spreadsheet_07a..wsf
  • spreadsheet_1529..wsf
  • spreadsheet_2c3b..wsf
  • spreadsheet_36ff..wsf
  • spreadsheet_3a8..wsf

Some might look at the sample file names and assume that they might originally have been a long unique string identifier consisting of random letters and numbers that could be a transaction ID, receipt number or even user ID:

  • profile-d39as1u3e8k9i3m4wsf
  • profile-e3dee1uwl8s10f3m4wsf
  • profile-e7dc4d1u3e83m4wsf
  • profile-f8dsdwsfe8k4i38wsf
  • profile-fb50s1u3l8k9i3m4wsf
  • spreadsheet_07as133e3k9i3e4wsf
  • spreadsheet_1529s15se8f9i3o6wsf
  • spreadsheet_2c3bs1u5dfk9i3m6wsf
  • spreadsheet_36ffs1ure8koei3d5ws
  • spreadsheet_3a8s1udwsf8s9i323wsf

However, this is not the case. These are script files that might contain malicious code which could harm your system.

Underneath the WSF

Windows Scripting File is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer you increased scripting flexibility. Because Windows script files are not specific to a script language, the underlying code can have either JavaScript or VBScript, depending on language declaration in the file. WSF acts as a container.

Underneath the WSF is the same typical Nemucod JScript code.

Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (conditional compilation)

Figure 3: Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (conditional compilation)

 

This Nemucod version leverages the @cc_on (conditional compilation) command. Such a command can possibly evade AV scanner detection. It tricks the AV scanners to think the command is part of a comment, thus preventing the AV scanners from interpreting it as an executable code.

Upon code decryption, the following URLs – where the malware payload is being hosted – are revealed:

  • hxxp://right-livelihoods.org/rpvch
  • hxxp://nmfabb.com/rgrna1gc
  • hxxp://www.fabricemontoyo.com/v8li8

Recent spam campaign and trends

The latest Nemucod telemetry for the past 15 days shows that it has constantly been active, although there haven’t been any huge spikes.

Daily detection trend for Nemucod. These are the unique machine encounters per day

Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day

 

Geographic distribution of Nemucod. Data taken from July 3 to July 18, 2016

Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18,2016

 

Other than using ..wsf and @cc_on technique, we’ve also seen different and old tricks used as part of its social engineering tactics. This includes, but is not limited to:

  • Double extension (for example: <filename>pdf.js)
  • Invoice, receipt, and delivery related file names such as DHL, FedEx delivery, and so forth

Nemucod infection chain

Nemucod infection chain showing spam email distributing WSF which downloads and runs malware

Just like the Nemucod campaigns before this, the malware downloader payload includes ransomware, such as:

Mitigation and prevention

To avoid falling prey from this new Nemucod malware campaign:

Francis Tan Seng and Alden Pornasdoro
MMPC

https://blogs.technet.microsoft.com/mmpc/feed/