Another wonderful Nemucod fail, which illustrates why you should K I S S (Keep It Simple, Stupid)
A quick update to the never ending spoofed emails from FedEx, UPS and USPS, the "cannot deliver your parcel" malspam that generally delivers Locky ransomware and Kovter, with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix.
In today's version, as you can see from the Payload Security report, it just downloads the same "innocent" file from each location in the "var x" list, when it is supposed to download a different malware file from each site.
The more obfuscation and tricks the bad guys use to try to avoid detection, the more often they introduce bugs and typos that work in our favour and stop the malware from being downloaded and run. The phrase that was drummed into me in the early days of learning any sort of coding was K I S S (Keep it simple, stupid).
Disclaimer: my coding skills are absolutely dreadful and I am only capable of very, very basic, extremely simple coding of any kind, so K I S S really does apply to me.
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect "var m" is hardcoded in the .js file attachment. MALWR | Payload Security. If "var m" ends in a letter (a-z, A-Z) you get the counter.txt telling you which sites to download from and what malware to download. If "var m" ends in a number 0-9 you either get an empty file or, in the case of 1-5, the various files associated with the malware kit. 1 is normally Locky, occasionally Cerber and very rarely has been Sage ransomware. 2 is always Kovter. 3 and 4 are innocent PHP interpreter files that the malware uses to do its nefarious deeds. 5 (when it exists) is a PHP list of file types to encrypt. Some days or weeks 5 does not exist and the list of file types to encrypt is hardcoded into one of the other files.
Which, when it is de-obfuscated, looks like this:
Update 21 March 2017:
It looks like the malware gang distributing this malware must be reading my posts, because today they have changed the scripts slightly so that they work "properly". The downloaded counter.txt now explicitly uses "var m" from the original .js, which is now hardcoded and embedded in counter.txt, and tells it to add a number between 1 and 5 to the end and save the files as either .exe (1-4) or .php (5). The 5.php is now base64 encoded but still contains the list of file types to encrypt. One further note of interest is that 1.exe does not appear to be Locky. I do not know what it is.
MALWR cannot run it and gives a 504 gateway timeout every time (it is running all other samples properly today). Eventually MALWR has come up showing 1.exe is Locky. Payload Security gives a "failed to save to webservice" error. VirusTotal just gives generic detections.
I am attaching a zip file of all of today's files for researchers. P/W "infected": UPS-Package-3963845
Running the original .js through Payload Security doesn't show 1.exe being downloaded or attempting to be run (unless I am reading the deobfuscated counter.txt/js wrongly, it should be).