Why You Should K I S S (Keep It Simple Stupid)

Office Macro Malware

Another Wonderful Nemucod Fail, Which Illustrates Why You Should K I S S (Keep It Simple Stupid)

A quick update on the never-ending spoofed FedEx, UPS and USPS “cannot deliver your parcel” malspam, which generally delivers Locky ransomware and Kovter, with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix.

On 16 March 2017 I noticed a slight change: it looks like the “apprentice” coding the JavaScript file in the email attachment has tried to be too clever, resulting in a spectacular fail. Instead of the usual “counter.js” or “counter.txt” that gives the current download sites and what malware to download and run, it just gives the php interpreter file that they bundle with the malware downloads.

In today’s version you can get to the malware downloads by removing the 4 from the end of “var m”, which gives you the normal heavily obfuscated Nemucod ransomware version message and the list of sites to download from. Substitute 1 for Locky and 2 for Kovter to get the normal payloads. Typically the JavaScript in the email attachment appends 1 to 5 to the end of “var m” to get the different payloads: it takes the first site in “var x”, adds /counter/? followed by “var m” and then 1 to 5 in turn, and continues until each file has been downloaded to the computer. If any site doesn’t respond or hasn’t got the current malware version, it moves down the list to the next site, and so on.

In today’s version, as you can see from the Payload Security report, it just downloads the same “innocent” file from each location in “var x”, when it is supposed to download the different malware files from each site.

The more obfuscation and tricks the bad guys use to avoid detection, the more often they introduce bugs and typos that work in our favour and stop the malware from being downloaded and run. The phrase that was drummed into me in my early days of learning any sort of coding was K I S S (Keep It Simple Stupid).

Disclaimer: my coding skills are absolutely dreadful and I am only capable of very, very basic, extremely simple coding of any kind, so K I S S really does apply to me.

A standard Nemucod JavaScript downloader that works looks like this, and the typical Payload Security report shows the full set of downloads and Nemucod ransomware being invoked.

Update 18 March 2017: Another mistake from this gang today. Once again an incorrect “var m” is hardcoded in the .js file attachment (MALWR | Payload Security). If “var m” ends in a letter (a-z, A-Z) you get the counter.txt telling you which sites to download from and what malware to download. If “var m” ends in a digit 0-9 you either get an empty file or, in the case of 1-5, the various files associated with the malware kit: 1 is normally Locky, occasionally Cerber and very rarely has been Sage ransomware; 2 is always Kovter; 3 and 4 are innocent php interpreter files that the malware uses to do its nefarious deeds; 5 (when it exists) is a php list of file types to encrypt. Some days or weeks 5 does not exist and the list of file types to encrypt is hard coded into one of the other files.

As you can see from the online sandbox reports, the failure to K I S S is working well again today and every site is delivering a harmless 0 byte empty file. But if you do a little bit of simple editing of the JavaScript file and correct the apprentice’s mistake by removing the last digit to leave a letter, you get MALWR | Payload Security, both showing encrypted files and Nemucod ransomware at work.
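As an added triage helper (my own example, not code from the original post or from the malware kit), the script below pulls “var x” and “var m” out of an attachment, reports whether the trailing character is the dispatcher letter or the apprentice’s stray digit described above and in the 16 March notes, and lists the /counter/? URLs the downloader would request so they can be blocklisted or matched in proxy logs; it fetches nothing. The sample attachment text, the JS array layout of “var x” and the payload table are assumptions constructed from the post’s description.

```python
"""Triage helper for the Nemucod-style JS downloader described in the post.

Nothing is downloaded or executed: it extracts the site list ("var x") and
the per-attachment id ("var m"), reports whether "var m" ends in a letter
(counter.txt dispatcher) or in the stray digit that breaks the kit, and
lists the URLs the downloader would request so they can be blocklisted.
"""
import re

# Payload indices as observed in the post; any other digit gives an empty file.
PAYLOAD_BY_INDEX = {
    1: "Locky (occasionally Cerber, rarely Sage)",
    2: "Kovter",
    3: "php interpreter file",
    4: "php interpreter file",
    5: "php list of file types to encrypt (when present)",
}

# Constructed sample, not a real attachment; "var x" as a JS array of strings
# and "var m" as a string literal is an assumed layout.
SAMPLE_JS = '''
var x = ["site-a.example", "site-b.example", "site-c.example"];
var m = "k7q2zb4";
'''

def extract_vars(js_text):
    """Return (sites, m) from the attachment text, or raise if absent."""
    x_match = re.search(r'var\s+x\s*=\s*\[(.*?)\]', js_text, re.S)
    m_match = re.search(r'var\s+m\s*=\s*["\']([^"\']*)["\']', js_text)
    if not x_match or not m_match:
        raise ValueError("var x / var m not found in the expected form")
    sites = re.findall(r'["\']([^"\']+)["\']', x_match.group(1))
    return sites, m_match.group(1)

def classify_m(m):
    """A trailing letter means /counter/?<m><n> reaches the dispatcher;
    a trailing digit means every site returns one fixed kit file (or nothing)."""
    if not m:
        return "empty var m"
    if m[-1].isalpha():
        return "ok: ends in a letter, counter.txt would be served"
    if m[-1].isdigit():
        what = PAYLOAD_BY_INDEX.get(int(m[-1]), "an empty file")
        return f"bug: ends in digit {m[-1]}, every site returns {what}"
    return "unexpected trailing character"

def candidate_urls(sites, m, indices=range(1, 6)):
    """URLs the downloader would try: each site in order, /counter/? + m + 1..5."""
    return [f"{site}/counter/?{m}{n}" for site in sites for n in indices]
```

Running `classify_m` on the sample reports the digit-4 bug, and `candidate_urls(sites, m[:-1])` gives the 15 requests the corrected script would make.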

Direct downloads of the malware: 1.exe (Locky) VirusTotal, 2.exe (Kovter) VirusTotal.

Currently counter.txt is Nemucod ransomware, which delivers a very heavily obfuscated JavaScript file looking like this (the original has about 100 extra lines):

When de-obfuscated it looks like this, and you end up with this txt file on your desktop (and normally the same as an HTML desktop background). The Bitcoin address and the download decryptor links are individual to each JavaScript attachment: every email attachment has a randomly hard coded address, which is embedded inside “var m” in the JavaScript.