Another Wonderful Nemucod Fail, Which Illustrates Why You Should KISS (Keep It Simple, Stupid)
A quick update to the never-ending spoofed emails from FedEx, UPS and USPS, the "cannot deliver your parcel" malspam that generally delivers Locky ransomware and Kovter, with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix.
In today's version, as you can see from the Payload Security report, it just downloads the same "innocent" file from each location listed in "var x", when it is supposed to download a different malware file from each site.
The more obfuscation and tricks the bad guys use to avoid detection, the more often they introduce bugs and typos that work in our favour and stop the malware from being downloaded and run. The phrase that was drummed into me in my early days of learning any sort of coding was KISS (Keep It Simple, Stupid).
Disclaimer: my coding skills are absolutely dreadful and I am only capable of very, very basic, extremely simple coding of any kind, so KISS really does apply to me.
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect "var m" is hardcoded in the .js file attachment. MALWR | Payload Security. If "var m" ends in a letter (a-z, A-Z) you get the counter.txt telling you which sites to download from and what malware to download. If "var m" ends in a digit (0-9) you either get an empty file or, in the case of 1-5, the various files associated with the malware kit: 1 is normally Locky, occasionally Cerber and very rarely has been Sage ransomware; 2 is always Kovter; 3 and 4 are innocent PHP interpreter files that the malware uses to do its nefarious deeds; 5 (when it exists) is a PHP list of file types to encrypt. Some days or weeks 5 does not exist, and the list of file types to encrypt is hard coded into one of the other files.
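As an added triage helper (not the author's code and not the malware's), the script below pulls the "var x" download list and the hardcoded "var m" selector out of a downloader script and reports what the post says that selector's last character would fetch. The sample JavaScript is constructed for the example and uses placeholder hostnames, not real indicators.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape the post describes (placeholder hosts, not IoCs):
# a "var x" array of download locations and a hardcoded "var m" selector.
SAMPLE_JS = (
    'var x = ["http://host-a.invalid/counter/?", "http://host-b.invalid/counter/?"];\n'
    'var m = "qwe2";\n'
    'var o = new ActiveXObject("MSXML2.XMLHTTP");\n'
)

# What the post says each digit ending of "var m" selects on the gang's server.
DIGIT_MEANING = {
    "1": "ransomware payload (Locky, occasionally Cerber, rarely Sage)",
    "2": "Kovter",
    "3": "PHP interpreter component",
    "4": "PHP interpreter component",
    "5": "PHP list of file types to encrypt (not always present)",
}

def extract_string_array(js: str, name: str) -> List[str]:
    """Return the string literals inside `var <name> = [...]`, or [] if absent."""
    m = re.search(r'var\s+' + re.escape(name) + r'\s*=\s*\[([^\]]*)\]', js)
    if not m:
        return []
    return re.findall(r'["\']([^"\']*)["\']', m.group(1))

def extract_string(js: str, name: str) -> Optional[str]:
    """Return the literal assigned by `var <name> = "..."`, or None if absent."""
    m = re.search(r'var\s+' + re.escape(name) + r'\s*=\s*["\']([^"\']*)["\']', js)
    return m.group(1) if m else None

def classify_m(m: str) -> str:
    """Map the last character of "var m" to what the post says the server returns."""
    last = m[-1:]
    if last.isascii() and last.isalpha():
        return "counter.txt (list of download sites and payload names)"
    if last.isdigit():
        return DIGIT_MEANING.get(last, "empty file")
    return "unknown selector"

def triage(js: str) -> Dict[str, object]:
    """Summarise the selector and download locations found in a downloader script."""
    m = extract_string(js, "m")
    return {
        "sites": extract_string_array(js, "x"),
        "m": m,
        "expected": classify_m(m) if m is not None else "no var m found",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```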
Direct downloads of the malware: 1.exe (Locky) VirusTotal | 2.exe (Kovter) VirusTotal