Thanks to Kevin, Rajas, Angela, Ray, and Tophs for all the data, research, and output.
On the heels of RSA’s recent investigation into Cerber and Ransomware-as-a-Service (RaaS), additional consideration was given to other aspects of the ‘Crimeware circuit’ that might also be moving into a more commercialized role. The Nemucod Trojan’s recent evolution as of August-September of 2016, may well provide another fitting example of actors adapting to market forces. Not coincidentally, the JS/TrojanDownloader.Nemucod is currently being tracked as the second current ‘Top World Threat’ by ESET’s Virusradar[1], with an uptick of activity noted in the latter weeks of September.
Figure 1: Nemucod trending, courtesy of ESET Virusradar[2]
Historically speaking, Nemucod is a relatively well-known family that has often utilized malspam campaigns with the trojan delivering flavors of ransomware, ad-clickers, and other payloads. However, it is important to note that these payloads were typically each delivered in time-serial linear fashion; this appears to have changed for Nemucod. Evidence to this fact, analysis of detonated malware (from the week of September 19th) indicates that today’s Nemucod Trojan may be operating as an uncoupled delivery mechanism, capable of dropping not just Locky Ransomware, but a slew of other malicious portable executables (e.g., win32/kovter and win32/boaxxe).
Does this shift represent Nemucod actors adjusting their business model to better align core competencies with market demand, in this case for the distribution and delivery of a plethora of crimeware? It’s possible and even likely, especially considering the evolution of EK delivered Cerber RaaS. That being said, there is not yet a conclusive body of evidence today to prove or disprove the theory that Numecod actors have hung a shingle as distribution and delivery service providers.
Locky ransomware was one of the primary payloads noted in this investigation, and the executables observed demonstrate behavior consistent with Locky as described in previous security industry documentation. As with previous Nemucod campaigns, the attack vector used for this campaign was mostly e-mail, a sample of which can be seen below.
Figure 5: E-mail attack vector.
Meet the Nemucod Trojan. It is attached above as a non-password protected ZIP containing an HTA (HTML Application) file, which is encoded Javascript responsible for the delivery of one or more malicious payloads. This type of executable inherently brings agility to the actor’s operating model, because encoded JavaScript can easily be modified to reconfigure malware-serving domains or IPs. Add to this, the amount of bulletproof hosting available in countries with “less stringent laws and/or regulations”, and it becomes apparent how quickly Nemucod can launch or modify a campaign.
Another noteworthy observation was that community antivirus and malware detection capabilities typically mischaracterize Nemucod. Rather then identifying the trojan as a downloader and delivery mechanism, the community often categorizes Nemucod by the payload it most commonly. This fact has probably helped obscure Nemucod’s utility in delivering multiple flavors of ransom and other crimeware.
In the case of Locky, the delivered payload is a PHP interpreter, an additional PHP library, and then the download of a third PHP file, which uses a hard-coded encryption key to encrypt important files and rename them after its namesake, “.locky”. Once this routine has completed, the software then proceeds to inform the user and demand ransom.
Figure 2: Maltego snapshot of Locky Infrastructure
Post-delivery, observed a number of Locky .PHP check-ins via HTTP posts direct to IPs connections (e.g., userinfo.php, data/info.php, submit.php, amin.php). It is believed that these are initial check-ins by the ransomware once it has successfully installed itself. There were also a number of expected callbacks to 51.254.0.0/15, a known command and control (c2) infrastructure for Locky. In our malware samples, the majority of activity destined for 51.255.105.2, confirming it as a current Locky C2 site[3].
Figure 3: Sample of Locky’s direct-to-IP check-in, courtesy of VirusTotal[4]
In addition to this activity, a large number of callbacks were also seen heading to 51.255.107.30, which is likely critical infrastructure related to Locky malspam. This was demonstrated by a number of SMTP formatted port 80 callbacks to known infrastructure as well as the large number of POP, IMAP, and other mail related domains hosted therein. 51.255.107.30 itself hosts more than 50 mail related domains as well as a possible control panel (cpanel[.]rowz.[.]ru). Similar provisioning was noted across other nodes within the Locky infrastructure.
Figure 4: Additional Locky domains
Also not surprising, there were a number of connections to dynamic DNS provider checkip[.]dyndns[.]org, who has been a player in too many past crimeware campaigns to list.
While little detail currently exists on most open source ransomware trackers with regard to Locky payment processing, several candidate hosts were noted during the course of this research. First, in addition to it’s C2 role, 51.255.105.2 was found to be hosting more than 400 possible payment site domains matching a [8-20char DGA].[key].win pattern. 185.141.25.108 was also noted as a possible payment site host with a smaller number of [DGA].[DGA].top and [DGA].[DGA].pw patterned domains observed.
There was also handful of traffic to Eastern European hosting services (e.g., 185.162.8.101 Eurohoster hosting services out of Bulgaria) and privately registered Ukrainian infrastructure such as 107.181.187.228, identified as hosting obscure domains like m2.[]dreamboatoffer[.]com and horehjw19882[.]com, coincidentally owned by an IOS developer living in Ukraine. It’s not possible at this stage to determine if these artifacts are indicative of compromised infrastructure hijacked for Locky or possibly something more closely related to the actual group of Locky actors.
Figure 4: VirusTotal site scoring[5]
Another aspect of the Nemucod investigation revealed that many of the ‘Locky’ characterized hashes were false positive identifications (by several algorithms within VirusTotal) that actually demonstrated behavior more consistent with malvertising. These hashes made direct callbacks to Akamai CDN infrastructure (e.g., aka.ms) and are likely further examples of Nemucod’s evolved ability for multiple payloads and more importantly achieving multiple revenue streams.
Conclusion
While no significantly new technical understanding was developed during the course of this research. RSA was able to identify several Nemucod and Locky behaviors that are currently being evaluated for post-infection signature based detection in RSA Security Analytics (i.e. NetWitness). Additionally, the RSA FirstWatch Exploit Domain and FirstWatch Exploit IP threat intelligence feeds were updated as of September 28th, 2016 to include more than 3000 unique indicators of compromise (IOCs) for the Nemucod trojan as well as Locky ransomware it currently delivers.
In addion, a new App Rule is also available in Live. The query is:
rule="action = 'post' && risk.info = 'http direct to ip request' && content = 'application/x-www-form-urlencoded' && direction='outbound' && (extension = 'php' || extension = 'cgi' )
This rule should have a low false-positive rate, if you find anything to the contrary please let us know.
Perhaps more important than the technical discoveries though is the additional evidence this research contributes to the theory that crimeware actors are adopting commercially accepted market principles to refine their business models in order to increase profits and diversify revenue streams.
Footnotes
[1] http://www.virusradar.com/en
[2] http://www.virusradar.com/en/JS_TrojanDownloader.Nemucod/chart/month
[3] http://malware-traffic-analysis.net/2016/09/16/index3.html
[4] https://www.virustotal.com/intelligence/search/?query=81e85dcaf482aba2f8ea047145490493%C2%A0+
[5] https://www.virustotal.com/en/url/d188070f344a6645c451c0602ceb6afe0f9336fe1803df687eab1ae186f8b06c/analysis/1475167507/
