Txt.trojan.nemucod with clamxav
Some time ago, we detailed how the Locky ransomware infection process works. Since then, the creators of the Nemucod “downloader” (the code responsible for downloading and executing malware like Locky) have been hard at work polishing their code. One of the latest versions of Nemucod shows some notable changes over the older versions.

In the past, the process was pretty simple: “User opens malicious file → File downloads payload → payload gets executed”. In the more recent versions, however, it is somewhat less straightforward. Let’s have a look at what the code does in more detail. To make it more readable, this code was deobfuscated from its heavily obfuscated original format.

Step 1 – Choosing the right connection method

Earlier versions of Nemucod only used one method to connect to the internet. However, this could fail because of different infrastructure configurations (Windows version, proxy servers, etc.). To provide greater compatibility, the authors of Nemucod created a function that tries to connect using multiple methods; the first method to work is the one that gets used.

Until now, Nemucod came with one address (usually a compromised webserver) from which to try to download its payload. This was a single point of failure: once that payload was removed, the attack would fail. Perhaps with the hope of increasing its chances of success, recent versions have included multiple download locations; the code cycles through the list of sites until one succeeds.