Gamarue, Nemucod, and JavaScript

JavaScript is now being used largely to download malware because it’s easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod.

This JavaScript trojan downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on a victim’s system through spam email.

Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.

Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.

The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.

A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.

Sample of an obfuscated JavaScript code

Figure 1: Obfuscated code

 

The decrypted code is shown in the following image:

Sample of a decrypted JavaScript previously-obfuscated code

Figure 2: De-obfuscated code

 

Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April, 2016, it reached in total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it was not detected.

Nemucod detection rate

Figure 3:  Nemucod detection rate

 

Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.

 

 

Nemucod impact

Since the start of 2016, Nemucod has risen in prevalence.

Rising Nemucod prevalence trend

Figure 4:  Rising Nemucod prevalence trend shows that it peaked on April

 

For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.

Nemucod geoloc distribution from January to April 2016

Figure 5: Majority of the Nemucod infections are seen in the United States

Overall, however, it still remains relatively low, especially when compared to Gamarue.

 

Gamarue impact

Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.

Gamarue prevalence chart shows steady pattern from January to April 2016

Figure 6: The Gamarue infection trend shows a steady pattern

 

For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.

Gamarue geoloc distribution from January to April 2016

Figure 7: Majority of the Gamarue infection hits third world countries

 

Mitigation and prevention

To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or other up-to-date real-time product as your antimalware scanner.

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

Some additional preventive measures that you or your administrators can proactively do:

 

———————————————————————–

[1] We’ve published a number of blogs about Crowti, including:

It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):

 

Donna Sibangan

MMPC