New malware campaign spreads backdoor access

ESET : 19 August, 2016  (Technical Article)
ESET details the latest Nemucod campaign, which now distributes the ad-clicking backdoor Kovter instead of ransomware

Nemucod, the most active Trojan downloader of 2016, is back with a new campaign. Instead of serving its victims ransomware, it delivers a backdoor detected by ESET as Win32/Kovter.

Nemucod was used in several large campaigns in 2016, reaching a 24% share of global malware detections on March 30, 2016. In particular countries its prevalence was far above 50% at times throughout 2016. In the past, Nemucod's payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. In the most recent campaign detected by ESET's systems, Nemucod's payload is an ad-clicking backdoor named Kovter.

As a backdoor, this Trojan allows the attacker to control infected machines remotely without the victim's consent or knowledge. The variant analyzed by ESET researchers has been enhanced with an ad-clicking capability delivered via an embedded browser. The Trojan can run as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can be changed by command from the attacker, but Kovter also adjusts it automatically by monitoring the computer's performance level: if the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.

As is standard with Nemucod, the current version delivering Kovter spreads as an email ZIP attachment pretending to be an invoice and containing a malicious JavaScript file (the Nemucod downloader itself). If the user falls for the trap and runs the script, it downloads Kovter onto the machine and executes it.

In connection with Nemucod, ESET security experts recommend sticking to the general rules of internet security and also following this specific advice:

* If your e-mail client or server offers attachment blocking by extension, you may want to block emails with .EXE, .BAT, .CMD, .SCR and .JS files attached. Note that the Nemucod attachment is a ZIP archive, so the policy has to look inside archives as well, not only at the outer attachment name.
* Make sure your operating system displays file extensions. This helps to identify the true type of a file in the case of dual-extension spoofing (e.g. "INVOICE.PDF.EXE" does not get displayed as "INVOICE.PDF").
* If you frequently and legitimately receive these types of files, check who the sender is and, if anything looks suspicious, scan the message and its attachments with a reliable security solution.
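The following is an added example, not ESET's code or anything from the original article, showing how a mail-gateway check for the attachment pattern described above might be implemented: it parses a message, applies the extension block-list from the first bullet, looks inside ZIP attachments for script files such as the .js downloader, and flags dual-extension names like INVOICE.PDF.EXE from the second bullet. The block-list is extended with a few additional script extensions (.jse, .vbs, .vbe, .wsf, .ps1) as an assumption of what a real gateway policy would include, and the sample message is constructed inline for the demonstration.

```python
"""Mail-gateway style attachment check: blocked extensions, ZIP contents,
and dual-extension spoofing. Added example, not code from the article."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the article recommends blocking, plus a few script types a
# gateway policy would normally include (the extras are an assumption).
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".js",
                      ".jse", ".vbs", ".vbe", ".wsf", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 2  # ZIP-in-ZIP is common; never recurse without a limit


def split_extensions(filename):
    """All extensions, lowercased: 'INVOICE.PDF.EXE' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_name(filename, nested=False):
    """Findings for one filename; an empty list means the name is allowed."""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in BLOCKED_EXTENSIONS:
        return []
    where = "inside archive" if nested else "attachment"
    findings = [f"blocked extension {exts[-1]} ({where}): {filename}"]
    if len(exts) > 1:
        # INVOICE.PDF.EXE is shown as INVOICE.PDF when extensions are hidden
        findings.append(f"dual-extension spoofing: {filename}")
    return findings


def scan_archive(data, depth=1):
    """Look inside a ZIP for script/executable members, recursing into nested ZIPs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive is not a valid ZIP (possible malformed or disguised file)"]
    findings = []
    with zf:
        for name in zf.namelist():
            findings.extend(classify_name(name, nested=True))
            exts = split_extensions(name)
            if exts and exts[-1] in ARCHIVE_EXTENSIONS and depth < MAX_ARCHIVE_DEPTH:
                findings.extend(scan_archive(zf.read(name), depth + 1))
    return findings


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and return every attachment finding."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.extend(classify_name(name))
        exts = split_extensions(name)
        if exts and exts[-1] in ARCHIVE_EXTENSIONS:
            findings.extend(scan_archive(part.get_payload(decode=True)))
    return findings


def build_sample_message():
    """Constructed test mail (not a real sample): an 'invoice' ZIP carrying a
    .js file, a benign PDF, and a dual-extension executable."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("Invoice_2016-08.js", "// downloader stub (constructed)\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 4721"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice_4721.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="INVOICE.PDF.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Run against the constructed message, the check reports the .js member inside the ZIP and both the blocked extension and the dual-extension spoofing for INVOICE.PDF.EXE, while the PDF passes. A real deployment would quarantine or strip the message on any finding; matching on names alone is a first filter, since a renamed script still executes when double-clicked under its real extension, so it belongs alongside content-based scanning, not in place of it.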
