Nemucod dot dot..WSF
The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension.
It is a variation of what has been observed since last year (2015) – the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file, using a file name of interest with .js or .jse as extension.
The following screenshots show how the malicious file attachment looks like in the recent campaign:
Figure 1: Example of how an email spam containing the latest version of Nemucod might look like
Figure 2: Example of how Nemucod malware looks like when extracted and opened with an archive viewer
What the double dots mean: Social engineering for unsuspecting eyes
As seen in the following file name samples, the double dot paired with the uncommon .wsf extension creates an illusion that the file name was either abbreviated, was intentionally omitted, or shortened by the system because it was too long:
- profile-d39a..wsf
- profile-e3de..wsf
- profile-e7dc..wsf
- profile-f8d..wsf
- profile-fb50..wsf
- spreadsheet_07a..wsf
- spreadsheet_1529..wsf
- spreadsheet_2c3b..wsf
- spreadsheet_36ff..wsf
- spreadsheet_3a8..wsf
Some might look at the sample file names and assume that they might originally have been a long unique string identifier consisting of random letters and numbers that could be a transaction ID, receipt number or even user ID:
- profile-d39as1u3e8k9i3m4wsf
- profile-e3dee1uwl8s10f3m4wsf
- profile-e7dc4d1u3e83m4wsf
- profile-f8dsdwsfe8k4i38wsf
- profile-fb50s1u3l8k9i3m4wsf
- spreadsheet_07as133e3k9i3e4wsf
- spreadsheet_1529s15se8f9i3o6wsf
- spreadsheet_2c3bs1u5dfk9i3m6wsf
- spreadsheet_36ffs1ure8koei3d5ws
- spreadsheet_3a8s1udwsf8s9i323wsf
However, this is not the case. These are script files that might contain malicious code which could harm your system.
Underneath the WSF
Windows Scripting File is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer you increased scripting flexibility. Because Windows script files are not specific to a script language, the underlying code can have either JavaScript or VBScript, depending on language declaration in the file. WSF acts as a container.
Underneath the WSF is the same typical Nemucod JScript code.
Figure 3: Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (conditional compilation)
This Nemucod version leverages the @cc_on (conditional compilation) command. Such a command can possibly evade AV scanner detection. It tricks the AV scanners to think the command is part of a comment, thus preventing the AV scanners from interpreting it as an executable code.
Upon code decryption, the following URLs – where the malware payload is being hosted – are revealed:
- hxxp://right-livelihoods.org/rpvch
- hxxp://nmfabb.com/rgrna1gc
- hxxp://www.fabricemontoyo.com/v8li8
Recent spam campaign and trends
The latest Nemucod telemetry for the past 15 days shows that it has constantly been active, although there haven’t been any huge spikes.
Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day
Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18,2016
Other than using ..wsf and @cc_on technique, we’ve also seen different and old tricks used as part of its social engineering tactics. This includes, but is not limited to:
- Double extension (for example: <filename>pdf.js)
- Invoice, receipt, and delivery related file names such as DHL, FedEx delivery, and so forth
Nemucod infection chain
Just like the Nemucod campaigns before this, the malware downloader payload includes ransomware, such as:
Mitigation and prevention
To avoid falling prey from this new Nemucod malware campaign:
- Use an up-to-date real-time antimalware product, such as Windows Defender for Windows 10.
- Ensure that Microsoft Active Protection Service has been enabled.
- Use Office 365 Advanced Threat Protection. It has a machine learning capability to help your network administrators block dangerous email threats. See the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.
- Be wary of emails with attachments having .wsf file extensions. It is uncommon and quite suspicious for people to send legitimate applications with such extensions through email. Attachments with “.wsf” extension and, more importantly, double dot extension are more likely to be dubious. Do not click or open these attachments.
- Use the AppLocker group policy to prevent dubious software from running. Add .wsf to the file types to block in your AppLocker Group Policy.
- Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:
- Ensure that a strong password policy is implemented throughout the enterprise.
- Disable the loading of macros in Office programs.
- Disable macro loading through the Group Policy settings.
- Keep your software up-to-date to mitigate possible software exploits.
- Protect derived domain credentials with Credential Guard for Windows 10 Enterprise.
- Secure your code integrity with Device Guard for Windows 10 Enterprise.
- Secure the lateral account movement in your enterprise.
- Use two-factor authentication with Microsoft Passport and Windows Hello.
Francis Tan Seng and Alden Pornasdoro
MMPC