The developers behind the Nemucod downloader, the code used to deliver ransomware such as Locky, have taken it up a notch, according to ESET researchers at We Live Security.
New iterations examined by the researchers had some “notable changes” that allow the malware to connect to the internet more easily, using a number of methods so that it is accepted by different infrastructure configurations. As well, Nemucod is now being dispersed from a number of download locations, so taking down a single payload host no longer stops the attack.
Also, where previous versions arrived as common .exe binary files – which could be blocked, or at least detected, by firewalls, an IDS or a UTM – the updated version downloads an obfuscated file and then applies a series of character substitutions that eventually renders the file content as a valid Windows executable.
At this point the payload is ready to run. But, rather than run the .exe file directly, the latest versions of Nemucod create a .bat file that starts the executable, then run that .bat file, and the user’s computer is infected.
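The two delivery changes above (an obfuscated download that only becomes a PE after character substitution, and a dropped .bat that launches the executable) are easiest to reason about with a small defender-side model. The following Python is an added example, not ESET's code and not the real Nemucod substitution table: it constructs a minimal stand-in executable, obfuscates it with a constructed byte-swap table, shows that a simple "is this a PE?" gateway check passes the obfuscated download, confirms that the decoded content is a PE (what an analyst or sandbox would do once the table is recovered from the downloader script), and flags a .bat that references an .exe. The names `is_pe`, `build_swap_table`, `gateway_verdicts` and `bat_references_exe` are this example's own.

```python
"""Defender-side checks for the Nemucod delivery pattern described above.

Constructed example: the swap table and the 68-byte stand-in executable are
made up for illustration and are NOT Nemucod's real data.
"""
import re
import struct


def is_pe(data: bytes) -> bool:
    """Minimal PE check of the kind a proxy/UTM content gate applies:
    'MZ' magic, e_lfanew within bounds, and the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_swap_table(pairs) -> bytes:
    """Build a bytes.translate() table that swaps each pair both ways.
    Because every pair is swapped, the table is its own inverse."""
    frm, to = bytearray(), bytearray()
    for a, b in pairs:
        frm += a + b
        to += b + a
    return bytes.maketrans(bytes(frm), bytes(to))


# Constructed substitution table (hypothetical; stands in for whatever
# mapping an analyst recovers from the downloader script).
CONSTRUCTED_PAIRS = [(b"M", b"a"), (b"Z", b"b"), (b"P", b"c"), (b"E", b"d")]
TABLE = build_swap_table(CONSTRUCTED_PAIRS)


def minimal_pe() -> bytes:
    """Constructed 68-byte stand-in for an executable: DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature. Not a runnable program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00"


def gateway_verdicts() -> dict:
    """Show why the obfuscated download slips past an executable-only gate,
    and that applying the recovered table yields a valid PE again."""
    plain = minimal_pe()
    obfuscated = plain.translate(TABLE)      # what the new variant downloads
    decoded = obfuscated.translate(TABLE)    # what the character substitution yields
    return {
        "plain_exe_blocked": is_pe(plain),
        "obfuscated_download_blocked": is_pe(obfuscated),
        "decoded_in_sandbox_is_pe": is_pe(decoded),
    }


def bat_references_exe(bat_text: str) -> bool:
    """Flag a dropped .bat that invokes an .exe, the launcher pattern
    the article describes. Paths may contain %VARS%, drive letters and
    backslashes, so those characters are allowed in the match."""
    return re.search(r"(?i)[\w%~\\:.-]*\.exe\b", bat_text) is not None


if __name__ == "__main__":
    print(gateway_verdicts())
    # Constructed sample launcher line, not a real Nemucod artifact.
    print(bat_references_exe('start "" "%TEMP%\\payload.exe"'))
```

The point of `gateway_verdicts` is the middle value: a gate that only asks "is this a PE?" never sees the executable, because the bytes on the wire are not one yet. Detection therefore has to move to the endpoint (the script applying the substitution, the dropped .bat, the process launch) rather than rely on the download alone.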
The researchers conclude that those behind this code are working diligently to avoid detection by proxy servers and UTM gateways so as to better penetrate corporate environments.