NemucodAES Ransomware and Kovter Malware are Distributed as one Email Attachment

Cybercriminals continue to improve their malware distribution methods. A new spam campaign delivers both ransomware and click-fraud malware through the same email attachment. Bundling multiple types of malware may slowly become the new normal, as evidenced by the recent months. NemucodAES and Kovter are now on of these bundled items.

Bundling Malware is a Smart Decision

Making money as a cybercriminals is becoming more difficult. Even though malware and ransomware are still two popular industries, there is an incredible amount of competition. Every petty online pundit wants to make a few thousand dollars by infecting random computers and use the machine for nefarious purposes. Advanced cybercirminals will need to come up with new methods to stand out from the rest.

One potential way of solving this problem is by launching new dedicated email spam campaigns. Rather than focusing on the distribution of one malicious tool, we now see bundled concoctions appear. Researchers have come across an email campaign which delivers both NemucodAES ransomware and the Kovter click-fraud malware in the same email attachment. This means victims are at twice the risk than before, which is anything but a positive development.

These two types of malware bundled in a .zip email attachment. Once the recipient opens this file, they will see two separate JavaScript files. Double-clicking each file will trigger the download process for the ransomware and the click-fraud malware. It does appear this bundle of malware is only targeted at Windows users.

NemucodAES is related to the Nemucod Trojan Downloader, which was a big factor in the distribution of both Locky and TeslaCrypt throughout 2016. NemucodAES is not all that different and there is a free decryptor tool available to nullify this threat altogether. Kovter, on the other hand, is a nasty click-fraud malware variant which is not only difficult to detect, but also nearly impossible to get rid of through conventional means.

This is not the first time we see cybercriminals bundle multiple types of malware. Nor is it the first time Kovter is distributed alongside ransomware. In February of 2017, a similar spam campaign was detected which distributed Locky and Kovter. It is hard to gauge how successful that campaign was, though. Given this new attempt, there must be some merit to taking this particular route. it seems click-fraud malware is the new hot trend right now, and bundling it with ransomware can be a lucrative decision.

Even though the choice of NemucodAES is dubious at best, we can expect more of these combined payloads in the future. Criminals are looking for ways to make money one way or another. If that means they have to force two different types of evil onto consumers, so be it. We can only hope email service providers will attempt to block these nefarious distribution attempts in the future. It is impossible to tell how much damage can be done with these types of campaigns.