
Researchers are warning Nemucod – one of the most active Trojans this year – has resurfaced with a new campaign. This time, the malicious downloader appears to be infecting victims with an ad-clicking backdoor.

According to security researchers at ESET, the backdoor Trojan, called Kovter, allows the attacker to remotely control the machine without the user’s knowledge or consent.

“In the recently observed wave, malware operators are mainly focusing on the ad-clicking capability delivered via an embedded browser,” explained researchers in a blog post. “The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads.”

The backdoor can also monitor the machine’s available memory and CPU usage, ramping up the number of threads when the computer is idle until further user activity is detected.

“This helps the Trojan not overload the system and keep a low profile,” the researchers added.

To deliver the malware, cybercriminals trick unsuspecting users into opening a malicious ZIP email attachment, which looks like an invoice and contains a malicious, executable JavaScript file.

[Screenshot: the malicious invoice-themed email and its ZIP attachment. Source: ESET]

Previously, Nemucod campaigns primarily served ransomware families, including Locky and the now discontinued TeslaCrypt. In late March, the Trojan accounted for 24 percent of ESET’s global malware detections, and in some countries, as much as half of all malicious files detected in 2016.

ESET researchers recommend users take the following precautions to avoid this threat:

  • If your email client or server offers attachment blocking by extension, block emails sent with *.EXE, *.BAT, *.CMD, *.SCR and *.JS files attached
  • Set your operating system to display file extensions to help identify the true type of a file in case of dual-extension spoofing (e.g. “INVOICE.PDF.EXE” is not displayed as “INVOICE.PDF”)
  • If you frequently and legitimately receive these types of files, check who the sender is. If there is anything suspicious, scan the message and its attachments with a reliable security solution
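The first two recommendations above can be applied programmatically at a mail gateway: judge an attachment by its real final extension, look inside ZIP attachments (the Nemucod delivery vehicle described earlier) without extracting them, and flag dual-extension names such as INVOICE.PDF.EXE. The following is an added example written for this article, not ESET's code or tooling; the blocked extension list comes from ESET's recommendation, while the decoy "document" extension list, the function names and the policy of treating an unreadable archive as suspicious are assumptions of this example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Extensions ESET recommends blocking at the mail client or server (from the article).
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".js"}

# Assumed list of "decoy" document extensions that appear before the real one in
# dual-extension spoofing (INVOICE.PDF.EXE). Not from the article; extend as needed.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_filename(name: str) -> Dict[str, object]:
    """Return a verdict for one attachment (or archive member) filename.

    The decision uses only the *final* extension, which is what the OS will
    execute, so INVOICE.PDF.EXE is judged as an .exe regardless of how a
    file browser with hidden extensions would display it.
    """
    path = PurePosixPath(name.replace("\\", "/"))  # tolerate Windows-style member paths
    suffixes = [s.lower() for s in path.suffixes]
    final = suffixes[-1] if suffixes else ""
    blocked = final in BLOCKED_EXTENSIONS
    # Dual-extension spoofing: a decoy document extension directly before an executable one.
    spoofed = blocked and len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS
    return {
        "name": name,
        "extension": final,
        "blocked": blocked,
        "dual_extension_spoof": spoofed,
    }


def scan_zip_attachment(data: bytes) -> List[Dict[str, object]]:
    """List every member of a ZIP attachment in memory and classify each by name.

    Only the central directory is read; nothing is extracted to disk.
    """
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdicts.append(classify_filename(info.filename))
    return verdicts


def should_block_attachment(filename: str, data: Optional[bytes] = None) -> bool:
    """Decide whether a mail attachment should be blocked.

    Plain files are judged by their own name; ZIP attachments by the names of
    their members. An archive that cannot be parsed is treated as suspicious
    (an assumed policy choice for this example).
    """
    if classify_filename(filename)["blocked"]:
        return True
    if data is not None and filename.lower().endswith(".zip"):
        try:
            return any(v["blocked"] for v in scan_zip_attachment(data))
        except zipfile.BadZipFile:
            return True
    return False


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample input: a ZIP holding one harmless text member under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "// placeholder text, not a real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample resembling the campaign's lure: an "invoice" ZIP with a .JS member
    # whose name also uses dual-extension spoofing.
    sample = build_sample_zip("INVOICE.PDF.JS")
    for verdict in scan_zip_attachment(sample):
        print(verdict)
    print("block attachment:", should_block_attachment("invoice_2016.zip", sample))
```

Because the verdict keys off the final extension rather than the displayed name, the check is not fooled by the INVOICE.PDF.EXE pattern the article warns about; the `dual_extension_spoof` flag is there so the gateway can log or alert on that pattern separately from a plain executable attachment.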