Step1 –<\/strong> The user receives a spam email with a malicious zip that contains a JavaScript file.<\/p>\n Spam emails sent in this campaign usually contain the below subject lines and attachment names to trick the user into opening the email.<\/p>\n <\/p>\n \u00a0<\/strong><\/p>\n Step2 – <\/strong>JavaScript execution<\/p>\n The JavaScript file has a long variable which is used to download \u201ccounter.js\u201d files from compromised websites. This \u201ccounter.js\u201d is responsible for switching into embedded PHP and download its PHP interpreter files which are, in turn, responsible for encryption.<\/p>\n <\/p>\n <\/p>\n After execution, files are encrypted without any extensions or name change. For encryption, a mix of AES-128 in ECB mode and RSA encryption algorithms are used in order to make the decryption of files more difficult.<\/p>\n After encryption, the below ransom note is displayed.<\/p>\n Along with with Nemucod Ransomware, the user\u2019s computer is infected with the Kovter fileless malware. Kovter hides in the Windows registry which is used in campaigns that generate fraudulent clicks on online ads to make money for the attacker.<\/p>\n How Quick Heal helps<\/strong><\/p>\n 1. Quick heal Email Protection<\/strong> successfully blocks such malicious attachments even before they infect the system.<\/p>\n 2. Quick Heal Virus Protection <\/strong>successfully detects and deletes the malicious script file used in the attack.<\/p>\n 3. The below graph shows the trend of the spam emails we received from 1st<\/sup> to 16th<\/sup> July 2017.<\/p>\n Security Tips<\/strong><\/p>\n <\/p>\n Acknowledgment<\/strong><\/p>\n For the last few weeks, we have been observing a new malicious spam (malspam) variant that is spreading via an email claiming to be from the United Parcel Service (UPS) carriages. The email carries a zip attachment that contains NemucodAES Ransomware and fileless Kovter Trojan. Earlier, such malspam campaigns were delivering Cerber Ransomware and Kovter […]<\/p>\n","protected":false},"author":29,"featured_media":84533,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-84523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84523"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84523"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84523\/revisions"}],"predecessor-version":[{"id":84537,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84523\/revisions\/84537"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84533"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"nemucod1\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod1.jpg\")
\n\n
\n Subject Lines<\/strong><\/td>\n Attachment Names<\/strong><\/td>\n<\/tr>\n \n ***INFECTED*** Problems with item delivery n.004640147<\/td>\n UPS-Package-004640147.zip<\/td>\n<\/tr>\n \n ***INFECTED*** Problems with item delivery n.001656569<\/td>\n UPS-Label-001656569.zip<\/td>\n<\/tr>\n \n Parcel ID004692898 delivery problems please review<\/td>\n UPS-Receipt-004692898.zip<\/td>\n<\/tr>\n \n We could not deliver your parcel #004522553<\/td>\n UPS-Delivery-004522553.zip<\/td>\n<\/tr>\n \n Our UPS courier can not contact you (parcel #008284689)<\/td>\n UPS-Parcel-ID-008284689.zip<\/td>\n<\/tr>\n \n Notification status of your delivery (UPS 5952930)<\/td>\n UPS-Delivery-Details-5952930.zip<\/td>\n<\/tr>\n \n Notification status of your delivery (UPS 001387092)<\/td>\n UPS-Package-001387092.zip<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n ![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod2.jpg\")
![\"Fig3:](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod3.jpg\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod4.jpg\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod5.jpg\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod6-1.jpg\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod6.jpg\")
![\"Fig](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/07\/Nemucod8.png\")
\n
\n
\nPrashant Tilekar, Swati Gaikwad | Quick Heal Security Labs<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"