One of the most active Trojans this year has changed tactics and is now installing backdoors on target machines instead of ransomware.
Nemucod was used in several large campaigns in 2016, reaching a 24 per cent share of global malware detections in March this year, according to security firm ESET. In the past, Nemucod payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. Now it has switched to serving up a backdoor.
According to security researchers at ESET, the backdoor detected is Kovter. As a backdoor, this Trojan allows the attacker to control machines remotely without the victim’s consent or knowledge. Researchers said the variant analysed has been enhanced with ad-clicking capability delivered via an embedded browser. The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can be changed by commands from the attacker, but the malware can also adjust it automatically, since Kovter monitors the computer’s performance level. If the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.
This article originally appeared at scmagazineuk.com