One of the most active Trojans this year has changed tactics and now installing backdoors on target machines instead of ransomware.

Nemucod was used in several large campaigns in 2016, having reached a 24 per cent share on global malware detections in March this year, according to the firm. In the past, Nemucod payloads were primarily ransomware families, most frequently Locky or the now-discontinued TeslaCrypt. But now it has changed to serve up a backdoor.

According to security researchers at ESET, the backdoor detected is Kovtar. As a backdoor, this Trojan allows the attacker to control machines remotely without the victim’s consent or knowledge. Researchers said the variant analysed has been enhanced by ad-clicking capability delivered via an embedded browser. The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change, according to commands from the attacker but can also alter them automatically since Kovter monitors the computers’ performance level. If the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.

The current version spreads Kovter as an email ZIP attachment pretending to be an invoice and containing an infected executable JavaScript file. In a blog post, security researcher Ondrej Kubovic said that if  the user “falls for the trap and executes the infected file – the Nemucod downloader – it downloads Kovter onto the machine and executes it.”

This article originally appeared at

Source link