We have already written about Nemucod downloader when it was paired with 7-Zip, this time we have spotted a new variant in the wild that appears to be a further evolution from previous versions. Before we dig into the analysis part, let’s take a quick look at the most recent history of Nemucod:

ReaQta has been monitoring a new and massive worldwide Locky ransomware spam campaign. The attacks are carried out in the usual way: a javascript file attached to an email message delivered to the victims, although this is the first campaign we have tracked that shows a different deployment behaviour. The javascript downloader usually retrieves Locky’s dropper […]

Nemucod is a Javascript downloader used to perform all kind of nasty stuff, recently a “ransomware” routine has been found in some samples, even if a simple one: a XOR with a predefined 255 bytes key. In other instances we have observed the download of a malicious executable responsible for the encryption process. What we will analyze this […]