Nemty Ransomware Deployed via Payment Service Phish


Optiv ThreatDNA™ is a real-time contextualized threat intelligence platform integrated into core Optiv services and products.


In late August a new ransomware strain, Nemty, was distributed in the wild. By early September reports emerged of a large online payment service phishing attack directing users, via a hostile link, to a remote site leveraging the Rig exploit kit (Rig EK) (MITRE ATT&CK T1189) to compromise computers into installing the ransomware.


Initial vector of attack


Nemty is confirmed to spread in the wild via phishing emails with a hostile URL. The remote site is an exploit landing page for the RIG exploit kit. If exploitation is successful, Nemty ransomware is installed on the computer.


The Nemty phishing email uses a homoglyph deception attack in the hostile link. This lets attackers use non-ASCII characters within a domain name as a form of obfuscation. To the human eye, on mobile or standard browsers, a Punycode-rendered domain will likely look correct because of how the lookalike characters are substituted as part of the attack strategy. If the attack is successful, victims are tricked into clicking on a seemingly legitimate link but are directed to a remote, hostile RIG exploit kit landing page for exploitation and installation of Nemty ransomware.
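The following is an added example (not Optiv's or the campaign's code) showing how a mail gateway or analyst script can render a Punycode hostname back to what the user sees and flag mixed-script lookalikes; the hostnames it tests are constructed, not indicators from this article.

```python
"""Flag phishing links whose hostname hides non-ASCII lookalike characters
behind Punycode (xn--) labels, as in the homoglyph link described above.
Added example for this article, not Optiv's or the campaign's code.
Hostnames used below are constructed, not indicators from the article."""
import unicodedata
from urllib.parse import urlsplit


def to_punycode_host(unicode_host: str) -> str:
    """Encode a Unicode hostname the way a browser does before DNS lookup."""
    return unicode_host.encode("idna").decode("ascii")


def decode_host(host: str) -> str:
    """Render xn-- labels back to Unicode, i.e. what the user actually sees."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label, still worth flagging
        labels.append(label)
    return ".".join(labels)


def letter_scripts(text: str) -> set:
    """Unicode script of each letter, taken from the first word of its name
    (LATIN, CYRILLIC, GREEK, ...). Digits and punctuation are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def assess_link(url: str) -> dict:
    """Return the rendered hostname plus flags a mail gateway could act on."""
    host = urlsplit(url).hostname or ""
    rendered = decode_host(host)
    scripts = letter_scripts(rendered)
    flags = []
    if rendered != host:
        flags.append("punycode")          # IDN: the name shown differs from the DNS name
    if len(scripts) > 1:
        flags.append("mixed-script")      # e.g. Cyrillic letters inside a Latin brand name
    if unicodedata.normalize("NFKC", rendered) != rendered:
        flags.append("compat-lookalike")  # fullwidth or other compatibility variants of ASCII
    return {"host": host, "rendered": rendered, "scripts": sorted(scripts), "flags": flags}


if __name__ == "__main__":
    # Constructed lookalike: Latin "a" replaced by Cyrillic "а" (U+0430).
    lookalike = to_punycode_host("ex\u0430mplepay.com")
    print(assess_link(f"https://{lookalike}/login"))
```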


The RIG EK, in the wild since 2014, is confirmed as a vector of attack with Nemty ransomware in 2019. Rig EK supports multiple exploit vectors; the threats that Optiv ThreatDNA™ has identified as the most common in 2019, listed by CVE, are CVE-2018-4878 (Adobe Flash Player prior to version and CVE-2018-8174 (VBScript, multiple Windows OS). A multitude of additional exploits and configurations are known to be associated with this kit.


Unconfirmed open source intelligence sources also report Nemty can spread via compromised remote desktop connections.


Introduction to Nemty malware


The easiest way to identify Nemty ransomware is via the “NEMTY PROJECT” note it displays on a compromised computer. As is common with ransomware, the note informs the victim that their files are encrypted and attempts to extort payment via a remote website with a TOR link. Nemty asks for $1,000 USD in cryptocurrency as a ransomware payoff amount and uses the string “NEMTY” in the appended filename of encrypted files.


Cashback.exe Nemty sample


Optiv ThreatDNA™ confirmed one Nemty ransomware sample in the lab with filename “Cashback.exe” (MD5 ed431f3209eb43d80fc3dbea1e994c9a, formerly hosted at hxxp://pp-back[.]info/Cashback.exe). Other filenames observed in early campaigns included, but are not limited to, “Temp.exe” and “ironman.exe.” Files that may be created on a local system during installation of the malware include “iron.bmp,” “ironman.exe” (MD5 2e53705a6b9e70444ad77f274d741cd7), “temp,” and “temp.exe” (MD5 cbabf86a14c5b5da2fa40245fd69074a) inside a TEMP directory. Ironman.exe is a payload filename identified with several variants of Nemty. Some variants also contain the static file data “Copyright © 2019, fdgudfgv” as Legal Copyright data. Packer identification varies across variants of this ransomware family.


Cashback.exe contains an invalid digital signature which appears to be unique to early samples of Nemty. Optiv confirmed this sample does not execute if installed from a CIS country IP visiting the RIG exploit kit landing page. Optiv also confirmed that the ransomware kills specific processes and services as part of its anti-malware-detection and survivability strategies, encrypts local data files and creates a ransom note using the format “_NEMTY_[Random Letters]_-Decrypt.txt.” Files encrypted by the malware are renamed to append a Nemty value such as “_NEMTY_Lct5F3C_.”


pp-back[.]info (104.18.61[.]21, 104.18.60[.]21)


The domain was created September 5, 2019 and registered via Reg[.]RU to a private person allegedly residing in “Kolpashevo, RU (Tomskaya Oblasti province),” hosted on 104[.]18[.]61[.]21 as of September 17, 2019.


As of October 1, 2019, 63 samples were identified via anti-virus solutions calling a suspect or known malware strain “Nemty.” When the Optiv gTIC intelligence team leveraged ThreatDNA™ tools, tactics and procedures (TTPs) to author an advisory in mid-September only 28 samples matched the same query. This suggests that Nemty has likely doubled in detection over a two-week period. This may be as a result of improved identification and attribution of the malware family or increased distribution via phishing attacks.


Pro-Commonwealth of Independent States (CIS) behavior


Nemty has a unique pro-Commonwealth of Independent States (CIS) behavior, where Nemty ransomware exits instead of executing if the geolocation of the IP visiting the exploit site is in a CIS country. Nemty performs this query via a lookup to db-ip[.]com using the URL hxxp://api.db-ip[.]com/v2/free/IP ADDRESS/countryName, where IP ADDRESS is that of the victim computer. CIS is a regional intergovernmental organization originally comprising 10 post-Soviet republics in Eurasia.
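As an added example (not Optiv's tooling), the detection logic below looks for two host-side traces of Nemty described in this article: the db-ip countryName lookup in proxy logs and the ransom note and encrypted-file naming patterns in file events. Every log line and path it processes is constructed, and the proxy log format is an assumption.

```python
"""Detection logic for two Nemty behaviours described in this article: the
api.db-ip.com countryName lookup and the _NEMTY_<random>_ file markers.
Added example, not Optiv's tooling; every log line and path below is constructed."""
import re

# Lookup URL from the article: hxxp://api.db-ip[.]com/v2/free/<IP ADDRESS>/countryName
GEOIP_LOOKUP = re.compile(
    r"https?://api\.db-ip\.com/v2/free/(\d{1,3}(?:\.\d{1,3}){3})/countryName", re.I)
# Ransom note "_NEMTY_[Random Letters]_-Decrypt.txt" and appended marker such as "_NEMTY_Lct5F3C_"
RANSOM_NOTE = re.compile(r"^_NEMTY_[A-Za-z0-9]+_-Decrypt\.txt$")
ENCRYPTED_NAME = re.compile(r"_NEMTY_[A-Za-z0-9]+_$")


def scan_proxy_log(lines):
    """Return (client, looked_up_ip) for each db-ip countryName request.
    Assumed (constructed) line format: '<client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        m = GEOIP_LOOKUP.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits


def scan_file_events(paths):
    """Split observed file paths into Nemty ransom notes and encrypted files."""
    notes, encrypted = [], []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if RANSOM_NOTE.match(name):
            notes.append(path)
        elif ENCRYPTED_NAME.search(name):
            encrypted.append(path)
    return notes, encrypted


SAMPLE_PROXY = [  # constructed
    "10.0.0.15 GET http://api.db-ip.com/v2/free/198.51.100.23/countryName 200",
    "10.0.0.15 GET https://www.example.com/ 200",
    "10.0.0.22 GET http://api.db-ip.com/v2/free/203.0.113.7/countryName 200",
]
SAMPLE_FILES = [  # constructed
    r"C:\Users\alice\Documents\_NEMTY_Lct5F3C_-Decrypt.txt",
    r"C:\Users\alice\Documents\budget.xlsx._NEMTY_Lct5F3C_",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_PROXY))
    print(scan_file_events(SAMPLE_FILES))
```

A db-ip lookup on its own is not malicious; it becomes a useful pivot when the same client shortly afterwards writes files matching the Nemty note or suffix patterns.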


Closing comments


Ransomware threats are all too common, demanding best practices for computer security (especially as it relates to a few key preventative measures identified in this attack set):


  • A multi-layered email security solution, coupled with identification of external emails and threats, user awareness training and anti-phishing training and reporting by staff.
  • A strong vulnerability management program and auditing to ensure devices are patched and not vulnerable to remote exploitation by exploit kits such as RIG.
  • Implementation of backup solutions hardened against ransomware attacks with disaster recovery planning and practice in place.
  • Obtaining, ahead of time, an incident response retainer from a third-party service.


Nemty represents the ongoing development and maturation of attacks by experienced threat actors. It contains configuration data that may suggest it’s being sold or leveraged as a service within the criminal underground. Nemty, coupled with a multitude of other ransomware threats in 2019, demands prioritization in all cybersecurity strategies, where preventative measures are the best course of action.

Ken Dunham
Senior Director, Technical Cyber Threat Intelligence
Ken Dunham has spent 30 years in cybersecurity, consulting in adversarial counterintelligence, forensics, Darknet Special Ops, phishing and hacking schemes, AI/BI, machine learning and threat identification.