Nemty ransomware has partnered with the Trik botnet, which delivers Nemty to compromised computers. The criminals behind the botnet use the infected computers to send email spam and have been observed pushing out a wide range of malware families, now including Nemty. In the past, Nemty has been observed being spread via the RIG exploit kit, as well as via malicious spam campaigns targeting users in Korea and China, where the malware is attached inside an archive. 36% of targets are located in China, while Korea houses 40% of Nemty’s targets.
We observed a recent version of Trik delivering a tiny component that uses the Server Message Block (SMB) protocol and a list of hardcoded credentials to try to connect to remote computers with port 139 open.
First, the SMB component creates a registry entry. Trik then checks whether the file winsvcs.txt is present in the %AppData% directory on the compromised computer. If winsvcs.txt is not present, the Nemty ransomware is downloaded and executed. If winsvcs.txt is present, the SMB component checks whether it is running as a service. If it is not running as a service, the component tries to spread itself through the SMB protocol.
To find targets, the SMB component generates random IP addresses and then tries to connect to them on port 139. The malware can infect public IP addresses with port 139 open that are using any of the common administrator usernames and passwords on its list. If access is granted, the malware uses the SMB protocol to copy itself to the remote machine. It then uses the Windows Service Control Manager to start the SMB component’s process on the remote machine. It deletes shadow copies and backups before, rather than after, encryption.
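The spreading behaviour described above, one internal host connecting to many random public addresses on port 139, stands out in flow or firewall logs. The following is an added detection example, not code from the original report; the record format, internal ranges, time window and threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: internal address space and alert thresholds are site-specific.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_DSTS = 5

# Constructed flow records: ISO timestamp,source,destination,destination port.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01,10.0.5.23,203.0.113.7,139
2024-01-01T10:00:02,10.0.5.23,198.51.100.14,139
2024-01-01T10:00:03,10.0.5.23,203.0.113.99,139
2024-01-01T10:00:04,10.0.5.23,192.0.2.45,139
2024-01-01T10:00:05,10.0.5.23,198.51.100.200,139
2024-01-01T10:00:06,10.0.5.23,203.0.113.150,139
2024-01-01T10:00:07,10.0.5.40,10.0.1.10,139
2024-01-01T10:00:00,10.0.5.88,203.0.113.7,139
2024-01-01T10:02:00,10.0.5.88,198.51.100.14,139
2024-01-01T10:04:00,10.0.5.88,203.0.113.99,139
2024-01-01T10:06:00,10.0.5.88,192.0.2.45,139
2024-01-01T10:08:00,10.0.5.88,198.51.100.200,139
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_smb_scanners(flow_text):
    """Map each flagged source to its peak count of distinct external port-139 peers per window."""
    per_src = defaultdict(list)
    for line in flow_text.split():
        ts, src, dst, dport = line.split(",")
        # Keep only internal hosts reaching external addresses on port 139.
        if dport == "139" and is_internal(src) and not is_internal(dst):
            per_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= MIN_DISTINCT_DSTS:
            alerts[src] = best
    return alerts
```

Internal file-server traffic on port 139 and slow, sparse external connections are not flagged; only the burst from a single host crosses the threshold.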
The developers behind the Nemty ransomware are constantly updating and improving its code, as well as its delivery methods, in an attempt to reach more victims.