{
	"id": "e77779ee-0b05-450b-9094-b912ee60b8ba",
	"created_at": "2026-04-06T00:10:10.246687Z",
	"updated_at": "2026-04-10T13:12:31.159388Z",
	"deleted_at": null,
	"sha1_hash": "79049dddb7b95aadd2f3a240e97c59777a7b80d4",
	"title": "return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 998153,
	"plain_text": "return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload\r\nPublished: 2017-06-29 · Archived: 2026-04-05 16:33:02 UTC\r\nThe UPS failed to deliver messages have come back with a vengeance yesterday. I haven’t seen them in the UK for a while now, but it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the Nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom.\r\nUpdate 12 July 2017: Decryptor now available. Download HERE\r\nThanks to the wonderful and dedicated techs at Emsisoft, there is now a decryptor for this ransomware. You can find a clear, easy to follow set of instructions on how to use the decryptor at Bleeping Computer.\r\nImportant Notice: With this Nemucod ransomware version your files get encrypted without changing file names or file extensions. The victim only knows his or her files are definitely gone when they try to open them or see the changed desktop background and ransom message.
If an antivirus kicks in \u0026 removes the malware files and the desktop warning, which frequently happens, then the victim only knows his or her files are definitely gone when they try to open them.\r\nI recently came across (off line) a couple of examples where a victim asked for help with image files they could not open. On careful examination we saw their anti-malware tool had kicked in, removed (or blocked the creation of) the .hta file which displayed the “your Files are encrypted” message and the original .js file, but had not detected or removed most of the other files that actually do the encryption, so the victim did not know that their problem was caused by ransomware.\r\nUpdate 2 July 2017: now also using FedEx and delivering Kovter \u0026 Cerber ransomware, while the UPS version continues simultaneously delivering Nemucod ransomware and Kovter.\r\nUpdate 7 July 2017: slight change to the js file in the emails that delivers the ransomware and Kovter payloads (see below).\r\nUpdate 19 July 2017: I am informed that for the last couple of days these are only distributing the Nemucod PHP ransomware, not Kovter. (Kovter is still on the compromised download sites and manually available for download, although an older, well detected version.) I have seen this before on odd occasions when the malware bad actors are in the process of adding or changing one or more of the malware downloads. I would not be surprised to see a different ransomware and backdoor payload being distributed in the next few days, especially now there is a publicly available decoder / decryptor, so income for this gang will stop or vastly reduce with present versions.\r\nUpdate 23 July 2017: a change in the ransom note, see below.\r\nUpdate 30 July 2017: another change in the js file, see below.\r\nUpdate 16 August 2017: there has been a 2 week break from these, but this morning they are starting to trickle in again.
See below.\r\nUpdate 19 August 2017: A change in behaviour today. They have switched back to using Locky ransomware as the payload (see below). I haven’t seen Locky ransomware delivered by these fake UPS delivery emails for over 6 months.\r\nUpdate 20 August 2017: yet another change today. Now a html file attachment that pretends to be a Word Online word document that cannot be read in your browser, so you need to download \u0026 run the plug in to make it work. See below.\r\nThanks to Michael Gillespie, a well known anti-ransomware campaigner, for his assistance and pointing me in the right direction about the new Nemucod ransomware version. If I hadn’t seen his tweet asking for samples, I would probably just have ignored this as a recurrence of the usual “failed to deliver” spam, scam messages pretending to come from all major delivery companies, and added a foot note to one of the other hundreds of posts on this blog about this persistent malware spreading method.\r\nIf you get infected by this or any other ransomware please check out the ID Ransomware service, which will help to identify what ransomware you have been affected by and offer suggestions for decryption.\r\nThe emails are the same as usual (you only have to look through this blog and search for UPS or FedEx or USPS and see hundreds of different examples and subjects).\r\nhttp://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/\r\nPage 1 of 11\n\nAnother researcher has created a video showing the infection chain with this ransomware. It clearly shows that the files get encrypted without changing file names or file extensions.
The victim only knows his or her files are definitely gone when they try to open them or see the changed desktop background and ransom message.\r\n[Embedded YouTube video]\r\nAnd this video, also created by the same researcher, shows the newly updated version of the js file (7 July 2017). It shows Word being opened but no doc appearing, just garbled plain text, while all the action happens in the background while your attention is on the fake Word doc. It clearly shows the encryption happening before the hta file that creates and displays the ransom note is dropped and the desktop changed and ransom notes created.\r\nWe have been hearing that some antiviruses block .hta file creation or delete them as soon as they are created, before they can display the ransom note, but do not recognise or block the actual .js file and the subsequent php files from running, so allow the ransomware to work. Because there is no displayed note or background change, the victim doesn’t realise their files have been encrypted until they go to use them.\r\n[Embedded YouTube video]\r\nBut there is a difference in the .js files that are coming in the zips. The initial js looks very similar to previous versions but has a much longer var (var zemk) that is used to download the other files. This file looks like:\r\n[screenshot]\r\nAs usual you take the first site name in var x and add /counter/? and then var zemk to get the counter.js (if the first site is not responding, it moves on to the other sites in the list).
The first, smaller counter.js is downloaded when you use Internet Explorer to download it or an IE user agent in Wget. The second, larger counter.js is only delivered when the js from the email is allowed to download it, or you use a “null” user agent via browser or wget, or use the Chrome or Firefox browser.\r\nThe small one looks like:\r\n[screenshot]\r\nThe downloaded counter needs to be deobfuscated by using the specific var ruxk in the original js file, not the var zemk as in previous versions, giving:\r\n[screenshot]\r\nThe larger counter (1), which is transformed into (drops) the embedded php file (only a part shown in screenshot):\r\n[screenshot]\r\nwhich is decoded using the same vars as in the earlier example to:\r\n[screenshot]\r\nWhich in turn needs further decoding to make a working php file that actually does the encryption, which I decoded using the online php decoding service http://www.unphp.net/decode/519e3ad90af1d2854b014a259e079e98/ giving something more readable to humans:\r\n[screenshot]\r\nWhere I am told the relevant part for our purposes is:\r\n[screenshot]\r\nShowing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.\r\nThis ransom note (or something similar with different links) gets displayed on the victim’s desktop:\r\n[screenshot]\r\nThe original js downloads 4 files via the counter: file 1 is Kovter as usual, the second is unknown, and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter.
It looks like it also belongs to PHP, and both php files together are needed to run the downloaded php counter files to encrypt the computer.\r\nYou get 3 identically named files with different file extensions. In THIS example from 4 July 2017 we got:\r\n162citM2mvkp8bEpsLyUchneaUyauzndYZ.doc, which appears to be data and not a Word doc, that is somehow involved in the ransomware\r\n162citM2mvkp8bEpsLyUchneaUyauzndYZ.php (VirusTotal)\r\n162citM2mvkp8bEpsLyUchneaUyauzndYZ.exe, which is a genuine php interpreter file (VirusTotal)\r\nAll 3 work together to do the ransomware and need to be called and run from the original js file, and all files need to be downloaded to the correct places on the victim’s computer, otherwise you don’t get ransomed.\r\nThen we got the Kovter malware payload as well from winnicemoldawii.pl/counter/?2 (VirusTotal).\r\nFor some reason a manual download using the Internet Explorer browser, or Wget with an IE User Agent, of the URL in the emailed .js file will give a cut down version of the counter file which only gives Kovter \u0026 the innocent PHP files, not the ransomware, but using a null user agent or Firefox or Chrome gives the full counter as shown and made available in the PayloadSecurity report, which contains the embedded php ransomware file in encoded/obfuscated form.
I suppose that this is intended to fool or create confusion for researchers who tend to use an IE user agent in Wget, because so much malware wants to use IE as a downloader, since that is the default browser on many susceptible victims’ computers.\r\nwinnicemoldawii.pl/counter/?0000000162citM2mvkp8bEpsLyUchneaUyauzndYZ01260400MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwxpxEMYyKM9ghv4vgeQJwKXMCcsTvSGfNW4hF_NZSEsKYjEn9GUxLPGcW1emZ92jcfltfODcX0RuI8cUUuHFkcH4bzAVAb32DVSS6QlhSVKYffqtfdzKEXiWKMrEAKmCCBQlaC7me9cOUxchwi9TetRquy4w1SvcAUIL4H8_IviuKtT7B-jbrkYqTbS5CpyqV1nDKg4xiwW-2MCHBE3yE-TKsOS9G35UwrO99GNcEMX3Ok2eFEEjjnipdLjTkYdvtt67RxK_hC_5YvB7flwIDAQABrRR99hCv_aYRHvQBjLN6Hlk554pvQ67j-PFrSY9rXarZYBubvEMJ0ImIg-Zm9wNMEmNOm-4S8UgLWyNXbEDCPzEt0\r\nNone of the online sandboxes were able to show encryption in action, although they do show all the downloaded files (I don’t think any of the sandboxes are set to act on all retrieved files, only .exe files). All the sandboxes did show error messages about missing files and missing dependencies, which doesn’t happen on the majority of real computers.\r\nhttps://www.hybrid-analysis.com/sample/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e?environmentId=100\r\nhttps://jbxcloud.joesecurity.org/analysis/300085/1/html\r\nhttps://www.virustotal.com/en/file/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e/analysis/1498629470/\r\nThe Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line.\r\nhttps://www.virustotal.com/en/file/21efa5573721890cdcf9481f613ccb7d633733f05bc29cfeae402802e382cc92/analysis/1498630707/\r\nhttps://www.hybrid-analysis.com/sample/21efa5573721890cdcf9481f613ccb7d633733f05bc29cfeae402802e382cc92?environmentId=100\r\nSites involved in this campaign found so far this week:\r\nresedaplumbing.com\r\nmodx.mbalet.ru\r\nartdecorfashion.com\r\neventbon.nl\r\nelita5.md\r\ngoldwingclub.ru\r\nwww.gloszp.pl\r\nnatiwa.com\r\ndesinano.com.ar\r\namis-spb.ru\r\nperdasbasalti.it\r\n120.109.32.72\r\ncalendar-del.ru\r\nindexsa.com.ar\r\nUpdate 2 July 2017: new sites found; many of last week’s sites are still being used as well.\r\nExample files:\r\nhttps://www.hybrid-analysis.com/sample/1e847dcfd6eeebee068e5be729ed4b0cc389d9e9557d5c8ad93225fa0192e2cf?environmentId=100\r\nhttps://www.virustotal.com/en/file/1e847dcfd6eeebee068e5be729ed4b0cc389d9e9557d5c8ad93225fa0192e2cf/analysis/1498977456/\r\nsingley-construction.com\r\nmebel-vito.ru\r\ndesinano.com.ar\r\nbox-m.org\r\nnikmuzschool.ru\r\n4southern.com\r\nmusaler.ru\r\nuploadmiller.miller-media.at\r\ncsasesores.com.ar\r\nvademecsa.com.ar\r\nvinoteka28.ru\r\nzgqyzjxh.com\r\nosadakrajenska.pl\r\nchymeres.org\r\nwww.mecanique-de-precision.net\r\nwinnicemoldawii.pl\r\nwww.agrimixxshop.com\r\nluxe-limo.ru\r\nUpdate 7 July 2017: new sites include the list below (older sites are still being used as well). There is also a slight change to the js file in the email zip. I think it is basically a change in the order the instructions \u0026 vars are laid out rather than any major functional change.
They still download counter.js, which contains an embedded php file that performs the ransomware attack along with multiple other associated files and, of course, the Kovter Trojan.\r\nproduzirtransforma.com\r\nsharedocsrl.it\r\nferabusiness.com\r\nlamancha.club\r\nwww.shiashop.com\r\natagarden.com\r\nbennuakar.com\r\nblog.3yinaudio.com\r\nexpert5.ru\r\nserdcezemli.ru\r\ninfosoft.pl\r\nbeta.smk.dk\r\nanthonyadavies.co.uk\r\nemsp.ru\r\nanahata2011.ru\r\nsel.w.filipac.net\r\nekokond.ru\r\njesionowa-dental.pl\r\nwww.slayerevival.com\r\nb2stomatologia.pl\r\nsnw.snellewieken.nl\r\ndilaratahincioglu.com\r\nconnexion-zen.com\r\nchatawzieleni.pl\r\nongediertebestrijding.midholland.nl\r\nionios-sa.gr\r\ninfermierifktmatuziani.org\r\nit.support4u.pl\r\nbandanamedia.com\r\nwww.proleite.com.pt\r\nxn--2016-gwea7d0alb0d.xn--p1ai\r\nnavigator-vs.ru\r\nladeya.ru\r\ngimn5.by.\r\nxn--80aaumty.xn--p1ai\r\nfundacio.basquetcatala.cat\r\nlaurel.net.au\r\nintegralmea.com\r\nmagazin-mmv.ru\r\nkominki.szczecin.pl\r\nrealitybusiness.be\r\nnorthernhydro.co.uk\r\ndrmalishop.com\r\nrcproracing.com\r\nkingoffoodgarden.com\r\nw-iii.com\r\nhmymrmf.com\r\nsyesdzs.com\r\nhenri-le-roy.fr\r\neastmarine.com.sg\r\nupper-int.ru\r\nnewborn.cm\r\nmymrmf.com\r\nnkdeng.com\r\naimcompany.net\r\nbombayhospitalandtraumacentre.com\r\nheixiangzi.com\r\nangiti.by\r\nExample files today:\r\nUPS-Delivery-9106926.doc.js [virustotal] [payload security]\r\ncounter.js [virustotal]\r\n1CsnkH4ym42iWxo65QoRtFDC4aPD93QU7e2.exe [VirusTotal] Kovter\r\n1CsnkH4ym42iWxo65QoRtFDC4aPD93QU7e.exe [virustotal] the same php interpreter we have been seeing for several months now\r\n1CsnkH4ym42iWxo65QoRtFDC4aPD93QU7e.doc [virustotal] not a doc file but some sort of data used in the attack.
It is there either to fool analysis or as part of the attack itself.\r\n1CsnkH4ym42iWxo65QoRtFDC4aPD93QU7e.php [virustotal] which performs the ransomware attack. Decoded version: http://www.unphp.net/decode/519e3ad90af1d2854b014a259e079e98/\r\nUpdate 23 July 2017: A change in the ransom note and a change in the decryptor download sites, which are now the same range of onion sites as the payment sites rather than the compromised websites that are delivering the malware. This has changed since last week to:\r\nhttps://bgl3mwo7z3pqyysm.onion.link/?14ZqLvq8a8Fok1J7E3ZymqWPTUwX6Za2Gc\r\nhttps://bgl3mwo7z3pqyysm.onion.to/?14ZqLvq8a8Fok1J7E3ZymqWPTUwX6Za2Gc\r\nhttps://bgl3mwo7z3pqyysm.onion.casa/?14ZqLvq8a8Fok1J7E3ZymqWPTUwX6Za2Gc\r\nhttps://www.virustotal.com/en/file/f2281cdabf9498ee754740b69c41d15f3ba91a82eb61d34f2cd857acaeaab962/analysis/1500796303/\r\nhttps://www.hybrid-analysis.com/sample/f2281cdabf9498ee754740b69c41d15f3ba91a82eb61d34f2cd857acaeaab962?environmentId=100\r\nDecoded PHP at: http://www.unphp.net/decode/ce94e4156cb2012f70a6553a21f0f7d9/\r\nUpdate 30 July 2017: Over the last week we have noticed most zips have contained a 0 byte .js file. Then on Saturday 29 July 2017, they started to reuse several of the very old sites from 1 month ago, most of which are cleaned up with no malware on them. Then today, Sunday 30 July 2017, emails are coming with several new sites and another slight change in the .js files, where several of the var \u0026 function names have changed and an extra layer of obfuscation has been applied. Still the same onion site for payments. We are also noticing a slight change in some of the delivery emails.
Instead of a generic Dear customer, they are inserting Dear \u003crecipient’s first name\u003e, but only where the recipient has a definitely recognisable human name. Emails sent to recipients such as info@, help@, customerservice@, scanner@, Xerox994@ etc. all still get Dear customer.\r\njanken.fr\r\ndeezz-menswear.nl\r\nwomensjoy.ru\r\nkamint.ru\r\nmeble-wierzbowski.pl\r\nicemed.is\r\nproserindustries.com\r\neasy2ls.com\r\nprozor.ru\r\nzogg.ru\r\npink-moore.fr\r\nsionparquetbois.com\r\npfaudler.ru\r\nwallorail.be\r\nExample files:\r\nhttps://www.virustotal.com/en/file/f8fc70d9ceb046674b3ad22c0760c4fd28ec50a2c4f9de775933b208b804e1ad/analysis/1501390742/\r\nhttps://www.hybrid-analysis.com/sample/f8fc70d9ceb046674b3ad22c0760c4fd28ec50a2c4f9de775933b208b804e1ad?environmentId=100\r\nhttps://www.hybrid-analysis.com/sample/86bd1659314f319d13d22a5a745e0199c416d83ecd781d90d73d32ae215a1c2c?environmentId=100\r\nhttps://www.virustotal.com/en/file/86bd1659314f319d13d22a5a745e0199c416d83ecd781d90d73d32ae215a1c2c/analysis/1501392289/\r\nIt looks like the Payload Security reports are showing a false positive (along with VirusTotal) on some sites on the same IP numbers as the malware sites. In particular the Russian Red Cross site is being flagged as malicious.
I cannot see any suspicious content on the links, but it might be worth the Red Cross webmaster investigating, just in case.\r\nURL: http://redcross.ru/user/Image/php/sudinfo.php?1757779/article/2017-01-07/chez-nous-le-film-engage-du-belge-lucas-belvaux-qui-enerve-le-fn-video (AV positives: 2/65 scanned on 07/29/2017 15:12:59)\r\nURL: http://redcross.ru/user/Image/php/sudinfo.php?1685092/article/2016-10-01/rallye-de-france-thierry-neuville-reste-2e-mais-perd-du-terrain-sur-ogier (AV positives: 2/65 scanned on 07/29/2017 15:12:52)\r\nURL: http://redcross.ru/user/image/php/sudinfo.php?1721418/article/2016-11-18/la-justice-donne-raison-a-une-ado-de-14-ans-en-phase-terminale-d-un-cancer-elle (AV positives: 2/65 scanned on 07/29/2017 06:18:30)\r\nUpdate 16 August 2017: there has been a 2 week break from these, but this morning they are starting to trickle in again. The js attachment and the resulting Nemucod ransomware look functionally identical to the previous ones.
Several of the sites are the same as the 30 July list, with quite a few new additions:\r\nplans-nature.fr\r\nrubinsteintaybi.es\r\ntaboo.su\r\nowczarekpodhalanski.pl\r\ntruckman73.ru\r\nproductoscobra.com\r\nthe100brasil.com.br\r\ncentraldosquadrinhos.com\r\nwww.jag.mako.hu\r\nwww.ecn.org\r\ndogtrainings.net\r\nx-rays.msk.ru\r\nvelhobrasil.com\r\njayveehr.com\r\ndbstech.co.nz\r\nExample files and analysis reports:\r\nhttps://www.virustotal.com/en/file/b5009e4137ad28cb4cc267c567e3dbd86842a411c09a2a7fa4c36b70c7537fd2/analysis/1502861631/\r\nhttps://www.hybrid-analysis.com/sample/b5009e4137ad28cb4cc267c567e3dbd86842a411c09a2a7fa4c36b70c7537fd2?environmentId=100\r\nUpdate 19 August 2017:\r\nWe are seeing a change today, and although the original .js inside the zip is downloading a counter file from the compromised sites, this doesn’t appear to be NemucodAES ransomware today. It is still downloading the PHP interpreter and other php files, but also a new file that has poor VirusTotal detections.
It appears to be Locky ransomware with a C2 of 185.75.46.193.\r\nSites found so far involved today:\r\nomegaclube.net.br\r\nep1.businesstowork.com\r\nspachristine.se\r\ntatunet.ddo.jp\r\ndrjadhavpathlab.com\r\nweddingandco.com\r\nlukehorgan.com\r\nreditec.info\r\ngritfitnesstraining.com\r\nstevecarlile.com\r\nblog.baytic.com\r\namirmanzurescobar.com\r\n\u003csitename\u003e/counter/?pKecCkHJqtPHrGaZbLw6g96nPUZlk0PbcP31T4AgY5rzyqa6RhRlp5-yz3Tp7DD8Ke2HYOg7K48BFetgvryWkHOAMPcieVNXhHY0SCvU5hYFzPbYyeviYtyt1v8TL6kc8i4l0\r\nwhich when decoded gives\r\n\u003csitename\u003e/counter/?aY5rzyqa6RhRlp5-yz3Tp7DD8Ke2HYOg7K48BFetgvryWkHOAMPcieVNXhHY0SCvU5hYFzPbYyeviYtyt1v8TL6kc8i4l +n where n is 2-4\r\nAnalysis reports:\r\nhttps://www.hybrid-analysis.com/sample/3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02?environmentId=100\r\nhttps://www.hybrid-analysis.com/sample/da40684ec0f603ca5bfdc99b958fa39d3b64f5aabb1096ce2570c478259f177e?environmentId=100\r\nhttps://www.virustotal.com/en/file/3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02/analysis/1503142540/\r\nUpdate 20 August 2017:\r\nYet another change to the delivery method this afternoon/evening. Emails are still functionally similar, but the attachment is now a html file that when opened pretends to be a Word Online word document that cannot be read in your browser, so you need to download \u0026 run the plug in to make it work. The plugin is a js file that is exactly the same as yesterday’s files, with the same sites hard coded in it.\r\nEmail looks like:\r\n[screenshot]\r\nThe html file when opened looks like this in the Chrome browser.
The link won’t work to download the zip file in Internet Explorer because it uses data:application/zip;base64, which IE will not allow to open from a browser. Chrome \u0026 Firefox do open them. This eventually delivers the same Locky ransomware file that has been used for the last couple of days.\r\nUPS-Label-01054634.doc.html\r\nhttps://www.virustotal.com/en/file/74ba7cfa43fb356af92afadbe5218e0b0acc7398287eab5c92ee76c070c22ea2/analysis/1503255385/\r\nhttps://www.hybrid-analysis.com/sample/74ba7cfa43fb356af92afadbe5218e0b0acc7398287eab5c92ee76c070c22ea2?environmentId=100\r\nInstall-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js\r\nhttps://www.virustotal.com/en/file/f51f3e32cd4ce8df35ab421cb6a023b1eda18bae6678dd026a9cec8f219a244e/analysis/1503255484/\r\nhttps://www.hybrid-analysis.com/sample/f51f3e32cd4ce8df35ab421cb6a023b1eda18bae6678dd026a9cec8f219a244e?environmentId=100\r\nLocky binary\r\nhttps://www.virustotal.com/en/file/3b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02/analysis/\r\nSource: http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/"
	],
	"report_names": [
		"return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79049dddb7b95aadd2f3a240e97c59777a7b80d4.pdf",
		"text": "https://archive.orkl.eu/79049dddb7b95aadd2f3a240e97c59777a7b80d4.txt",
		"img": "https://archive.orkl.eu/79049dddb7b95aadd2f3a240e97c59777a7b80d4.jpg"
	}
}