{"id":1824,"date":"2024-09-25T07:10:34","date_gmt":"2024-09-25T07:10:34","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1824"},"modified":"2025-07-29T02:59:18","modified_gmt":"2025-07-29T02:59:18","slug":"ransomware-double-dip-is-the-same-group-behind-the-recent-nemucod-and-globeimposter-campaigns","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/ransomware-double-dip-is-the-same-group-behind-the-recent-nemucod-and-globeimposter-campaigns\/","title":{"rendered":"Ransomware double-dip: is the same group behind the recent Nemucod and Globeimposter campaigns?"},"content":{"rendered":"\n
\"\"\/<\/figure>\n\n\n\n

In the few weeks, the Nemucod and Globeimposter ransomware strains have been dusted off and launched against organizations across the globe. In analyzing the samples, LMNTRIX Cyber Defence Centre analysts discovered that the strains share a number of common of features, suggesting the two campaigns may have been coordinated to dovetail into each other. 

In this post, we\u2019ll analyse how the Nemucod Trojan Downloader \u2013 which was prolific in 2015 \u2013 had its delivery network upgraded to produce ransomware samples appending (.725) file extensions delivered through JavaScript attachments. Immediately following this, was a Globeimposter campaign which added (.726) encrypted file extensions to victim files.

Both variants were first identified in 2015 and used widely before witnessing a decline in distribution. Interestingly, in the weeks leading up to the recent campaign, both malware families had their payload versions updated.

Below, the Checkpoint <\/a>Threat Map illustrates the global ransomware attack trends during the last week of July and the first week of August \u2013 the period in which the Nemucod and Globeimposter campaigns were their most active.

\"\"

DELIVERY<\/strong>

The initial attack wave was carried out by the Nemucod Trojan downloader. Although the Command and Control (C2) servers communicating with the malware had been previously established for malware families like TeslaCrypt, Miruef, Crowti, this campaign differed as it included a JavaScript (JS) attachment embedded into the \u201c\\bUPS_Parcel_ID_\\d+\\s{0,3}\\b\\.zip\\b$\u201d. 

The malicious JS code is as follows:

\"\"

Above, we can see the C&C domains were statically added into the code (i.e. www.shiashop.com, lamancha.club and infosoft.pl) for payload download. The Globeimposter ransomware followed the same delivery method as Nemucod.

INFECTION CHAIN ANALYSIS<\/strong>
\"\"

After witnessing the similarities, our researchers decided to take a closer look at the infection chain. As expected, both ransomware families had the same technique, tactics and procedures (TTPs) adding further weight to the hypotheses that the two were linked. 

A.    NEMUCOD  <\/strong><\/em>

Static Analysis<\/strong>
<\/p>\n\n\n\n

 File name<\/strong><\/td> Nemocod.js<\/td><\/tr>
 File type<\/strong><\/td> Javascript (.js) file<\/td><\/tr>
 Md5 hash<\/strong><\/td> 662deb567110ce61b0efd921b594f66a<\/td><\/tr>
 SHA1 hash<\/strong><\/td> 3d43d4188fb7aa235b955aaf3edbbfd66d6562ae<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Upon viewing the obfuscated (.js) file code, several instances of wscript shell execution were observed:

 \"\"

 \"\"

\"\"

It also contained various encoded browser detection capabilities:

\"\"
<\/p>\n\n\n\n

 Below we can see the process by which Nemucod tries to establish communication with the C&C domain via encoded request:

\"\"

\"\"
<\/p>\n\n\n\n



On visiting the URL, an executable gets dropped in the %TEMP% location.

Dynamic Analysis<\/strong>

Executing the .js wscript established a connection with the IP address \u201c107.189.3.214\u201d as shown below:

\"\" 

This contacts the domain \u201czubairfazal[.]com\u201d to download another binary file (starting with \u2018MZ\u2019 \u2013 the identification marker of a portable executable):

\"\" 

Another binary \u201csYDqyCiKm1.exe\u201d and various other files are then subsequently dropped:  

\"\"

Once the necessary files are in place, \u2018sYDqyCiKm1.exe\u2019 starts executing in the background:

\"\" 

 A bat file, \u2018_tD2A9.tmp.bat\u2019, deletes the volume shadow copies using the \u2018vssadmin.exe Delete shadows\u2019 command, adds and removes some registries using \u2018reg add\u2019 and \u2018reg Delete\u2019 commands and changes the default file attributes using \u2018attrib command\u2019.

 \"\"

As a result, system files are encrypted with .725 extensions:

\"\"

The following files are also added:

\"\"
<\/p>\n\n\n\n

B.    GLOBEIMPOSTER RANSOMWARE<\/strong><\/em>

Static Analysis<\/strong>
<\/p>\n\n\n\n

 File Name<\/td> GlobeImposter.exe<\/td><\/tr>
 File type<\/td> Portable executable (PE) file<\/td><\/tr>
 Md5 hash <\/td> 25e8bf41343bda75a9170aad44094647<\/td><\/tr>
 SHA1 hash<\/td> 0976b97981640eab4b8c66dc48ed4547d4cb26e6<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Upon viewing the strings, there are several malicious API calls used by this malware sample:

\u2022    \u2018CreateFileW,Writefile\u2019 for file dropping 

\u2022    \u2018GetCommandlineA\u2019 for accessing windows command line

\u2022    \u2018GetFileAttributes\u2019 to check file permissions on the system

\u2022    \u2018GetStartupinfo\u2019 to confirm startup information while the system boots up

\u2022    \u2018Isdebuggerpresent\u2019 and \u2018VirtualAlloc\u2019 to check if the sample is running on a virtual machine

\"\"

Dynamic Analysis<\/strong>

On executing the malware sample, it was found that it initiates another child process with the same name as \u2018cmd.exe\u2019:

 \"\"

These processes then disappear from the processes list until only one instance of globeimposter.exe was left running:

 \"\"

After the initial execution of the instruction set, the encryption process starts, resulting in all the files on the user\u2019s system being encrypted with .726 extensions:

\"\"

 \"\"

 Two .bat files are also dropped in the %TEMP% location and are used to delete the volume shadow copies, some registry keys and change file attributes on the target system.

 \"\"

\"\"

 \"\"

INDICATOR OF COMPROMISE (IOC)<\/strong>
<\/p>\n\n\n\n

 File Name<\/strong><\/td> Md5 hashes<\/strong><\/td><\/tr>
 __t1065.tmp.bat<\/td> 32d8f7a3d0c796cee45f64b63c1cca38<\/td><\/tr>
 __t1969.tmp.bat <\/td> 32d8f7a3d0c796cee45f64b63c1cca38<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
 File Name<\/strong><\/td> Md5 hashes<\/strong><\/td><\/tr>
 BIT594E.tmp <\/td> d41d8cd98f00b204e9800998ecf8427e<\/td><\/tr>
 sYDqyCiKm1.exe <\/td> ece16814e892478cfb747662a49e6d9e<\/td><\/tr>
 __tD2A9.tmp  <\/td> d41d8cd98f00b204e9800998ecf8427e<\/td><\/tr>
 __tD2A9.tmp.bat <\/td> 32d8f7a3d0c796cee45f64b63c1cca38<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

CONCLUSION<\/strong>

The nexus between these two ransomware campaigns can be seen in the similar extensions added to the victim\u2019s encrypted files. Together with the sharing of common infrastructure, we can safely assume the same threat actors are behind both campaigns. We hope this analysis serves as starting point for the wider researcher community to dive deeper into the attacks in order make the attacker\u2019s fingerprint exposed when they inevitably resurface with another similar attack.  

 <\/p>\n","protected":false},"excerpt":{"rendered":"

In the few weeks, the Nemucod and Globeimposter ransomware strains have been dusted off and launched against organizations across the globe. In analyzing the samples, LMNTRIX Cyber Defence Centre analysts discovered that the strains share a number of common of features, suggesting the two campaigns may have been coordinated to dovetail into each other.  In […]<\/p>\n","protected":false},"author":1,"featured_media":1875,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1824","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1824"}],"version-history":[{"count":2,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1824\/revisions"}],"predecessor-version":[{"id":4167,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1824\/revisions\/4167"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1875"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}