In 2016, Nemucod was the most frequently detected malware among the top 20 families shown in Figure 24
Adversaries use this downloader malware to distribute ransomware and
other threats, such as backdoor Trojans that facilitate click fraud.
Some variants of Nemucod also serve as engines for delivering the
Nemucod malware payload.
One reason Nemucod malware was so
prevalent in 2016, according to our threat researchers, is that its
authors frequently evolved this threat. Cisco identified more than 15
file extension and MIME combinations associated with the Nemucod family
that were used to deliver malware through the web. Many more
combinations were used to deliver the threat to users through email (Figure 28
file extension and MIME combinations (web and email) were designed to
point users to malicious .zip files or archives. Adversaries also reused
many combinations during the months we observed.
As Figure 29
shows, many Nemucod hashes are less than 2 days old when they are
detected. In September and October 2016, almost every binary related to
the Nemucod family that was blocked was less than a day old.