In 2016 the Nymaim malware resurfaced and is spreading via an intensive spearphishing campaign that uses malicious Microsoft Word attachments.
Since the original strain of Nymaim was detected back in 2013, its kill chain and evasion techniques have contributed to over 2.8 million infections. In the first half of 2016, ESET has again observed a marked increase in Nymaim detections.
Principally affecting Poland (54% of detections), Germany (16%) and the United States (12%), the refreshed variant is detected as Win32/TrojanDownloader.Nymaim.BA. It reemerged as a spearphishing campaign complete with a malicious Word attachment (Word.Doc) containing “trick” macros. These macros are used to circumvent the default Microsoft Word security settings via social engineering, and the approach is fairly convincing in English versions of MS Word.
“With its advanced evasion techniques, obfuscation, anti-VM, anti-debugging and control flow capabilities, this two-stage downloader, which used to deliver ransomware as its final payload, has now evolved and is being used to deliver spyware,” says Cassius de Oliveira Puodzius, Security Researcher at ESET Latinoamerica.
In April, the aforementioned version was joined by a hybrid variant of Nymaim and Gozi, targeting financial institutions in North America and also spreading to Latin America, principally Brazil. This variant gives attackers remote control over compromised computers instead of the usual file encryption or lock out.
Due to the similarities between targets found in countries with high and low detection rates, we can be relatively confident that financial institutions remain at the center of this campaign.
“Full documentation of this threat is still underway. However, if you suspect that your computer or network has been compromised, we recommend you check that the IPs and URLs shared in the full article are not found in your firewall and proxy logs. Either way, a prevention strategy for this threat can be put in place by blacklisting the IPs contacted by this malware at the firewall and the URLs at a proxy, so long as your network supports this kind of filtering,” concludes Puodzius.
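The log check Puodzius recommends, as an added example that is not part of the original article or of ESET's analysis: a small Python script that matches firewall and proxy log lines against a list of IP and URL indicators. The indicator values and log lines below are constructed placeholders (RFC 5737 documentation addresses and reserved example domains), since this page does not reproduce the real indicators from the full analysis; substitute the IPs and URLs from that article into `IOC_IPS` and `IOC_URLS`. The log formats assumed are a simple `key=value` firewall line and a Squid-style proxy access line, both hypothetical.

```python
"""Scan firewall and proxy log lines for indicators of compromise (IoCs).

Added example; the IoC values are constructed placeholders, not ESET's
published indicators. Replace them with the IPs and URLs from the full article.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed placeholder indicators (RFC 5737 addresses, reserved domains).
IOC_IPS = {"192.0.2.10", "198.51.100.77"}
IOC_URLS = {
    "http://example.invalid/update.php",
    "http://malware.example/gate.php",
}

# Hostnames derived from the URL IoCs, so that proxy CONNECT lines (which
# carry only host:port) can still be matched.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Assumed log formats (hypothetical):
#   firewall: "2016-06-01T10:00:02Z fw01 ACCEPT src=10.0.0.5 dst=198.51.100.77 dport=80"
#   proxy:    "1464775202.001 10.0.0.9 TCP_MISS/200 GET http://malware.example/gate.php -"
FW_RE = re.compile(r"dst=(?P<dst>[0-9a-fA-F.:]+)")
PROXY_RE = re.compile(r"\b(?:GET|POST|CONNECT)\s+(?P<url>\S+)")


def classify(line):
    """Return (kind, indicator) when the line touches an IoC, else None."""
    m = FW_RE.search(line)
    if m:
        dst = m.group("dst")
        try:
            ip_address(dst)          # ignore malformed destination fields
        except ValueError:
            return None
        if dst in IOC_IPS:
            return ("ip", dst)
        return None

    m = PROXY_RE.search(line)
    if m:
        url = m.group("url")
        if url in IOC_URLS:          # exact URL match
            return ("url", url)
        # CONNECT lines carry "host:port" without a scheme; add one so that
        # urlsplit() can extract the hostname consistently.
        host = urlsplit(url if "://" in url else "http://" + url).hostname
        if host in IOC_HOSTS:        # same host as a URL IoC, different path
            return ("host", host)
        if host in IOC_IPS:          # proxy request made directly to an IoC IP
            return ("ip", host)
    return None


def scan(lines):
    """Return [(line_number, kind, indicator), ...] for every IoC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits


# Constructed sample log; lines 2, 4, 5 and 6 should be reported.
SAMPLE_LOG = [
    "2016-06-01T10:00:01Z fw01 ACCEPT src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2016-06-01T10:00:02Z fw01 ACCEPT src=10.0.0.5 dst=198.51.100.77 dport=80",
    "1464775201.512 10.0.0.5 TCP_MISS/200 GET http://www.example.com/ -",
    "1464775202.001 10.0.0.9 TCP_MISS/200 GET http://malware.example/gate.php -",
    "1464775203.300 10.0.0.9 TCP_TUNNEL/200 CONNECT example.invalid:443 -",
    "1464775204.900 10.0.0.11 TCP_MISS/200 POST http://192.0.2.10/upload -",
]

if __name__ == "__main__":
    for n, kind, indicator in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} indicator {indicator}")
```

Host-level matching is deliberate: a proxy that logs `CONNECT malware.example:443` never records the full URL, so matching only the exact URL strings from an indicator list would miss TLS traffic to the same command-and-control host.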
Read the whole analysis on ESET’s news blog, Welivesecurity.com.