In 2016 the Nymaim malware resurfaced and is spreading via an intensive spearphishing campaign that uses malicious Microsoft Word attachments.
Since the original strain of Nymaim was detected back in 2013, its kill chain and evasion techniques have produced over 2.8 million infections. In the first half of 2016, ESET has again observed a marked increase in Nymaim detections.
Principally affecting Poland (54% of detections), Germany (16%) and the United States (12%), the refreshed variant was detected as Win32/TrojanDownloader.Nymaim.BA. It reemerged as a spearphishing campaign complete with a malicious attachment (Word.Doc) containing “trick” macros. The lure relies on social engineering to get the user to circumvent Microsoft Word’s default security settings, and the approach is fairly convincing in English versions of MS Word.
“With its advanced evasion techniques, obfuscation, anti-VM, anti-debugging and control flow capabilities, this two-stage downloader, which used to deliver ransomware as its final payload, has now evolved and is being used to deliver spyware,” says Cassius de Oliveira Puodzius, Security Researcher at ESET Latinoamerica.
In April, the aforementioned version was joined by a hybrid variant of Nymaim and Gozi, which targets financial institutions in North America and is also spreading to Latin America, principally Brazil. This variant provides attackers with remote control over compromised computers instead of the usual file encryption or lockout.
Due to the similarities between targets found in countries with high and low detection rates, we can be relatively confident that financial institutions remain at the center of this campaign.
“Full documentation of this threat is still underway. However, if you suspect that your computer or network has been compromised, we recommend you check that the IPs and URLs shared in the full article are not found in your firewall and proxy logs. Either way, a prevention strategy for this threat can be put in place by blacklisting the IPs contacted by this malware at the firewall and the URLs at a proxy, so long as your network supports this kind of filtering,” concludes Puodzius.
Read the whole analysis on ESET’s news blog, Welivesecurity.com.