The Nymaim payload dropper, which has been used to infect victims with a range of other malware, has been updated by its developers with new features. Learn all about them below.
Nymaim Gets an Update
Nymaim is one of the most widely used payload droppers and has been active since 2013. It appears in a variety of campaigns that rely on it to deliver ransomware and Trojans to compromised machines. This year security analysts reported a 63% increase in infections compared to last year, which indicates that the dropper remains popular among computer criminals. The creators of Nymaim also combined its code with that of another malware family, Gozi, to build the hybrid banking Trojan GozNym.
The Nymaim dropper has replaced some of the drive-by download mechanisms used in earlier attack campaigns with malicious macro-laden Microsoft Word documents, numerous samples of which have been found in circulation.
The observed attacks appear to target high-level managers of companies and corporations. The phishing messages were built from harvested information and were of high-quality design: they included the recipient's full name and office address.
If the victims fell for the scam, they would open the attached file. The document posed as a "protected" file that needed to be "unlocked" by enabling the malicious macro. Both the payload loader and the malware itself are carefully obfuscated to hinder detection and analysis by security vendors and researchers.
New additions to Nymaim include the use of PowerShell code to download a first-stage payload. Before the download is initiated, the macro queries MaxMind's GeoIP service and inspects the response for organization and network strings that could indicate a security vendor or an analysis environment.
The response from MaxMind's servers gives the location, IP address, organization name and other details about the network the request came from.
The macro checks whether any of the following strings appear in the result:
Amazon, Anonymous, Bitdefender, blackoakcomputers, Blue Coat Systems, Cisco Systems, Cloud, Data Center, Dedicated, ESET, SPOL, Russia, FireEye, Forcepoint, Hetzner, Hosted, Hosting, LeaseWeb, Microsoft, NForce, North America, OVH SAS, Security, Server, Strong Technologies
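The evasion logic this list implies is simple enough to re-implement for analysis. The following is an added example, not Nymaim's own macro code: the real request format and matching rules are not given on the page, so the JSON layout (modelled on MaxMind's GeoIP2 web-service responses) and the case-insensitive substring match are assumptions, and the three responses are constructed samples. Running it shows why a sandbox on a hosting provider, or anywhere in North America, fails the check while a European residential connection passes.

```python
"""GeoIP-based sandbox check, re-implemented for offline analysis.

Added example code, not Nymaim's. Assumptions: the response is GeoIP2-style
JSON, and the match is a case-insensitive substring test over every string
value in the response. Sample responses below are constructed, not captured.
"""
import json

# Strings the page reports the macro looks for in the GeoIP response.
BLOCKLIST = [
    "Amazon", "Anonymous", "Bitdefender", "blackoakcomputers",
    "Blue Coat Systems", "Cisco Systems", "Cloud", "Data Center", "Dedicated",
    "ESET", "SPOL", "Russia", "FireEye", "Forcepoint", "Hetzner", "Hosted",
    "Hosting", "LeaseWeb", "Microsoft", "NForce", "North America", "OVH SAS",
    "Security", "Server", "Strong Technologies",
]


def flatten_strings(value):
    """Yield every string value found anywhere in a parsed JSON document."""
    if isinstance(value, dict):
        for v in value.values():
            yield from flatten_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from flatten_strings(v)
    elif isinstance(value, str):
        yield value


def matched_terms(geoip_json: str) -> list:
    """Return the blocklist terms that occur (case-insensitively) in the response,
    in blocklist order, so an analyst can see exactly what tripped the check."""
    text = " ".join(flatten_strings(json.loads(geoip_json))).lower()
    return [term for term in BLOCKLIST if term.lower() in text]


def looks_like_analysis_box(geoip_json: str) -> bool:
    """True if the macro would abort instead of fetching the payload."""
    return bool(matched_terms(geoip_json))


# Constructed sample responses (documentation IP ranges, not real lookups).
SAMPLE_HOSTING = json.dumps({
    "continent": {"names": {"en": "Europe"}},
    "country": {"names": {"en": "Germany"}},
    "traits": {"ip_address": "203.0.113.5",
               "isp": "Hetzner Online GmbH",
               "organization": "Hetzner Online GmbH"},
})
SAMPLE_HOME_EU = json.dumps({
    "continent": {"names": {"en": "Europe"}},
    "country": {"names": {"en": "Italy"}},
    "traits": {"ip_address": "198.51.100.77",
               "isp": "Telecom Italia",
               "organization": "Telecom Italia"},
})
SAMPLE_HOME_US = json.dumps({
    "continent": {"names": {"en": "North America"}},
    "country": {"names": {"en": "United States"}},
    "traits": {"ip_address": "192.0.2.10",
               "isp": "Comcast Cable",
               "organization": "Comcast Cable"},
})

if __name__ == "__main__":
    for name, sample in [("hosting", SAMPLE_HOSTING),
                         ("home-eu", SAMPLE_HOME_EU),
                         ("home-us", SAMPLE_HOME_US)]:
        print(f"{name:8s} abort={looks_like_analysis_box(sample)} "
              f"matched={matched_terms(sample)}")
```

The practical consequence for defenders: a detonation sandbox whose egress IP resolves to a hosting provider, a security vendor, or any "North America" continent record will never see the second stage. Routing sandbox traffic through a residential-looking exit outside those terms, or stubbing the GeoIP lookup at the proxy, is what makes the download observable.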
This matters because it shows that the malware authors update their code constantly to evade antivirus products and analysis sandboxes. More and more malware is built to stay undetected and, unfortunately, is contained only after significant damage has already been done to victims.
What users can do to prevent infections is to follow good security practices: do not download software from untrusted sources, P2P networks or other places where malware is commonly found, do not open documents from people you do not know, and do not enable macros in a document just because it asks you to.
Nymaim’s Update Reveals More Capabilities
The Nymaim malware includes a module that compares the MAC address of the infected host against a list of blacklisted vendor prefixes, a common way of spotting virtual machines. Further checks cover an expiration date, hashed usernames and various filenames. The malware also computes a hash of every environment variable that is set and compares each hash against a built-in list, so the strings it is looking for never appear in the binary in plain text.
Nymaim obtains the MAC address through the UuidCreateSequential API, which generates a version-1 universally unique identifier (UUID) from the current time and the MAC address of a network adapter; the address can then be read back out of the UUID's node field.
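Both checks in this section can be reproduced with a few lines, which is useful when deciding whether an analysis VM will pass them. The following is an added example, not Nymaim's code: it reads the node field of any version-1 UUID instead of calling UuidCreateSequential directly (so it runs on any platform), the virtualization OUI list is a set of well-known vendor prefixes and not the list Nymaim ships, and SHA-256 stands in for Nymaim's unspecified hash in the hashed-blocklist part. The UUIDs used in the comments are constructed.

```python
"""MAC-via-UUID vendor check and hashed-string blocklist, as added examples.

Not Nymaim's code. Assumptions: the vendor prefixes below are public
virtualization OUIs (not Nymaim's list); SHA-256 stands in for the
unspecified hash the malware applies to usernames and environment variables.
"""
import hashlib
import uuid

# Well-known virtualization vendor OUIs (first three octets of the MAC).
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox (Oracle)",
    "00:15:5d": "Hyper-V (Microsoft)",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
    "52:54:00": "QEMU/KVM",
}


def node_from_uuid(u: uuid.UUID):
    """Return the 48-bit node field of a version-1 UUID as a colon-separated
    MAC string, or None when the UUID is not version 1 or the node is not a
    MAC at all. RFC 4122 says that when no MAC is available the node is random
    and its multicast bit (LSB of the first octet) is set, so a real MAC always
    has that bit clear; UuidCreateSequential behaves the same way on Windows."""
    if u.version != 1:
        return None
    node = u.node
    first_octet = (node >> 40) & 0xFF
    if first_octet & 0x01:
        return None
    return ":".join(f"{(node >> shift) & 0xFF:02x}"
                    for shift in range(40, -1, -8))


def vm_vendor(mac):
    """Map a MAC to a virtualization vendor name, or None for unknown/physical."""
    if mac is None:
        return None
    return VM_OUIS.get(mac[:8].lower())


def host_looks_virtual() -> bool:
    """Live check: uuid.uuid1() takes the node from the host MAC (or a random
    multicast node), mirroring what Nymaim gets from UuidCreateSequential."""
    return vm_vendor(node_from_uuid(uuid.uuid1())) is not None


def hashed_blocklist(names):
    """Build a blocklist of digests so the plain strings never sit in the binary.
    Lower-casing first makes the comparison case-insensitive."""
    return {hashlib.sha256(n.lower().encode()).hexdigest() for n in names}


def in_hashed_blocklist(value: str, blocklist) -> bool:
    """Hash a live value (username, environment variable) and look it up."""
    return hashlib.sha256(value.lower().encode()).hexdigest() in blocklist


if __name__ == "__main__":
    # Constructed v1 UUID whose node is a VMware MAC (00:0c:29:ab:cd:ef).
    vmware = uuid.UUID("2f1c4a10-5a3d-11e6-8b77-000c29abcdef")
    print(node_from_uuid(vmware), "->", vm_vendor(node_from_uuid(vmware)))
    # Constructed v1 UUID with a random (multicast-bit set) node: no MAC.
    random_node = uuid.UUID("2f1c4a10-5a3d-11e6-8b77-3b6a12c4d5e6")
    print(node_from_uuid(random_node))
    print("this host looks virtual:", host_looks_virtual())
    names = hashed_blocklist(["sandbox", "malware", "virus", "analyst"])
    print("SANDBOX blocked:", in_hashed_blocklist("SANDBOX", names))
```

When hardening an analysis VM against this check, the only thing that matters to the first test is the OUI of the adapter that UuidCreateSequential happens to pick, so assigning the VM a MAC with a prefix that is not a hypervisor OUI defeats it. The hashed lists cannot be read off the sample directly; an analyst recovers them by hashing candidate usernames and variable names and comparing against the embedded digests.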
If you suspect that you are infected by a malware threat, use a trusted anti-malware tool that can remove ransomware, Trojans and other types of malicious software.