Nymaim continues to evolve in its attempts to elude anti-virus software. The stubborn program is a malware dropper, first cited in 2013. Since then, the parasite has been modified a number of times to escape the watchful eye of security programs.
The analytics department at Verint reported about a new variant they have discovered. The research team obtained a sample of the malware through a macro, attached to a compromised Word document. This version of Nymaim accounts for a change in trends.
The code string has been modified for two key reasons. Improving the obfuscation technique is the perennial goal of renegade developers. The latest version of Nymaim is distributed through a different vector. The hackers have moved on from the drive-by-download method which was predominant for the original version of the malware. The new pattern for spreading Nymaim is phishing. Verint have published their analytics report to shed some light on the propagation vectors of the malware.
The other modification is to eliminate the blacklisted strings from the program’s code scheme. The purpose of this operation is to make the malware unrecognizable for security software. Evaluating the modified code string, the researchers came to the conclusion that avoiding identification by security programs is part of the new concept. Their analysis revealed that Nymaim has adopted “new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of ‘anti-security solution/analysis’ blacklisting”.
The malware performs a blacklist check to evaluate the victim’s Internet connection and his security software. The process is initiated shortly after the first stage of the payload launches. Nymaim uses a Maxmind query to reveal the properties of the Internet connection. The query results allow the rogue program to check the targeted system for an anti-virus utility. The malware will identify the AV tool and test its abilities. If it discovers a match to the blacklist string, it will terminate the payload without trying to download the next stage.
The latest modification on Nymaim marks a resurgence in the raids, as Verint have revealed in their statistics reports. According to the security company’s research, the rate of the malware’s attacks has climbed by 63% from last year.
