The Nymaim malware family was popular in 2013, though it has recently appeared again on the threat horizon. According to the ESET researchers, the malware marked a 63% increase in its attacks compared to the past year.
In general, the number of detections in the first half of this year is as high as all of the previous one, which makes it crystal clear that Nymaim has made an impressive comeback. The ESET experts claim that this year Poland was hit the most by Nymaim (54% of detections), followed by Germany (16%) and USA (12%).
The previous version of Nymaim relied on drive-by-downloads for infection, while the new Nymaim variant is being distributed via spear-phishing email campaigns. These emails include a Microsoft Word .DOC file as an attachment, which contains a malicious macro and relies on social engineering to trick users into enabling it. When opened, the document shows scrambled text and users are prompted to “Enable Content to run in compatibility mode,” researchers say.
The message is formatted rather similarly to the warning bar of the recent Microsoft Word versions, which usually informs users that macros have been disabled in the opened document. The malicious macro is detected as VBA/TrojanDownloader.Agent.BCX and it downloads the Nymaim payload, saving it to a new executable file in the temporary folder (%temp%). After that, it executes it. According to the security experts, the malware uses a two-stage downloader which is associated with file-encoding ransomware as the final payload.
Most probably, the analyzed sample was created on May 17, 2016, while the malicious document is dated May 18. Due to the fact that the variant family was first detected in October 2015, the researchers think that hackers decided to repackage Nymaim into a new sample for this specific infection campaign.
In addition, the ESET team reports that highly targeted Nymaim attacks were observed in Brazil, aimed at financial institutions, although the country accounts for only 0.07% of incidents involving this sample, placing it 11th in the list. When the overall detection statistics for Nymaim variants since 2015 are considered, Brazil takes place 39.
“A prevention strategy for this threat can be put in place by blacklisting the IPs contacted by this malware at the firewall and the URLs at a proxy, so long as your network supports this kind of filtering. Furthermore, it is important to make use of antimalware protection on your endpoints, along with anti-phishing and web control capabilities, and of course to keep it all up-to-date,” the experts from ESET state.
In April 2016, the IBM Security researchers found a hybrid Trojan which was a combination between the Nymaim dropper and the Gozi financial malware. The trojan was called GozNym and it was targeting European users in April, but last month it switched to major banks in USA.
