Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Nymaim Malware Attacks on the Rise Globally

Nymaim, a malware family that was prevalent in 2013, has reemerged strong on the threat landscape, marking a 63% increase in attacks compared to last year, ESET researchers warn.

Nymaim, a malware family that was prevalent in 2013, has reemerged strong on the threat landscape, marking a 63% increase in attacks compared to last year, ESET researchers warn.

Overall, the number of detections in the first half of 2016 is as high as all of 2015, clearly showing that the threat has made a comeback. According to ESET, Poland was hit the most by Nymaim this year (54% of detections), followed by Germany (16%) and the United States (12%).

Unlike the previous version, which relied on drive-by-downloads for infection, the new Nymaim variant is being distributed via spear-phishing email campaigns. These emails carry a Microsoft Word .DOC file as an attachment, which contains a malicious macro and relies on social engineering to trick users into enabling it.

The document shows scrambled text and users are prompted to “Enable Content to run in compatibility mode,” researchers explain. The message is formatted very similarly to the warning bar of recent Microsoft Word versions, which usually informs users that macros have been disabled in the opened document.

The malicious macro, detected as VBA/TrojanDownloader.Agent.BCX, downloads the Nymaim payload and saves it to a new executable file in the temporary folder (%temp%), then executes it. Researchers explain that the malware uses a two-stage downloader usually associated with file-encoding ransomware as the final payload.

The analyzed sample was supposedly created on May 17, 2016, while the malicious document is dated May 18. Because the variant family was first detected in October 2015, researchers suggest that attackers decided to repackage Nymaim into a new sample for this specific infection campaign.

Moreover, ESET reveals that highly targeted Nymaim attacks were observed in Brazil, aimed at financial institutions, although the country accounts for only 0.07% of incidents involving this sample, placing it 11th in the list. When the overall detection statistics for Nymaim variants since 2015 are considered, Brazil is in 39th place.

“A prevention strategy for this threat can be put in place by blacklisting the IPs contacted by this malware at the firewall and the URLs at a proxy, so long as your network supports this kind of filtering. Furthermore, it is important to make use of antimalware protection on your endpoints, along with anti-phishing and web control capabilities, and of course to keep it all up-to-date,” ESET researchers conclude.

In April this year, researchers at IBM Security discovered a hybrid Trojan that was a combination between the Nymaim dropper and the Gozi financial malware. Dubbed GozNym, the malware was seen targeting users in Europe at the end of April, but switched to targeting major banks in the United States last month.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.