SecurityWeek

Vulnerabilities

Nymaim Starts Using PowerShell to Download Payload

A recently discovered variant of the Nymaim dropper brings several new features and capabilities, including new obfuscation and delivery methods, the use of PowerShell, and what researchers call an interesting anti-analysis and anti-detection mechanism.

Nymaim has been around since 2013 and has mainly been used as a dropper for other threats, including file-encrypting ransomware and banking Trojans. The malware attracted little attention after 2013 until this year, when ESET reported a 63 percent increase in infections compared to 2015. Nymaim’s authors also recompiled the malware with code taken from Gozi ISFB and created a hybrid banking Trojan dubbed GozNym.

ESET reported in July that Nymaim had replaced drive-by downloads as its delivery mechanism with spear-phishing emails carrying macro-enabled Word documents. Verint’s Cyber Research team also noticed this change, but the company says a new variant it has analyzed includes several other significant changes as well.

The attacks observed by Verint appeared to target high-level managers. In one of the emails seen by the company, the malicious message purported to come from a corporate financing manager and was sent to a VP of human resources. The message was well designed and included both the recipient’s full name and office address.

When victims open the attached file, they are presented with a “protected” document and instructed to enable content, which leads to the macro code being executed. Experts said strings and macro methods were obfuscated to hinder analysis.

One new feature spotted in Nymaim involves the use of PowerShell to download a first-stage payload. However, before the payload is downloaded, the macro code queries MaxMind’s GeoIP service. The response to this query is checked for strings that could indicate the presence of security or analysis tools.

McAfee recently published a blog post detailing how macro malware has been abusing MaxMind to avoid detection by security products.

In the case of Nymaim, if the MaxMind query response includes a string of interest, such as “data center,” “cloud” or the names of security vendors, the first-stage payload is not downloaded.
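The behaviour described above leaves a distinctive chain in endpoint telemetry: an Office process makes an outbound request to a GeoIP service, and shortly afterwards that same process spawns PowerShell, which fetches the first-stage payload. The following is an added detection example written for this article; it is not code from Verint, ESET, McAfee or SecurityWeek. It runs over constructed process-start and HTTP-request events (JSON lines), and the field names, the GeoIP hostnames, the 20-second window and the sample payload host are assumptions chosen for illustration.

```python
"""Flag the Office-macro -> GeoIP lookup -> PowerShell download chain in endpoint telemetry.

Added example (not from the original research). Input is one JSON object per
line, sorted by time, with two event types: "process_start" and "http_request".
All field names, hostnames and thresholds below are assumptions.
"""
import json
from datetime import datetime, timedelta

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed list of IP-geolocation services seen abused for sandbox/vendor checks.
GEOIP_DOMAINS = {"geoip.maxmind.com", "ip-api.com", "ipinfo.io"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumed: how long after the GeoIP lookup a spawned script host is still linked to it.
WINDOW = timedelta(seconds=20)

# Constructed telemetry. Host names, PIDs and URLs are made up; the payload host
# uses the reserved .invalid TLD so it can never resolve.
SAMPLE_TELEMETRY = """
{"ts": "2016-10-07T09:12:01", "host": "HR-VP-LAPTOP", "event": "process_start", "pid": 4120, "ppid": 880, "image": "winword.exe", "cmdline": "winword.exe invoice.doc"}
{"ts": "2016-10-07T09:12:09", "host": "HR-VP-LAPTOP", "event": "http_request", "pid": 4120, "dest": "geoip.maxmind.com", "url": "https://geoip.maxmind.com/geoip/v2.1/city/me"}
{"ts": "2016-10-07T09:12:11", "host": "HR-VP-LAPTOP", "event": "process_start", "pid": 4188, "ppid": 4120, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -nop -c <download-cradle-placeholder>"}
{"ts": "2016-10-07T09:12:13", "host": "HR-VP-LAPTOP", "event": "http_request", "pid": 4188, "dest": "example-payload.invalid", "url": "http://example-payload.invalid/stage1.bin"}
{"ts": "2016-10-07T09:30:00", "host": "DEV-BOX", "event": "process_start", "pid": 2001, "ppid": 700, "image": "chrome.exe", "cmdline": "chrome.exe"}
{"ts": "2016-10-07T09:30:02", "host": "DEV-BOX", "event": "http_request", "pid": 2001, "dest": "ipinfo.io", "url": "https://ipinfo.io/json"}
{"ts": "2016-10-07T10:01:00", "host": "FIN-PC", "event": "process_start", "pid": 3300, "ppid": 900, "image": "excel.exe", "cmdline": "excel.exe budget.xlsm"}
{"ts": "2016-10-07T10:01:30", "host": "FIN-PC", "event": "process_start", "pid": 3350, "ppid": 3300, "image": "powershell.exe", "cmdline": "powershell.exe -file report.ps1"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_geoip_evasion_chain(events):
    """Return one alert per script host spawned by an Office process that had
    just queried a GeoIP service. Severity is raised to "high" once that
    script host makes its own outbound request (the payload download)."""
    alerts = []
    procs = {}     # (host, pid) -> process_start event, for parent lookups
    lookups = {}   # (host, pid) of an Office process -> time of its GeoIP lookup
    suspects = {}  # (host, pid) of a flagged script host -> its alert dict
    for ev in events:
        key = (ev["host"], ev["pid"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "process_start":
            procs[key] = ev
            parent = procs.get((ev["host"], ev["ppid"]))
            if (parent is not None
                    and ev["image"].lower() in SCRIPT_HOSTS
                    and parent["image"].lower() in OFFICE_PROCESSES):
                lookup_ts = lookups.get((ev["host"], ev["ppid"]))
                # Office spawning PowerShell alone is noisy (FIN-PC below); the
                # preceding GeoIP lookup is what makes this chain specific.
                if lookup_ts is not None and ts - lookup_ts <= WINDOW:
                    alert = {
                        "host": ev["host"],
                        "parent": parent["image"],
                        "child": ev["image"],
                        "child_cmdline": ev["cmdline"],
                        "geoip_lookup": lookup_ts.isoformat(),
                        "downloads": [],
                        "severity": "medium",
                    }
                    suspects[key] = alert
                    alerts.append(alert)
        elif ev["event"] == "http_request":
            proc = procs.get(key)
            if (proc is not None
                    and proc["image"].lower() in OFFICE_PROCESSES
                    and ev["dest"].lower() in GEOIP_DOMAINS):
                lookups[key] = ts
            if key in suspects:
                suspects[key]["downloads"].append(ev["url"])
                suspects[key]["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for alert in detect_geoip_evasion_chain(parse_events(SAMPLE_TELEMETRY)):
        print(json.dumps(alert, indent=2))
```

On the constructed input only HR-VP-LAPTOP is flagged: the browser on DEV-BOX also queries a GeoIP service but is not an Office process, and the Excel-to-PowerShell spawn on FIN-PC has no preceding lookup, so neither produces an alert. Requiring the lookup and the spawn within a short window is what keeps the rule from firing on every Office document that legitimately runs a script.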

“This is another perfect example of how even relatively widespread threats are employing significantly more advanced methods of attack, distribution and obfuscation that not that long ago, would have been found in only the most advanced and targeted threats,” Verint researchers said in a blog post. “This trend is just getting stronger and means that “advanced” threats will continue to affect a wider range of victims than ever before.”

Related Reading: Magento Malware Hides Stolen Card Data in Image Files

Related Reading: Cisco Cracks GozNym Trojan DGA, Sinkholes Botnet

Related Reading: New Ursnif Variant Shows Developers Are Careless

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
