SecurityWeek

Nymaim Starts Using PowerShell to Download Payload

A recently discovered variant of the Nymaim dropper brings several new features and capabilities, including new obfuscation and delivery methods, the use of PowerShell, and what researchers call an interesting anti-analysis and anti-detection mechanism.


Nymaim has been around since 2013 and has mainly been used as a dropper for other threats, including file-encrypting ransomware and banking Trojans. The malware attracted little attention after 2013 until this year, when ESET reported a 63 percent increase in infections compared to 2015. Nymaim’s authors also recompiled the malware with code taken from Gozi ISFB, producing a hybrid banking Trojan dubbed GozNym.

ESET reported in July that Nymaim had replaced drive-by downloads with spear-phishing emails carrying macro-enabled Word documents as its delivery mechanism. Verint’s Cyber Research team also noticed this change, but the company says the new variant it analyzed includes several other significant changes as well.

The attacks observed by Verint appeared to target high-level managers. One email seen by the company purported to come from a corporate financing manager and was sent to a VP of human resources. The message was well crafted and included both the recipient’s full name and office address.

When victims open the attached file, they are presented with a “protected” document and instructed to enable content, which causes the embedded macro code to run. Researchers said the strings and macro methods were obfuscated to hinder analysis.

One new feature spotted in Nymaim is the use of PowerShell to download the first-stage payload. Before the download is attempted, however, the macro code queries MaxMind’s GeoIP service about the victim’s own IP address. The response is then searched for strings that could indicate the machine sits in a hosting or security-vendor environment rather than on an end user’s network, which is a cheap way of detecting sandboxes and analysis systems without touching the local machine.

McAfee recently published a blog post detailing how Macro malware has been abusing MaxMind to avoid detection by security products.

In the case of Nymaim, if the MaxMind response contains a string of interest, such as “data center,” “cloud” or the name of a security vendor, the first-stage payload is not downloaded and the infection chain stops before any second-stage code reaches the host. The practical consequence for analysts is that a sandbox whose egress IP is registered to a cloud provider or security company will see the macro run but never observe the payload.
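The following is an added example, not Verint’s analysis code or anything recovered from the Nymaim macro. It models the two sides of the GeoIP gate described above: first, the malware-side decision logic that suppresses the download when a GeoIP response mentions a data center, cloud provider or security vendor; second, a defender-side check over endpoint/proxy logs that flags an Office process performing a GeoIP lookup and then spawning PowerShell. The JSON field names, the log line format, the hostname in GEOIP_HOSTS and the vendor names in the marker list are all constructed for the example and are not taken from the article.

```python
"""Added example: GeoIP-based sandbox gate (malware side) and a matching
detection (defender side). Not the malware's or the researchers' code."""
import json

# Strings the article says the macro looks for in the GeoIP response.
# The vendor names are illustrative stand-ins, not the malware's real list.
SUSPICIOUS_MARKERS = ("data center", "datacenter", "cloud", "hosting",
                      "security", "antivirus", "eset", "mcafee")


def looks_like_analysis_host(geoip_json: str) -> bool:
    """Mimic the gate: True if any marker appears anywhere in the response.
    The dropper skips the PowerShell download when this returns True."""
    # Flatten the parsed JSON back to text and search it case-insensitively,
    # which is what a plain string match in a VBA macro amounts to.
    blob = json.dumps(json.loads(geoip_json)).lower()
    return any(marker in blob for marker in SUSPICIOUS_MARKERS)


# Constructed responses in the rough shape of an ISP/organization lookup.
HOME_USER = json.dumps({"ip": "203.0.113.10", "isp": "Example Broadband",
                        "org": "Example Broadband", "user_type": "residential"})
SANDBOX = json.dumps({"ip": "198.51.100.7", "isp": "Example Cloud Hosting",
                      "org": "Example Security Labs", "user_type": "data center"})

# ---- Defender side -------------------------------------------------------

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Hostname used by the example only; the article does not name the endpoint.
GEOIP_HOSTS = {"geoip.maxmind.com"}

# Constructed log lines (space-separated key=value after a timestamp).
SAMPLE_LOG = """\
2016-09-20T10:01:02Z host=WS01 image=winword.exe parent=explorer.exe dst=geoip.maxmind.com method=GET
2016-09-20T10:01:05Z host=WS01 image=powershell.exe parent=winword.exe dst=203.0.113.55 method=GET
2016-09-20T10:02:11Z host=WS02 image=chrome.exe parent=explorer.exe dst=geoip.maxmind.com method=GET
2016-09-20T10:03:00Z host=WS03 image=powershell.exe parent=cmd.exe dst=internal.corp method=GET
"""


def parse_line(line: str) -> dict:
    """Split 'ts key=value key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def detect(log_text: str) -> list:
    """Return (host, reason) pairs for events matching the Nymaim pattern:
    an Office process talking to a GeoIP service, or PowerShell whose
    parent is an Office application."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        image = ev["image"].lower()
        parent = ev["parent"].lower()
        dst = ev["dst"].lower()
        if image in OFFICE_APPS and dst in GEOIP_HOSTS:
            findings.append((ev["host"], "office-geoip-lookup"))
        if image == "powershell.exe" and parent in OFFICE_APPS:
            findings.append((ev["host"], "office-spawned-powershell"))
    return findings


if __name__ == "__main__":
    print("home user gated:", looks_like_analysis_host(HOME_USER))
    print("sandbox gated:  ", looks_like_analysis_host(SANDBOX))
    for host, reason in detect(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Note that the malware-side check is deliberately crude: a single substring such as “cloud” anywhere in the ISP or organization name is enough to abort, so a home user on a provider whose name happens to contain one of the markers would also be spared. For the defender, the useful signal is not the GeoIP lookup alone (browsers and legitimate tools do that too, as the WS02 line shows) but an Office process making it, and especially an Office process then launching PowerShell; a sandbox that wants to see the payload needs an egress IP whose registration data does not trip the marker list.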


“This is another perfect example of how even relatively widespread threats are employing significantly more advanced methods of attack, distribution and obfuscation that not that long ago, would have been found in only the most advanced and targeted threats,” Verint researchers said in a blog post. “This trend is just getting stronger and means that “advanced” threats will continue to affect a wider range of victims than ever before.”


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
