Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Nymaim Trojan Fingerprints MAC Addresses to Bypass Virtualization

The Nymaim Trojan is now fingerprinting MAC addresses to see if it is running in a virtualized environment, SophosLabs security researchers warn.

The Nymaim Trojan is now fingerprinting MAC addresses to see if it is running in a virtualized environment, SophosLabs security researchers warn.

The Trojan, often used to download additional malware onto compromised machines and recently associated with several ransomware campaigns, is comparing the targeted machine’s MAC address against a hardcoded list, which allows it to avoid virtual environments and thwart analysis tools.

This approach, SophosLabs researcher Sandor Nemes explains, results in Nymaim losing some targets, but also means that it escapes the automated antivirus sandboxes, which can buy an attacker precious time. The new behavior was observed in the samples used in a campaign targeting mostly German-speaking users.

Initially spotted in 2013, Nymaim is a downloader that was recently combined with the Gozi banking Trojan to spawn a brand new malware family called GozNym. The original malware, however, continues to be used as the delivery platform for various other threats, the security researchers have discovered.

The newly observed samples have a hardcoded expiration date, after which the threat stops working properly. Tricking it into running, the sample displays a message box with the text ‘Cannot view a PDF in a web browser’, then loads a DirectDraw graphics library and unsuccessfully try to load a non-existing DLL, but all these were found to be misdirection tactics.

The malware was found to include a list of checks and to continue running even after the checks fail, so as to make its failure less obvious. In addition to checking the MAC address against a list of blacklisted vendors, the malware verifies the current date against the hardcoded expiration date, as well as the hash of the username against a list of blacklisted username hashes, and also checks the hash of the sample filename against a list of blacklisted filename hashes.

What’s more, the malware was observed computing a hash value for every environment variable set and to check it against a hardcoded one. If it finds a match, the Trojan skips the rest of the checks and the researchers presume that this was intended to enable the author to perform fast debugging.

Nymaim was also observed computing a hash value for every filename in the C:Windows directory to see if any of them matches the list of blacklisted filename hashes, verifying the hash of the computer against a blacklist of hashes, and querying the system BIOS version and video BIOS version from Windows registry and checks if it contains “VBOX” or “VirtualBox.”

The malware uses a custom hash algorithm instead of the actual strings, which takes less space and makes the hash less visible in the file than a string would be. Moreover, it also makes analysis more difficult, as researchers would need to brute-force the hash values to understand what they are looking for.

To extract the MAC address, Nymaim calls the UuidCreateSequential API, which generates a universally unique identifier (UUID) using the current time and the MAC address of the network card. With the first three bytes of the MAC address known as the OUI (organizationally unique identifier) and used to identify the vendor of the network card, the malware can check this value against a list to determine whether it runs in a virtualized infrastructure.

Nymaim was also seen using executables that feature a .com extension, which is an executable file format that has been around ever since MS-DOS. Although the malware has nothing to do with the MS-DOS COM format, the extension is used in an attempt to evade anti-malware tools that rely on the file extension to determine the file. Windows was designed to run the .com files when the user launches them, even if they are newer Windows executables.

Related: Nymaim Malware Attacks on the Rise Globally

Related: GozNym Trojan Targets Major US Banks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.