
Nymaim Trojan Fingerprints MAC Addresses to Bypass Virtualization

The Nymaim Trojan is now fingerprinting MAC addresses to see if it is running in a virtualized environment, SophosLabs security researchers warn.

The Trojan, often used to download additional malware onto compromised machines and recently associated with several ransomware campaigns, is comparing the targeted machine’s MAC address against a hardcoded list, which allows it to avoid virtual environments and thwart analysis tools.

This approach, SophosLabs researcher Sandor Nemes explains, results in Nymaim losing some targets, but also means that it escapes the automated antivirus sandboxes, which can buy an attacker precious time. The new behavior was observed in the samples used in a campaign targeting mostly German-speaking users.

Initially spotted in 2013, Nymaim is a downloader that was recently combined with the Gozi banking Trojan to spawn a brand new malware family called GozNym. The original malware, however, continues to be used as the delivery platform for various other threats, the security researchers have discovered.

The newly observed samples have a hardcoded expiration date, after which the threat stops working properly. When tricked into running, the sample displays a message box with the text ‘Cannot view a PDF in a web browser’, then loads a DirectDraw graphics library and unsuccessfully tries to load a non-existent DLL; all of these were found to be misdirection tactics.

The malware was found to include a list of checks and to continue running even after the checks fail, so as to make its failure less obvious. In addition to checking the MAC address against a list of blacklisted vendors, the malware verifies the current date against the hardcoded expiration date, as well as the hash of the username against a list of blacklisted username hashes, and also checks the hash of the sample filename against a list of blacklisted filename hashes.

What’s more, the malware was observed computing a hash value for every environment variable that is set and checking it against a hardcoded one. If it finds a match, the Trojan skips the rest of the checks; the researchers presume this was intended to let the author debug quickly.

Nymaim was also observed computing a hash value for every filename in the C:\Windows directory to see whether any of them matches the list of blacklisted filename hashes, verifying the hash of the computer name against a blacklist of hashes, and querying the system BIOS version and video BIOS version from the Windows registry to check whether they contain “VBOX” or “VirtualBox.”


The malware stores custom hash values instead of the actual strings, which takes less space and makes the values less visible in the file than a string would be. It also makes analysis more difficult, as researchers need to brute-force the hash values to learn what the malware is looking for.
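The brute-force step analysts face here is a dictionary attack on a hash-based blocklist: take the hashes found in the sample, hash every candidate username or filename from a wordlist with the same algorithm, and see which ones collide. The following is an added illustration of that workflow and is not code from the article or from SophosLabs. Nymaim's actual hash algorithm is not given on this page, so a 32-bit FNV-1a over the lowercased string stands in for it as a labelled placeholder, and the target hashes and candidate wordlist are constructed for the example.

```python
from typing import Dict, Iterable, Set, Tuple

def toy_hash(s: str) -> int:
    """Placeholder for the malware's custom string hash (assumption: 32-bit FNV-1a).

    The input is lowercased on the assumption that the check is case-insensitive,
    as Windows usernames and file names are.
    """
    h = 0x811C9DC5  # FNV-1a 32-bit offset basis
    for byte in s.lower().encode():
        h ^= byte
        h = (h * 0x01000193) & 0xFFFFFFFF  # FNV prime, truncated to 32 bits
    return h

def recover_hashes(targets: Set[int], candidates: Iterable[str]) -> Tuple[Dict[int, str], Set[int]]:
    """Dictionary attack on a hash blocklist.

    Returns (recovered, unresolved): recovered maps each matched hash to the
    candidate string that produced it; unresolved holds the hashes no candidate hit,
    which tells the analyst where a bigger wordlist is still needed.
    """
    recovered: Dict[int, str] = {}
    for name in candidates:
        h = toy_hash(name)
        if h in targets and h not in recovered:
            recovered[h] = name
    unresolved = set(targets) - set(recovered)
    return recovered, unresolved

# Constructed example: a "blocklist" of three hashes pulled from a sample, two of
# which were built from strings we will guess and one that no candidate matches.
SAMPLE_BLOCKLIST = {toy_hash("sandbox"), toy_hash("sample.exe"), 0xDEADBEEF}
SAMPLE_WORDLIST = ["admin", "sandbox", "user", "sample.exe", "report.pdf"]

if __name__ == "__main__":
    found, missing = recover_hashes(SAMPLE_BLOCKLIST, SAMPLE_WORDLIST)
    for h, name in found.items():
        print(f"{h:08x} -> {name}")
    for h in missing:
        print(f"{h:08x} -> (no candidate matched)")
```

In practice the wordlist is the interesting part: hostnames and usernames of the analysis VMs in use, sandbox agent filenames and common analysis tool names. A hash that stays unresolved after a large wordlist is a hint that the author targeted something more specific.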

To extract the MAC address, Nymaim calls the UuidCreateSequential API, which generates a universally unique identifier (UUID) from the current time and the MAC address of the network card. The first three bytes of the MAC address are the OUI (organizationally unique identifier), which identifies the vendor of the network card, so the malware can check this value against a list to determine whether it is running in a virtualized environment.
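Sandbox operators can run the same derivation against their own VMs to see whether the adapter's vendor prefix would give the environment away. The block below is an added example, not code from the article or from SophosLabs: it parses a version-1 (time-based) UUID, the kind UuidCreateSequential produces, takes the 48-bit node field, and maps its OUI to a vendor. The vendor table lists publicly registered OUIs for common hypervisors and is my own assumption about which prefixes matter; Nymaim's actual list is not on this page. The UUID strings are constructed test values.

```python
import uuid
from typing import Optional, Dict

# Publicly registered OUIs of common hypervisors (assumption: this is the set a
# sandbox operator would want to spot; it is not the malware's own list).
VIRTUALIZATION_OUIS: Dict[str, str] = {
    "00:05:69": "VMware",
    "00:0C:29": "VMware",
    "00:1C:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5D": "Microsoft Hyper-V",
    "52:54:00": "QEMU/KVM",
}

def node_from_uuid(u: str) -> bytes:
    """Return the 48-bit node field of a version-1 UUID as 6 bytes.

    For a time-based UUID generated with a real adapter this is the MAC address.
    Any other UUID version carries no MAC, so it is rejected.
    """
    parsed = uuid.UUID(u)
    if parsed.version != 1:
        raise ValueError(f"not a time-based (version 1) UUID: version={parsed.version}")
    return parsed.node.to_bytes(6, "big")

def classify_node(node: bytes) -> dict:
    """Split the node into its OUI and decide whether it is a usable hardware address."""
    oui = ":".join(f"{b:02X}" for b in node[:3])
    # RFC 4122 section 4.5: a generator with no hardware address uses a random node
    # and sets the multicast bit (least-significant bit of the first octet), so such
    # a node is not a MAC at all and must not be looked up as one.
    random_node = bool(node[0] & 0x01)
    vendor: Optional[str] = None if random_node else VIRTUALIZATION_OUIS.get(oui)
    return {"oui": oui, "random_node": random_node, "vendor": vendor}

def fingerprint(u: str) -> dict:
    """Full pipeline: UUID string -> node -> OUI -> hypervisor vendor (or None)."""
    return classify_node(node_from_uuid(u))

# Constructed sample UUIDs (version nibble is the first hex digit of the third group).
VBOX_UUID = "6ba7b810-9dad-11d1-80b4-080027123456"      # node OUI 08:00:27
PHYSICAL_UUID = "6ba7b810-9dad-11d1-80b4-3c970e123456"  # OUI not in the table
NO_NIC_UUID = "6ba7b810-9dad-11d1-80b4-0b0027123456"    # multicast bit set: random node

if __name__ == "__main__":
    for label, u in [("virtualbox", VBOX_UUID), ("physical", PHYSICAL_UUID), ("no-nic", NO_NIC_UUID)]:
        print(label, fingerprint(u))
```

Two details matter for anyone hardening an analysis VM: only version-1 UUIDs carry a node field worth inspecting, and a node with the multicast bit set came from a random generator rather than a NIC, which is itself a signal that the host had no usable adapter.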

Nymaim was also seen using executables with a .com extension, an executable file format that has been around since MS-DOS. Although the malware has nothing to do with the MS-DOS COM format, the extension is used in an attempt to evade anti-malware tools that rely on the file extension to determine the file type. Windows runs .com files when the user launches them, even if they are modern Windows executables.
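The defensive lesson of the .com trick is that file type has to come from content, not from the name. As an added example (not code from the article or from SophosLabs), the block below types a file by its header: a DOS "MZ" stub whose e_lfanew field points at the "PE\0\0" signature is a Windows PE image whatever its extension. The sample buffer is constructed inline from those two headers only and is not a real binary.

```python
import struct

def is_pe_image(data: bytes) -> bool:
    """True if data begins with an MZ DOS header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature; this is how the loader recognises a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing past the end yields an empty string, so an out-of-range e_lfanew is
    # handled without a separate bounds check.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_by_content(filename: str, data: bytes) -> str:
    """Classify by header and flag a mismatch between content and extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_pe_image(data):
        if ext == "exe":
            return "pe-executable"
        return f"pe-executable (extension .{ext} does not match)"
    return "non-pe"

def constructed_pe_stub() -> bytes:
    """Constructed minimal buffer: MZ header, e_lfanew = 0x40, PE signature at 0x40."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)

if __name__ == "__main__":
    print(classify_by_content("invoice.com", constructed_pe_stub()))
    print(classify_by_content("readme.com", b"plain text, not an executable"))
```

A scanner or mail gateway that applies this check treats a PE image named .com, .scr or .pdf the same way it treats one named .exe, which removes the evasion the extension was meant to buy.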

Related: Nymaim Malware Attacks on the Rise Globally

Related: GozNym Trojan Targets Major US Banks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.