
Researchers Uncover Infrastructure Behind Chthonic, Nymaim Trojans

While analyzing malware that uses PowerShell for infection, Palo Alto Networks managed to uncover the infrastructure behind recent attacks that leveraged the Chthonic and Nymaim Trojans, along with other threats.


The analysis started from a single malicious sample, but it ultimately allowed Palo Alto Networks researchers to identify 707 IP addresses and 2,611 domains believed to be used for malicious activity. While some of these resources host malware, others are used in other types of attacks and schemes, the researchers say.

Palo Alto Networks’ Jeff White explains that PowerShell is typically launched from Microsoft Office documents via VBA macros and used to download and execute the actual malware. What prompted this investigation was that the analyzed code was downloading a file from the legitimate Notepad++ website.

After visiting the site, downloading the file directly, and finding nothing unusual, the researcher took a closer look at the VBA code and found multiple functions decoding information from various arrays, as well as code that executed an already-decoded PowerShell command.

By pivoting on variables in the PowerShell command, White eventually found 171 document samples, all fairly recent and all using the same lure themes, and extracted the URLs used to download over two dozen payloads from half as many domains.

One of the discovered binaries, apparently compiled in August, was observed launching a legitimate executable and injecting code into it to “download further payloads through a POST request to various websites.” This behavior is shared across the original samples, and White also matched the observed HTTP requests to patterns already associated with the Chthonic banking Trojan.

Further analysis of the initial 171 documents revealed a set of eight domains, and analysis of the POST and other HTTP requests to them led the researcher to identify over 5,000 observed samples as the Nymaim downloader Trojan.

Most of the samples came from only four sites: ejtmjealr[.]com, gefinsioje[.]com, gesofgamd[.]com, and ponedobla[.]bit (the .bit suffix is a Namecoin blockchain TLD, which is not resolvable through standard DNS). The ejtmjealr[.]com domain, the researcher points out, is clearly associated with ejdqzkd[.]com, a site discussed in a CERT.PL analysis of Nymaim earlier this year.

Looking at the passive resolutions for the discovered domains, the researcher found a total of 707 IP addresses associated with them.

Some of the IPs sat on shared infrastructure, and the researcher used reverse DNS to uncover more sites linked to them, including a “” naming pattern supposedly associated with Nymaim (similar to the “” domains).

This eventually led to the discovery of all the domains associated with the IPs and allowed the researcher to single out two clusters of infrastructure that also interconnect.
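The domain-to-IP-to-domain pivot described above, as an added example that is not part of the original article or of Palo Alto Networks’ research: passive-DNS resolutions expand a seed set of domains to the IPs they resolved to, reverse-DNS lookups on those IPs add further domains, and a union-find pass groups the result into connected clusters of infrastructure. The passive-DNS and reverse-DNS records are constructed for the example (documentation-range IPs and `.example` pivot names); only the four seed domains come from the article, and the resolutions attached to them here are not real.

```python
"""Passive-DNS / reverse-DNS pivoting and infrastructure clustering.

Added example, not code from the article or from Palo Alto Networks.
All resolution data below is constructed; the IPs are from documentation
ranges and the pivot domains are under .example.
"""
from collections import defaultdict


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'ejtmjealr[.]com' into a usable domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def defang(domain: str) -> str:
    """Write a domain so it cannot be clicked or auto-linked in a report."""
    return domain.replace(".", "[.]")


def pivot(seed_domains, passive_dns, reverse_dns, max_depth=2):
    """Expand seeds: domain -> IPs (passive DNS) -> domains (reverse DNS), repeated.

    passive_dns: dict domain -> set of IPs the domain has resolved to
    reverse_dns: dict IP -> set of domains observed pointing at that IP
    Returns (domains, ips, edges); edges is a set of (domain, ip) pairs.
    Only infrastructure reachable from the seeds is returned.
    """
    domains = {refang(d) for d in seed_domains}
    ips, edges = set(), set()
    frontier = set(domains)
    for _ in range(max_depth):
        new_ips = set()
        for d in frontier:
            for ip in passive_dns.get(d, ()):
                edges.add((d, ip))
                if ip not in ips:
                    new_ips.add(ip)
        ips |= new_ips
        new_domains = set()
        for ip in new_ips:
            for d in reverse_dns.get(ip, ()):
                edges.add((d, ip))
                if d not in domains:
                    new_domains.add(d)
        domains |= new_domains
        frontier = new_domains
        if not frontier:
            break
    return domains, ips, edges


def cluster(edges):
    """Group domains and IPs into connected components (union-find over the edges)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for d, ip in edges:
        ra, rb = find(d), find(ip)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for node in parent:
        groups[find(node)].add(node)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def shared_ips(edges):
    """IPs that host two or more of the pivoted domains (the 'shared infrastructure')."""
    hosted = defaultdict(set)
    for d, ip in edges:
        hosted[ip].add(d)
    return {ip: sorted(ds) for ip, ds in hosted.items() if len(ds) >= 2}


# Constructed sample data (not the article's data). Seed names are the four
# domains named in the article; their resolutions here are invented.
SEEDS = ["ejtmjealr[.]com", "gefinsioje[.]com", "gesofgamd[.]com", "ponedobla[.]bit"]
PASSIVE_DNS = {
    "ejtmjealr.com": {"192.0.2.10", "192.0.2.11"},
    "gefinsioje.com": {"192.0.2.11"},
    "gesofgamd.com": {"198.51.100.5"},
    "ponedobla.bit": {"198.51.100.5", "198.51.100.6"},
    "pivot-one.example": {"192.0.2.10", "203.0.113.99"},
    "pivot-two.example": {"198.51.100.5"},
    "hosting-a.example": {"203.0.113.7"},  # unrelated; never reached from the seeds
}
REVERSE_DNS = {
    "192.0.2.10": {"ejtmjealr.com", "pivot-one.example"},
    "192.0.2.11": {"ejtmjealr.com", "gefinsioje.com"},
    "198.51.100.5": {"gesofgamd.com", "ponedobla.bit", "pivot-two.example"},
    "198.51.100.6": {"ponedobla.bit"},
    "203.0.113.99": {"pivot-one.example", "tracker.example"},
    "203.0.113.7": {"hosting-a.example"},
}


def run_example():
    """Pivot from the seeds and return the clusters found (used by the demo below)."""
    domains, ips, edges = pivot(SEEDS, PASSIVE_DNS, REVERSE_DNS)
    return domains, ips, edges, cluster(edges), shared_ips(edges)


if __name__ == "__main__":
    domains, ips, edges, clusters, shared = run_example()
    print(f"{len(domains)} domains, {len(ips)} IPs, {len(edges)} domain->IP edges")
    for i, group in enumerate(clusters, 1):
        print(f"cluster {i}: " + ", ".join(defang(n) if n[0].isalpha() else n for n in group))
    for ip, ds in sorted(shared.items()):
        print(f"shared IP {ip}: " + ", ".join(defang(d) for d in ds))
```

With real data the two dictionaries would be filled from a passive-DNS provider rather than typed in; the clustering logic does not change. The `max_depth` limit matters in practice: shared hosting and CDN addresses pull in thousands of unrelated domains after one or two hops, so each new IP should be checked for that before the pivot continues through it.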

The investigation also revealed that the infrastructure is used to distribute other malware families, such as the Locky ransomware.

The shared infrastructure is also used to host a forum of illegal services, while some clusters of domains are “used by the Hancitor malware dropper to host the initial check-in and tracking.”

The security researchers published the lists of 707 IPs and 2,611 domains uncovered as part of this investigation on GitHub.

“These findings represent a collection of compromised websites, compromised registrar accounts used to spin up subdomains, domains used by malware DGA’s, phishing kits, carding forums, malware C2 sites, and a slew of other domains that revolve around criminal activity,” Palo Alto’s researcher concludes.

Related: RIG Exploit Kit Infrastructure Disrupted

Related: Nymaim Trojan Fingerprints MAC Addresses to Bypass Virtualization

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
