Researchers Uncover Infrastructure Behind Chthonic, Nymaim Trojans

While analyzing malware that uses PowerShell for infection, Palo Alto Networks managed to uncover the infrastructure behind recent attacks that leveraged the Chthonic and Nymaim Trojans, along with other threats.

The analysis kicked off from a single malicious sample, but resulted in the Palo Alto Networks researchers identifying 707 IP addresses and 2,611 domains that appear to be used for malicious activity. While some of these resources host malware, others are leveraged in other types of attacks and schemes, the researchers say.

Palo Alto Networks' Jeff White explains that PowerShell is typically launched from Microsoft Office documents via VBA macros and is used to download and execute the actual malware. What prompted this investigation was that the analyzed code was downloading a file from the legitimate Notepad++ website.

After fetching the file from the site directly and finding nothing out of the ordinary, the researcher took a closer look at the VBA code and found multiple functions decoding data from various arrays, and that the code was executing an already decoded PowerShell command.

By pivoting on variables in the PowerShell command, White eventually found 171 document samples, all fairly recent and all using the same lure themes, and extracted the URLs used to download over two dozen payloads from half as many domains.

One of the discovered binaries, apparently compiled in August, was observed launching a legitimate executable and injecting code into it to “download further payloads through a POST request to various websites.” This behavior is shared across the original samples and White also matched observed HTTP requests to patterns already associated with the Chthonic banking Trojan.

Further analysis of the initial 171 documents revealed a set of 8 domains, and analysis of the POST and HTTP requests sent to them led the researcher to identify over 5,000 observed samples as the Nymaim downloader Trojan.

Most of the samples came from only four sites: ejtmjealr[.]com, gefinsioje[.]com, gesofgamd[.]com, and ponedobla[.]bit. The ejtmjealr[.]com domain, the researcher points out, is clearly associated with ejdqzkd[.]com, a site discussed in a CERT.PL analysis of Nymaim earlier this year.

Looking at the passive resolutions for the discovered domains, the researcher found a total of 707 IP addresses associated with them.

Some of the IPs sat on shared infrastructure, and the researcher used reverse DNS to uncover more sites linked to them, including an "idXXXXX.top" naming pattern associated with Nymaim (similar to the "ejXXXXX.com" domains).

This eventually led to the discovery of all the domains associated with the IPs, and allowed the researcher to single out two clusters of infrastructure that also interconnect.
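The pivot the preceding paragraphs describe (domains to their passive-DNS resolutions, IPs back to every domain seen on them, naming-pattern checks, then grouping into clusters) as an added Python example. This is not code from the Palo Alto Networks report or from SecurityWeek; every domain and IP in it is constructed (RFC 5737 test ranges and reserved TLDs), and the regexes assume the X placeholders in "ejXXXXX.com" and "idXXXXX.top" stand for four or more lowercase letters or digits. It also shows the one failure mode a practitioner hits immediately on real data: a shared-hosting or CDN address that glues unrelated clusters together.

```python
"""Cluster passive-DNS observations into shared-infrastructure groups.

Added example; not code from the Palo Alto Networks report. Every domain and IP
below is constructed (RFC 5737 test ranges, reserved TLDs) and is not a real IOC.
"""
import re
from collections import defaultdict

# Constructed passive-DNS records as (domain, resolved IP). In practice these
# come from a passive-DNS provider; the article's pivot was the same
# domain -> IP -> domain walk, just over real data.
PASSIVE_DNS = [
    ("ejabcde.com", "198.51.100.10"),
    ("ejabcde.com", "198.51.100.11"),
    ("id12345.top", "198.51.100.11"),
    ("gefxyz.com", "198.51.100.10"),
    ("gefxyz.com", "198.51.100.12"),
    ("id67890.top", "198.51.100.12"),
    ("example-shop.net", "203.0.113.5"),
    ("example-blog.org", "203.0.113.5"),
    ("lonely-site.info", "192.0.2.77"),
    # 203.0.113.50 plays a shared-hosting box: one malicious domain, one
    # unrelated site and three throwaway tenants all resolve to it.
    ("id67890.top", "203.0.113.50"),
    ("example-blog.org", "203.0.113.50"),
    ("tenant-a.example", "203.0.113.50"),
    ("tenant-b.example", "203.0.113.50"),
    ("tenant-c.example", "203.0.113.50"),
]

# Naming patterns the article ties to Nymaim ("ejXXXXX.com", "idXXXXX.top").
# Assumption: each X is a lowercase letter or digit, four or more of them.
PATTERNS = {
    "ejXXXXX.com": re.compile(r"^ej[a-z0-9]{4,}\.com$"),
    "idXXXXX.top": re.compile(r"^id[a-z0-9]{4,}\.top$"),
}


class DisjointSet:
    """Union-find over hashable nodes; domains and IPs share one node space."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def domains_per_ip(observations):
    """Invert the records: IP -> set of domains observed resolving to it."""
    idx = defaultdict(set)
    for domain, ip in observations:
        idx[ip].add(domain)
    return idx


def cluster_infrastructure(observations, max_fanout=None):
    """Connected components of the domain/IP graph.

    max_fanout drops every observation on an IP that hosts more than that many
    domains. Without it, one shared-hosting or CDN address merges unrelated
    clusters, the classic passive-DNS pivot false positive. Domains seen only
    on dropped IPs disappear from the output.
    """
    fanout = domains_per_ip(observations)
    kept = [
        (d, ip) for d, ip in observations
        if max_fanout is None or len(fanout[ip]) <= max_fanout
    ]
    ds = DisjointSet()
    for domain, ip in kept:
        ds.union(("domain", domain), ("ip", ip))
    groups = defaultdict(lambda: {"domains": set(), "ips": set()})
    for domain, ip in kept:
        root = ds.find(("domain", domain))
        groups[root]["domains"].add(domain)
        groups[root]["ips"].add(ip)
    clusters = [
        {"domains": sorted(g["domains"]), "ips": sorted(g["ips"])}
        for g in groups.values()
    ]
    return sorted(clusters, key=lambda c: (-len(c["domains"]), c["domains"][0]))


def match_patterns(domains, patterns=PATTERNS):
    """Map each domain that fits one of the naming patterns to the pattern name."""
    return {
        d: name
        for d in domains
        for name, rx in patterns.items()
        if rx.match(d)
    }


if __name__ == "__main__":
    for cap in (None, 3):
        print(f"max_fanout={cap}:")
        for c in cluster_infrastructure(PASSIVE_DNS, max_fanout=cap):
            hits = match_patterns(c["domains"])
            print(f"  {len(c['domains'])} domains / {len(c['ips'])} IPs, "
                  f"pattern hits: {sorted(hits)}")
```

Run uncapped, the shared-hosting IP collapses the Nymaim-style cluster, the two unrelated sites and the three tenants into one 9-domain group; with `max_fanout=3` the hub is ignored and the three real groupings separate cleanly. Note that the article's "reverse DNS" step corresponds here to inverting the passive-DNS index (`domains_per_ip`); an actual PTR lookup returns at most one name per address and would miss most of the hosted domains.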

The investigation also revealed that the same infrastructure is used to distribute other malware families, such as the Locky ransomware.

The shared infrastructure is also used to host a forum of illegal services, while some clusters of domains are “used by the Hancitor malware dropper to host the initial check-in and tracking.”

The security researchers published the lists of 707 IPs and 2,611 domains uncovered as part of this investigation on GitHub.

“These findings represent a collection of compromised websites, compromised registrar accounts used to spin up subdomains, domains used by malware DGAs, phishing kits, carding forums, malware C2 sites, and a slew of other domains that revolve around criminal activity,” Palo Alto’s researcher concludes.

Related: RIG Exploit Kit Infrastructure Disrupted

Related: Nymaim Trojan Fingerprints MAC Addresses to Bypass Virtualization

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
