Nymaim Ransomware-Downloader Spikes Big

Over the course of 2016, the ESET research team has seen the number of Nymaim malware-related infections spike by 63% compared to the first half of 2015. By the end of June 2016, ESET researchers had seen more detections than all of 2015.

So far, Nymaim has resulted in more than 2.8 million infections, according to ESET. Those infections are mostly in Poland (54% of all Nymaim detections this year), Germany (16%) and the US (12%). But Nymaim has now made its way to South America, with attacks targeting financial institutions in Brazil.

“In Brazil we also observed highly targeted Nymaim attacks directed against financial institutions,” researchers said in a blog. “Despite the relatively low number of detections, which is to be expected due to the very specific target selection, Brazil accounts for 0.07% of all detection incidents involving this variant, placing it 11th in the list of countries where this variant was most often detected.”

Nymaim consists of a two-stage downloader, usually associated with file-encrypting ransomware as the final payload. The family's advanced evasion techniques, which combine obfuscation, anti-VM, anti-debugging and control-flow capabilities, are well known, the researchers added. However, unlike its 2013 version, the new Nymaim has evolved and shifted to spearphishing campaigns. The emails carry a malicious Microsoft Word document as an attachment, which uses a macro to do its dirty work.

Because default Microsoft Word security settings prevent the macro from running, the document contains a couple of "tricks," ESET said. First, the document contains a block of "garbled text," presumably suggesting to the likely victim that something needs to be done to decode or decrypt it. Second, at the very top of the document is the message "enable content to run in compatibility mode." This message is formatted very similarly to the warning bar of recent Microsoft Word versions, which tells users that macros in the current document have been disabled.
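A mail-gateway or sandbox triage check for the lure described above, added here as an illustration and not part of the article or ESET's analysis: it flags an Office Open XML attachment that both embeds a VBA project and carries text mimicking the "enable content" warning bar. The `build_sample_docx` helper only constructs a minimal in-memory document as sample input; the lure regex and the `word/vbaProject.bin` check are assumptions of this example, not a published signature, and a legacy binary `.doc` (OLE2, not a zip container) is reported as `not-ooxml` rather than analysed.

```python
import io
import re
import zipfile

# Lure text quoted in the article; matching is case-insensitive and tolerant of
# the phrase being split across XML runs. Regex is an assumption of this example.
LURE_PATTERNS = [
    re.compile(r"enable\s+content\s+to\s+run\s+in\s+compatibility\s+mode", re.I),
]

# Zip parts whose presence means the document carries a VBA project (assumption).
MACRO_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")


def build_sample_docx(body_text: str, with_macro: bool) -> bytes:
    """Construct a minimal OOXML document in memory (sample input, not a real attachment)."""
    doc_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc_xml)
        if with_macro:
            # Placeholder bytes standing in for an OLE VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Return macro/lure indicators and a verdict for one attachment."""
    result = {"has_macro": False, "lure_text": False, "verdict": "clean"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            result["has_macro"] = any(p in names for p in MACRO_PARTS)
            if "word/document.xml" in names:
                xml = zf.read("word/document.xml").decode("utf-8", "replace")
                # Strip tags so text split across <w:r> runs still matches.
                text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", xml))
                result["lure_text"] = any(p.search(text) for p in LURE_PATTERNS)
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"
        return result
    if result["has_macro"] and result["lure_text"]:
        result["verdict"] = "suspicious: macro + enable-content lure"
    elif result["has_macro"]:
        result["verdict"] = "review: macro present"
    return result
```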

Nymaim has been active in other ways as well. In April, a hybrid "franken-trojan" variant combining Nymaim and Gozi was uncovered, targeting financial institutions in North America and giving the attacker remote control over the compromised computer instead of encrypting files or locking the machine in exchange for money.
