Like any product, malware needs updates and improvements in capabilities as much as anything else.
So it is no surprise that a variant of the Nymaim dropper is bringing new capabilities to the marketplace, including new obfuscation and delivery methods and the use of PowerShell.
In existence since 2013, Nymaim has mainly seen action as a dropper for other threats, including ransomware and banking Trojans.
The malware attracted little attention after 2013 until this year, when ESET researchers reported a 63 percent increase in infections compared with the same six-month period last year.
Verint’s research team found this Nymaim variant serves as substantial evidence of two significant trends:
• The re-emergence and evolution of the Nymaim family. Not only is the malware family definitely back in action, it has gone through some dramatic changes.
• Another example of how even relatively widespread threats are employing significantly more advanced methods of attack, distribution and obfuscation, methods that not long ago would have been found only in the most advanced and targeted threats. This trend is only getting stronger and means that “advanced” threats will continue to affect a wider range of victims than ever before.
Nymaim had replaced drive-by downloads as the delivery mechanism with spear-phishing emails carrying Macro-enabled Word documents, researchers said. It also appeared the attacks targeted high-level managers.
One malicious email supposedly came from a corporate financing manager and was sent to a VP of human resources. The message was well designed and included the recipient’s full name and office address.
When victims open the attached file, they are presented with a “protected” document and instructed to enable content, which causes the Macro code to execute. Researchers said the strings and Macro methods were obfuscated to hinder analysis.
One new feature is the use of PowerShell to download a first-stage payload. However, before the payload downloads, the macro code queries MaxMind’s GeoIP services. The response obtained from this query is analyzed to determine if it includes various strings that could indicate the presence of security or analysis tools.
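The chain described above (Word macro performs a GeoIP lookup, then launches PowerShell to fetch the payload) is something a defender can correlate in endpoint telemetry. The following is an added example, not code from the article or from the researchers; the log format, hostnames, timestamps and the `GEOIP_HINTS` substrings are constructed assumptions for this illustration.

```python
"""Flag a Word -> GeoIP lookup -> PowerShell chain in constructed endpoint telemetry.
Added example; log format, hosts, timestamps and hint strings are constructed."""
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line:
#   <timestamp> <host> <NET|PROC> <parent process> <destination or child command line>
SAMPLE_LOGS = """\
2016-08-01T09:00:01 WS01 NET winword.exe geoip.example.net:443
2016-08-01T09:00:04 WS01 PROC winword.exe powershell.exe -w hidden -nop
2016-08-01T09:05:00 WS02 NET winword.exe cdn.example.com:443
2016-08-01T09:05:03 WS02 PROC winword.exe powershell.exe -w hidden -nop
2016-08-01T10:00:00 WS03 PROC explorer.exe powershell.exe Get-Help
"""

# Substrings that suggest a GeoIP service lookup (assumption; tune to your environment).
GEOIP_HINTS = ("geoip", "maxmind")
# Maximum gap between the lookup and the PowerShell launch to still count as one chain.
WINDOW = timedelta(seconds=60)


def parse(line):
    """Split one telemetry line into (timestamp, host, kind, process, detail)."""
    ts, host, kind, proc, detail = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, kind, proc.lower(), detail


def detect_chain(log_text, window=WINDOW):
    """Return (host, time) pairs where winword.exe contacted a GeoIP-looking
    destination and then spawned powershell.exe within `window`.
    A PowerShell launch with no preceding lookup (WS02, WS03) is not flagged."""
    last_lookup = {}  # host -> time of the most recent GeoIP-looking lookup by Word
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, proc, detail = parse(line)
        if proc != "winword.exe":
            continue  # only the Word macro's own activity is of interest here
        if kind == "NET" and any(h in detail.lower() for h in GEOIP_HINTS):
            last_lookup[host] = ts
        elif kind == "PROC" and detail.lower().startswith("powershell.exe"):
            seen = last_lookup.get(host)
            if seen is not None and ts - seen <= window:
                hits.append((host, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for host, when in detect_chain(SAMPLE_LOGS):
        print(f"{host}: Word GeoIP lookup followed by PowerShell at {when}")
```

Only WS01 is reported: WS02 launches PowerShell from Word without a GeoIP lookup, and WS03's PowerShell has a different parent.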