A Trojan is now capable of fingerprinting MAC addresses to see if it is running in a virtualized environment, researchers said.
By figuring out if the machine is running in a virtual environment, the Nymaim Trojan is comparing the targeted machine’s MAC address against a hardcoded list. By doing that, the Trojan allows it to avoid virtual environments and thwart analysis tools, said researchers at SophosLabs.
This approach results in Nymaim losing some targets, but also means it escapes the automated antivirus sandboxes, which can buy an attacker precious time, SophosLabs researcher Sandor Nemes said.
“Malware that deliberately avoids showing its real behavior on an automated malware analysis system is frustrating,” Nemes said. “If they can successfully avoid a virtualized sandbox, someone has to analyze the sample manually, and the malware authors can win some time.”
This new approach, researchers said, ended up discovered in samples used in a campaign targeting German-speaking users.
Initially spotted in 2013, Nymaim is a downloader that combined with the Gozi banking Trojan.
This unification brought a new malware unit called GozNym. The original malware, however, continues to see action as the delivery platform for other threats, researchers said in a blog post.
The new version has a hardcoded expiration date, which after that date it stops working.
Deeper analysis showed when Nymaim does a check and fails, it keeps running for a while to make its failure less obvious. The list of identified Nymaim checks are below:
• Checks the current date against the hardcoded expiration date.
• Checks the hash of the username against a list of blacklisted username hashes.
• Checks the hash of the sample filename against a list of blacklisted filename hashes.
• Computes a hash value for every environment variable set. If the resulting value matches a hardcoded one, then it skips the rest of the checks. This was probably intended as a feature to allow easy debugging from the malware author’s side.
• Checks the MAC address of the computer against a list of blacklisted vendors.
• Computes a hash value for every filename in the C:\Windows directory to see if any of them matches the list of blacklisted filename hashes.
• Checks the hash of the computer against a blacklist of hashes.
• Queries the system BIOS version and video BIOS version from Windows registry and checks if it contains “VBOX” or “VirtualBox.”
In addition to checking the MAC address against a list of blacklisted vendors, the malware verifies the current date against the hardcoded expiration date, as well as the hash of the username against a list of blacklisted username hashes, and also checks the hash of the sample filename against a list of blacklisted filename hashes.