Nymaim Dropper Updates Delivery, Obfuscation Methods

A new variant of the Nymaim dropper has been identified that includes updated delivery and obfuscation methods, and the use of PowerShell routines to download its payloads.

The updated dropper, used primarily to download banking Trojans in the past, has also been spreading ransomware, according to security company Verint, which has been monitoring an increasing number of attacks during the past year. Attacks using Nymaim are up 63 percent compared to 2015, said Verint security research manager Moshe Zioni.

In a report published last week, Zioni and colleague Oren Biderman said the latest generation of the dropper has “gone through some dramatic changes” and “deserves renewed attention” by security researchers.

Unlike the 2013 variant of the dropper, which was almost exclusively distributed via drive-by-downloads, the new incarnation brings to the table new features and is spread through spear phishing.

“New features and capabilities that have not yet been seen (in previous Nymaim variants), including new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of ‘anti-security solution/analysis’ blacklisting,” wrote Zioni and Biderman.

According to researchers, the latest Nymaim samples target victims with emails that contain malicious Microsoft Word document attachments. “When opening the attachment, it looks like a classic phishing attempt, which tries to convince the user to enable (the) macro since the document is protected,” researchers said.

Closer examination of the malicious document’s strings revealed that the Visual Basic for Applications (VBA) macro code has been obfuscated using a non-standard ROT mechanism. Previous analysis of Nymaim’s “obfuscation technique observed a ROT obfuscation mechanism, but what we had on our hands was different,” researchers wrote.

According to Zioni and Biderman, the new obfuscation uses two types of tactics. “One is an effort to obfuscate strings in particular, the other is to make Macro methods virtually unreadable and cumbersome for the reverse engineer,” the researchers said. “String de-obfuscation is implemented by calculating a cyclic group of numbers that will lead to the correct reordering of the string.”

Another change involves the order of execution and implementation within the first stage of the payload drop after the malicious macro has been triggered. For starters, the PowerShell routine is initiated in order to download the first stage of the payload from a command and control server. Second, an additional “pre-execution” connectivity test is executed via a GET request to “https://www.maxmind.com/en/locate-my-ip-address” with a user-agent value of “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)”.

“The user-agent in-place was implemented in Internet Explorer 10 platform preview (2011), a somewhat peculiar choice for an up-to-date variant – may point to the origin of the mechanism’s code,” said Zioni and Biderman.

In an attempt to prevent detection, the malware uses the IP-address data returned by the GET request to blacklist analysis tools, checking the response for sub-strings such as Fortinet, Cisco, Palo Alto and others. “If the sub-string is found to be within the response – it won’t approach the function of downloading the first stage payload,” according to researchers.
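The pre-execution check described above is a usable network detection: the following Python example, added here and not taken from the article or from Verint's report, scans web-proxy log lines for a request to the MaxMind lookup page carrying the quoted Internet Explorer 10 user-agent, then lists what the same client fetched next. The log layout, the `ws-*` client names, `payload-host.example` and the 60-second window are assumptions made for the example, and seeing the full HTTPS URL assumes the proxy inspects TLS.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators quoted in the article.
CHECK_HOST = "www.maxmind.com"
CHECK_PATH = "/en/locate-my-ip-address"
STALE_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

# Assumed log layout: ISO time, client, method, URL, "user agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample proxy log (client names and the payload host are placeholders).
SAMPLE_LOG = """\
2016-04-12T09:14:02 ws-041 GET https://www.maxmind.com/en/locate-my-ip-address "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2016-04-12T09:14:05 ws-041 GET http://payload-host.example/stage1.dat "PlaceholderAgent/1.0"
2016-04-12T09:20:11 ws-007 GET https://www.maxmind.com/en/locate-my-ip-address "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/49.0"
2016-04-12T09:31:40 ws-112 GET https://WWW.MAXMIND.COM/en/locate-my-ip-address?x=1 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
not a log line
"""

def parse(log_text):
    """Yield (time, client, split_url, user_agent) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, _method, url, ua = m.groups()
            yield datetime.fromisoformat(ts), client, urlsplit(url), ua

def find_hits(log_text, window=timedelta(seconds=60)):
    """Return one dict per matching geolocation check, with the client's follow-up URLs."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    hits = []
    for ts, client, url, ua in events:
        if not ((url.hostname or "") == CHECK_HOST  # .hostname is already lowercased
                and url.path.rstrip("/") == CHECK_PATH
                and ua == STALE_UA):
            continue
        followups = [u.geturl() for t, c, u, _ in events
                     if c == client and ts < t <= ts + window
                     and (u.hostname or "") != CHECK_HOST]
        hits.append({"time": ts.isoformat(), "client": client, "followups": followups})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit with follow-up requests gives candidate first-stage download hosts to investigate; a hit with none is consistent with the blacklist branch, where the download is skipped.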

Researchers also point out that particular attention is paid to the social engineering portion of the attack. Victims are typically high-level managers, and the attackers try to maximize the chances of a recipient opening the document and enabling the Word macros that trigger the next phase of the attack.

“The email message includes the recipient’s job title in the subject line (“Vice President – Human Resources”), while the body of the message includes such details as the recipient’s full name and office address,” Verint said.

Phishing email containing Nymaim Trojan with subject "Vice President – Human Resources" and containing a "draft" document for recipient's review.


Distribution domains hosting the Nymaim payload, according to Zioni and Biderman, have included silkflowersdecordesign[.]com/admin/worddata.dat. Typically, the name of the document matches the name of the targeted company and the attachment is a Microsoft Word 2007 file or newer. Last week, Microsoft moved to neutralize the threat of malicious attachment attacks by allowing system administrators to configure Office 2013 to block Word, Excel, and PowerPoint macros. The capability had previously been introduced in March by Microsoft for its Office 2016 software.