Security

Nymaim malware got a major 'upgrade', says Verint

It's nearly 2017, and Word macros are STILL spreading malware

By Richard Chirgwin

5 SHARE

The miscreants behind the Nymaim malware dropper have updated their code to include better obfuscation and blacklisting against security software.

Analytics outfit Verint, which discovered the latest version and offers its analysis here, says the new code base targets phishing rather than the drive-by-download approach favoured by the original version of the malware.

Nymaim has been around since 2013, but has gone through few iterations to try and stay ahead of threat researchers. Verint asserts that attacks are rising, up 63 per cent compared to last year.

They write that the variant has “new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of ‘anti-security solution/analysis’ blacklisting”.

The blacklist check happens pretty soon after the payload launches: it uses a Maxmind query to learn how the victim machine is connected to the Internet, and checks the query results for names of common security solutions (Fortinet, Cisco, Trend Micro and the like).

If it finds a match against the blacklist string, the Nymaim payload stops without trying to download the next stage payload.

The sample Verint's researchers got their hands on arrived as a macro in a compromised Word document. ®

Sign up to our NewsletterGet IT in your inbox daily

5 Comments

More from The Register

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

Russia to Apple: Kill Telegram crypto-chat – or the App Store gets it

We know you’re busy, Mr Cook, but please reply before we become … unpleasant

In World Cup Russia, our Wi-Fi networks will log on to you!

Researchers warn of shady hotspots in host cities

Russia appears to be 'live testing' cyber attacks – Former UK spy boss Robert Hannigan

InfoSec Europe Warns that nation state hacking threatens corporate networks

Fancy Bear still Putin out new modules for VPNFilter malware

Talos turns up obfuscation, lateral attacks, and proxies

Soyuz later! Russia may exit satellite launch biz

Is it worth competing with SpaceX prices?

Trump wants to work with Russia on infosec. Security experts: lol no

Thanks for Putin that out there

UK names Russia as source of NotPetya, USA follows suit

Updated 'Almost certain' assessment enough for official blast from Foreign Office

FBI agents take aim at VPNFilter botnet, point finger at Russia, yell 'national security threat'

Feds warn admins malware is rather tough to destroy

Google, AWS IPs blocked by Russia in Telegram crackdown

Two million addresses down, 4.2 billion to go - oh, plus the IPv6 address space