Security

Nymaim malware got a major 'upgrade', says Verint

It's nearly 2017, and Word macros are STILL spreading malware

By Richard Chirgwin

5 SHARE

The miscreants behind the Nymaim malware dropper have updated their code to include better obfuscation and blacklisting against security software.

Analytics outfit Verint, which discovered the latest version and offers its analysis here, says the new code base targets phishing rather than the drive-by-download approach favoured by the original version of the malware.

Nymaim has been around since 2013, but has gone through few iterations to try and stay ahead of threat researchers. Verint asserts that attacks are rising, up 63 per cent compared to last year.

They write that the variant has “new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of ‘anti-security solution/analysis’ blacklisting”.

The blacklist check happens pretty soon after the payload launches: it uses a Maxmind query to learn how the victim machine is connected to the Internet, and checks the query results for names of common security solutions (Fortinet, Cisco, Trend Micro and the like).

If it finds a match against the blacklist string, the Nymaim payload stops without trying to download the next stage payload.

The sample Verint's researchers got their hands on arrived as a macro in a compromised Word document. ®

Sign up to our NewsletterGet IT in your inbox daily

5 Comments

More from The Register

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

FBI fingers North Korea for two malware strains

'Joanap' and 'Brambul' harvest info about your systems and send it home

US-CERT warns of more North Korean malware

'Typeframe' springs from the same den as 'Hidden Cobra'

Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

DOJ convicts second bloke for helping malware go undetected

Scan scam? Scram

Malware-slinging scum copied D-Link's code-signing certificates to dress up PC nasties

Password-stealing backdoor lobbed at Windows boxes

Medic! Orangeworm malware targets hospitals worldwide

Hacking campaign goes after care providers and equipment

Security bods liberate EITest malware slaves

Miscreants' command and control network traffic sent down sinkhole

Brown pants moment for BlueJeans: Dozens of AV tools scream its vid chat code is malware

How it all happened (clue: unsigned library loaded)