Most malware that we see is distributed through spam sent out by botnets. Other malware comes through "drive-by downloads" from compromised or malicious websites. Now one attacker is using legitimate bulk email services to spread the Nymaim Trojan, an alarming shift that could make such attacks harder to detect.
Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans.
Originally observed in 2013, the Nymaim Trojan was installing ransomware before file-encrypting malware was making headlines and extorting money from people, hospitals, and even the police. At that time, Nymaim was largely distributed via the Black Hole Exploit Kit (BHEK) as a "drive-by download.” Later, the actors behind the distribution of Nymaim began manipulating search results so that sites compromised with BHEK were more likely to get clicks. By 2014, researchers found machines infected with Nymaim that also contained traces of other malware including Vawtrak, Miuref, Pony, and Ursnif.
Although most famously associated with early ransomware, Nymaim is, at its core, a downloader Trojan that can be used to install a variety of malware. Recently, we have been tracking new vectors and payloads for Nymaim, with multiple campaigns utilizing email to send document attachments or URLs leading to documents. When users open one of these documents, the macros download and install Nymaim. Then, in most cases, Nymaim installs the Ursnif banking Trojan on vulnerable PCs.
The emails include links from legitimate domains used by the service provider but redirect users to malicious macro-embedded documents to deliver Nymaim. It is unclear whether the threat actors are using a compromised account on the email marketing service or signed up for a free trial. In either case, the trend marks a departure from their usual reliance on botnets—and could make them harder to detect.
Figure 1: Lure leveraging email marketing service
Figure 2: Malicious document downloaded from link shown in Figure 1
Not surprisingly, using a well-known email marketing service can improve the effectiveness of the attacks by improving link reputation, keeping senders on whitelists, and bypassing sampling by multiple security vendors who deliberately exclude bulk mailing services.
In other campaigns, Nymaim is being delivered through even more circuitous means. On February 17, for example, we tracked a malicious document attachment campaign in which Microsoft Word documents attached to emails with subjects "February payment" or "Fedex Delivery Notification" used macros to drop Pony onto PCs.
Pony is a Trojan with credential-stealing capabilities. In this case it is used to download Nymaim, which in turn may then download other malware such as Ursnif.
Email is the top vector for delivering Nymaim in these recent campaigns (whether via attached malicious documents or links to malicious URLs). We have identified two other interesting features in these new campaigns:
- Nymaim still appears to be using some of the same web injects (hence targeting the same organizations) as it did in campaigns from 2013 and 2014, even while actors are employing other means (like VBA macros) to deliver the malware.
- Nymaim is heavily obfuscating both its own functions and that of its payload (at least in the case of Ursnif) in memory. This move makes analyzing and reverse-engineering it harder.
In Figure 3, Nymaim is monitoring and replacing content of a banking website while the user is browsing it. This screenshot shows traffic generated by the malware to its injection control IP address 31.184.234[.]21. The malware reports that the user is visiting a banking site. It then receives instructions on how to modify and replace content to initiate fraud on the user’s account.
Figure 3: Nymaim web injection
Nymaim is hardly new. But these campaigns bring some new approaches to the table. Abusing an email marketing service brings a number of benefits to the actors and leaves many recipients potentially more vulnerable to attack. It's possible to blacklist IP addresses associated with the botnets that typically distribute malware via email. But in this case, the campaign uses a known "good" mail distribution vector.
Without more advanced analysis in a sandbox environment, these kinds of attacks are difficult to catch. At the same time, actors are leveraging Nymaim's capabilities as a loader and its flexibility to distribute the latest banking Trojans.
In other words, what is old is new again, and Nymaim has been revitalized to meet current demands from threat actors.
Indicators of Compromise
Sample hashes (Documents that download Nymaim):
Distribution domains (domains hosting documents that download Nymaim):
Distribution domains (domains hosting Nymaim payload):
Nymaim Sample SHA256 Hashes: