Infections with Nymaim Trojan Found to Have Surged


Nymaim, also known as a malware loader, is a classic malware dropper. Its only purpose is to infect a system using some technique and then download much more dangerous and invasive malware. While criminals have used it to download all types of viruses in the past, Nymaim is generally popular for delivering ransomware.

ESET reveals that Nymaim has caused over 2.8 million infections. These infections are mostly found in Poland (54% of all Nymaim detections this year), Germany (16%) and the US (12%). Infosecurity-magazine.com reported on July 12th, 2016, that Nymaim has now moved towards South America and is attacking Brazilian financial institutions.

The post said that the attacks in Brazil seemed to target victims just after Nymaim was presented in a new package called Nymaim.BA, at a time when only some antivirus engines could detect both the downloader and the Nymaim.BA payload.

Researchers said that the latest malware version is distributed through spearphishing campaigns using emails that contain Microsoft Word documents with malicious macros, unlike the 2013 version, which used drive-by-download attacks distributed through compromised websites.

The macros use social engineering "tricks" to try to work around the default security settings of Microsoft Word, which prevent malicious documents from running.

ESET identified a malicious phishing campaign delivering Word documents that install Nymaim as soon as the user activates the document's macro feature. This campaign targeted only users living in Brazil.

Researchers claimed that the ploys may well convince users of English versions of Microsoft Word to enable macros; however, they are less convincing when the document is opened in any other language version of Word.

The latest payloads are identified as Nymaim.BA, and a security researcher has tied some of the distribution to a series of IP addresses, which he recommended system administrators block to try to stop Nymaim infections.

Nymaim has been active in various other ways as well. A hybrid "franken-trojan" version of Gozi and Nymaim was discovered in April; it targeted North American financial institutions and gives the attacker remote control over the compromised computer rather than encrypting files or locking the computer in exchange for money.

» SPAMfighter News - 7/18/2016
