Overview
First documented in 2013 [1], Nymaim was originally identified as both a first-stage downloader and second-stage locking malware. Primarily distributed via the Blackhole exploit kit, most users found out they were infected because of the screen lock that demanded varying ransoms. In 2016, we documented distribution of the Ursnif banking Trojan via email campaigns and the presence of webinjects within Nymaim itself [2]. More recently, Nymaim has evolved into an even more robust downloader that includes a range of information stealing and system profiling capabilities. This incarnation of Nymaim has appeared both in global campaigns and in attacks targeting North America, Germany, Italy, and Poland. In this respect, Nymaim is following global malware trends, with a focus on persistent, non-destructive infection to collect information long-term and flexibly download additional malware of the threat actor’s choosing.
Despite its long history and increasing incidence of spreading via email, many aspects of Nymaim are not well understood, including its ownership and availability to groups of threat actors. Moreover, the configuration file format outlined in this blog and the config’s interaction with a virtual machine running within the malware itself appear to be unique. While CERT.pl described the configuration encryption algorithms previously [3], recent samples now employ a bytecode language with its own logic that is interpreted by the malware, running in a virtual machine managed by Nymaim. Technical details of the config file and its interaction with the Nymaim interpreter are outlined below.
Analysis
Config parsing
As other researchers have noted for various components of Nymaim [4], the configuration data is stored in an encrypted and, in some cases, aPLib-compressed format.
The configuration data consists of a binary structure composed of multiple config components or chunks. Each data component has a recognizable pattern that is structured in the following format:
struct CONFIG_LINE {
    DWORD opcode;
    DWORD params_length;
    byte params[params_length];
}
Upon further analysis, we found that the configuration is compiled bytecode-like data that runs in a custom virtual machine environment inside Nymaim. The config has its own CODE and DATA sections, stack, local variables, registers, conditional cases, procedures, and API calls.
Additionally, the config parser includes a built-in integrity check of the params data, such that on initialization, the structure outlined above is expanded in memory to four parameters:
struct CONFIG_LINE_PARSED {
    DWORD opcode;
    DWORD crc;
    DWORD params_length;
    byte params[params_length];
}
The integrity check uses a checksum algorithm that is used widely throughout the malware; its implementation follows:
import struct

def crc(data, data_len):
    # Sum of the little-endian DWORDs in data, plus the data length, plus a
    # fixed delta. Bytes after the last full DWORD are not summed; they only
    # contribute through data_len.
    delta = 0x9AF598DC
    crc = 0
    for i in range(0, data_len // 4):
        crc += struct.unpack_from("<L", data, i * 4)[0]
    crc += data_len
    crc += delta
    return crc & 0xFFFFFFFF
The first entries from the config contain the compile timestamp, version, and -- if present -- the expiration date. Although the virtual machine skips these entries, they allow us to precisely date each sample from the day it was first distributed to the day on which the campaign ended.
The virtual machine parses the rest of the config file line by line from top to bottom, first reading the code section and then reading the data section at the bottom of the file.
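To make the layout concrete, the following is an added Python example (not code from the article, and not the decompiler it references) that serialises a constructed config blob in the CONFIG_LINE layout, walks it entry by entry, and expands each entry into the CONFIG_LINE_PARSED shape using the checksum routine described above. Two points are assumptions: that the checksum covers only the params bytes of an entry, and the opcode numbers in the sample, which are made up because the article does not publish the opcode table. The example also shows the checksum's blind spot: bytes past the last full DWORD are never summed, so two params blobs of the same length that differ only in a trailing byte produce the same value.

```python
import struct

CRC_DELTA = 0x9AF598DC  # fixed delta from the checksum routine shown in the article


def crc(data, data_len):
    """Checksum used for the params integrity check (algorithm from the article):
    sum of the little-endian DWORDs in data, plus data_len, plus CRC_DELTA.
    Bytes after the last full DWORD are not summed, only counted via data_len."""
    total = 0
    for i in range(data_len // 4):
        total += struct.unpack_from("<L", data, i * 4)[0]
    total += data_len
    total += CRC_DELTA
    return total & 0xFFFFFFFF


def build_config(entries):
    """Serialise (opcode, params) pairs into the CONFIG_LINE layout:
    DWORD opcode, DWORD params_length, byte params[params_length].
    Only used here to construct sample input."""
    blob = bytearray()
    for opcode, params in entries:
        blob += struct.pack("<LL", opcode, len(params))
        blob += params
    return bytes(blob)


def parse_config(blob):
    """Walk a decrypted (and, where needed, decompressed) config blob and expand
    each CONFIG_LINE into the CONFIG_LINE_PARSED shape:
    opcode, crc, params_length, params.
    Raises ValueError on a truncated entry rather than reading past the end."""
    parsed = []
    offset = 0
    while offset < len(blob):
        if offset + 8 > len(blob):
            raise ValueError("truncated CONFIG_LINE header at offset %d" % offset)
        opcode, params_length = struct.unpack_from("<LL", blob, offset)
        offset += 8
        if offset + params_length > len(blob):
            raise ValueError("params_length %d overruns blob at offset %d"
                             % (params_length, offset))
        params = blob[offset:offset + params_length]
        offset += params_length
        parsed.append({
            "opcode": opcode,
            # Assumption: the integrity checksum covers only the params bytes.
            "crc": crc(params, params_length),
            "params_length": params_length,
            "params": params,
        })
    return parsed


def parse_or_error(blob):
    """Return the parsed entries, or the error message for a malformed blob."""
    try:
        return parse_config(blob)
    except ValueError as exc:
        return str(exc)


# Constructed sample input. The opcode numbers are made up; the article does not
# publish the real opcode table.
SAMPLE_ENTRIES = [
    (0x01, struct.pack("<L", 0x5BF4243D)),  # one DWORD parameter
    (0x02, b"\x01\x02\x03\x04\x05"),         # five bytes: the fifth is not summed
    (0x03, b""),                             # empty params: crc == CRC_DELTA
]
SAMPLE_BLOB = build_config(SAMPLE_ENTRIES)

# Constructed malformed input: a header claiming 100 param bytes with only 4 present.
OVERRUN_BLOB = struct.pack("<LL", 0x01, 100) + b"\x00" * 4


if __name__ == "__main__":
    for entry in parse_config(SAMPLE_BLOB):
        print("opcode=%#x crc=%08X len=%d params=%s"
              % (entry["opcode"], entry["crc"], entry["params_length"],
                 entry["params"].hex()))
    print(parse_or_error(OVERRUN_BLOB))
```

The length checks matter when working on real samples: a decryption or decompression mistake upstream produces garbage lengths, and a parser that trusts params_length will read past the buffer instead of reporting where the chunk boundary broke.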
Config execution
As part of the virtual machine, the config interpreter can use its own stack and local variables, along with six general purpose registers. Additionally, there is designated space for instruction pointers and flags used by the IF-THEN-GOTO code and API/procedure results.
The config interpreter running on the virtual machine can communicate with other parts of the Nymaim code using a structure holding initial data, which includes:
- IsAdmin flag;
- System version from an OSVERSIONINFOEXW structure;
- SubAuthID;
- Locale obtained by GetLocaleInfoA;
- Pointer to the PEB;
- Event handles;
- Many additional flags;
In the samples we analyzed, the interpreter did not necessarily use all of these parameters. However, they are all accessible from the config's code.
The interpreter itself uses a limited set of basic logic instructions, including flexible variable and register assignments, represented in the pseudocode below:
// &ADDR:**** is the addressing, line by line of the config code
// SP_00 to SP_** are represented as stack pointers
// R0 to R5 are general purpose registers
// Additionally local variables decompiled as LOC_** can be used
&ADDR:0003 SP_00 = 0xFFFFFFFF; // immediate value to stack pointer assignment
&ADDR:0004 SP_04 = 0x00000000;
&ADDR:0005 SP_08 = 0x00000002;
&ADDR:0006 SP_0C = 0x00000004;
&ADDR:0007 SP_10 = 0x00000008;
&ADDR:0008 SP_14 = 0x0000000C;
&ADDR:0009 SP_18 = 0x00000010;
...
&ADDR:0017 R0 = &CPU; // pointer to the CPU data to register assignment
&ADDR:0018 R1 = 0x0000003C; // immediate value to register assignment
&ADDR:0019 R2 = 0x00000004;
&ADDR:001A R3 = &SP_04; // stack pointer to register assignment
&ADDR:001B R4 = 0x00000000;
&ADDR:001C R5 = 0x00000004;
Data initialization for the next stage, using labels as delimiters, is shown below:
&ADDR:006D InitData(start=&ADDR:007A, end=&ADDR:0081);
...
&ADDR:0079 LABEL_79:
...
&ADDR:0082 LABEL_82:
TEST and IF-THEN-GOTO instructions for conditional branching:
&ADDR:0021 TEST &SP_34 == &SP_44;
&ADDR:0022 IF True GOTO LABEL_4B;
...
&ADDR:002D IF &R0[R1] == &R3[R4] GOTO LABEL_4B;
Procedure calls using an entry-point label and the RET instruction:
&ADDR:001F CALL PROC_69;
...
&ADDR:0069 PROC_69:
...
&ADDR:006E RET;
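When reading a decompiled config, the first questions are usually "what can this path reach?" and "who jumps to this label?". The following added Python example (not code from the article or from the referenced decompiler) answers both by building a control-flow graph from decompiler output in the &ADDR:XXXX format used above. The sample input is the slice &ADDR:005D to &ADDR:0072 of the decompiled config reproduced later in this article. The modelling choices are assumptions, not documented VM semantics: RET, Exit() and END end a path; a CALL edge goes to the procedure and also falls through to the next instruction, standing in for the RET; an unconditional GOTO has only its target as successor, while IF ... GOTO keeps the fall-through.

```python
import re

# One line of decompiler output, in the format used throughout the article:
# "&ADDR:XXXX <instruction or label>; // optional comment"
LINE_RE = re.compile(r"^&ADDR:([0-9A-Fa-f]{4})\s*(.*)$")
GOTO_RE = re.compile(r"\bGOTO\s+(LABEL_[0-9A-Fa-f]+)")
CALL_RE = re.compile(r"^CALL\s+(PROC_[0-9A-Fa-f]+)")
# Modelling assumption: these end a linear path (a RET is represented by the
# fall-through edge at the CALL site instead).
TERMINATORS = ("RET", "Exit(", "END")


def parse_listing(text):
    """Return (instrs, labels): address -> body with comment stripped, and
    label/procedure name -> the address where it is defined."""
    instrs, labels = {}, {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        body = m.group(2).split("//", 1)[0].strip()
        instrs[addr] = body
        if body.endswith(":"):  # "LABEL_xx:" or "PROC_xx:" definition
            labels[body[:-1]] = addr
    return instrs, labels


def successors(addr, instrs, labels):
    """Successor addresses of one instruction: fall-through, branch target,
    or call target. A CALL also falls through, since the procedure RETs."""
    body = instrs[addr]
    fall = [addr + 1] if (addr + 1) in instrs else []
    if body.startswith(TERMINATORS):
        return []
    jump = GOTO_RE.search(body)
    if jump:
        target = [labels[jump.group(1)]] if jump.group(1) in labels else []
        # unconditional GOTO replaces the fall-through; IF ... GOTO keeps it
        return target if body.startswith("GOTO") else fall + target
    call = CALL_RE.match(body)
    if call:
        target = [labels[call.group(1)]] if call.group(1) in labels else []
        return target + fall
    return fall


def build_cfg(instrs, labels):
    return {addr: successors(addr, instrs, labels) for addr in instrs}


def reachable_from(cfg, entry):
    """All addresses reachable from entry by following cfg edges."""
    seen, work = set(), [entry]
    while work:
        addr = work.pop()
        if addr in seen or addr not in cfg:
            continue
        seen.add(addr)
        work.extend(cfg[addr])
    return seen


def referrers(cfg, target):
    """Instructions that branch to or call target (plain fall-through excluded)."""
    return sorted(a for a, succ in cfg.items() if target in succ and a + 1 != target)


# Sample input: the slice &ADDR:005D..&ADDR:0072 of the decompiled config shown
# in the article, reproduced verbatim.
SAMPLE_LISTING = """
&ADDR:005D LABEL_5D:
&ADDR:005E GOTO LABEL_61;
&ADDR:005F LABEL_5F:
&ADDR:0060 CALL PROC_69;
&ADDR:0061 LABEL_61:
&ADDR:0062 Exit(0); // Exit process
&ADDR:0063 LABEL_63:
&ADDR:0064 SignalEvent(); // pre-process termination
&ADDR:0065 Exit(0); // Exit process
&ADDR:0066 LABEL_66:
&ADDR:0067 SignalEvent(); // pre-process termination
&ADDR:0068 Exit(0); // Exit process
&ADDR:0069 PROC_69:
&ADDR:006A IsProcessRunning("aswidsagenta.exe", "avastui.exe", "avastsvc.exe"); // Enabled
&ADDR:006B TEST &SP_34 == &SP_44;
&ADDR:006C IF True GOTO LABEL_6F;
&ADDR:006D InitData(start=&ADDR:007A, end=&ADDR:0081);
&ADDR:006E RET;
&ADDR:006F LABEL_6F:
&ADDR:0070 DebugMessage("no known av detected"); // not processed in any way
&ADDR:0071 InitData(start=&ADDR:007A, end=&ADDR:0081);
&ADDR:0072 RET;
"""

if __name__ == "__main__":
    instrs, labels = parse_listing(SAMPLE_LISTING)
    cfg = build_cfg(instrs, labels)
    reach = reachable_from(cfg, labels["LABEL_5F"])
    print("reachable from LABEL_5F:", [hex(a) for a in sorted(reach)])
    print("not reached inside this slice:", [hex(a) for a in sorted(set(cfg) - reach)])
    print("callers of PROC_69:", [hex(a) for a in referrers(cfg, labels["PROC_69"])])
```

Run on the slice, the graph shows that from LABEL_5F the only outcome is PROC_69 followed by Exit(0) at &ADDR:0062, and that the SignalEvent() blocks at LABEL_63 and LABEL_66 are reached only from branches outside the slice; running the same code over the full listing turns those "unreached" addresses into the IF ... GOTO sites that feed them.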
API-like functions can call into other Nymaim code for more complicated jobs as outlined below:
- Determine whether an environment string is set (IsEnvStringSet())
- Determine presence of certain processes running (IsProcessRunning())
- Terminate config code execution (Exit())
- Signaling events created by Nymaim (SignalEvent())
- Sending debug messages to Nymaim (DebugMessage())
- Detecting sandboxing and debugging environment (IsDebugged())
Upon further analysis, we were able to decode the checksums for the following processes:
- updatesrv.exe
- vsserv.exe
- pchooklaunch32.exe
- bdagent.exe
- seccenter.exe
- aswidsagenta.exe
- avastui.exe
- avastsvc.exe
All of these point to executables associated with antivirus applications, suggesting that IsProcessRunning() is used to detect installed AV utilities.
The virtual machine uses IsDebugged() for anti-debugging checks, looking for blacklisted items associated with research environments:
- MAC addresses associated with virtual machine platform vendors VMware, Dell, PCS Computer Systems GmbH, Microsoft Corporation, Parallels, and XenSource.
- Loaded libraries "dbghelp.dll" and "SbieDll.dll" (parts of Debugging Tools for Windows and Sandboxie).
- User names "currentuser" and "sandbox", along with computer names containing "sandbox".
Nymaim does not currently appear to act on the DebugMessage() function, but the argument to each of its two occurrences is passed in plaintext:
- "own inside started" // on stage 1 initialization
- "no known av detected" // self explanatory
Typical decompiled configuration
With this information, we were able to decompile Nymaim's config bytecode to a more human-readable pseudocode script. For reference, a complete implementation of the decompiler that generates the following output is available here [6].
// VM &CPU @ B2564545
// VM &TIME @ 06C742A3
// VM &FLAG @ 5878305F
&ADDR:0000 // compile timestamp: 2018-11-20T16:36:01.263625
&ADDR:0001 // version: 2.1.20.21
&ADDR:0002 // expiration date: 23 November 2018
&ADDR:0003 SP_00 = 0xFFFFFFFF;
&ADDR:0004 SP_04 = 0x00000000;
&ADDR:0005 SP_08 = 0x00000002;
&ADDR:0006 SP_0C = 0x00000004;
&ADDR:0007 SP_10 = 0x00000008;
&ADDR:0008 SP_14 = 0x0000000C;
&ADDR:0009 SP_18 = 0x00000010;
&ADDR:000A SP_1C = &SP_00;
&ADDR:000B SP_20 = &SP_04;
&ADDR:000C SP_24 = &SP_0C;
&ADDR:000D SP_28 = &SP_10;
&ADDR:000E SP_2C = &SP_14;
&ADDR:000F SP_30 = &SP_18;
&ADDR:0010 SP_34 = &FLAG;
&ADDR:0011 SP_38 = 0x00000000;
&ADDR:0012 SP_3C = 0x0DDD766C;
&ADDR:0013 SP_40 = 0x0CD874EC;
&ADDR:0014 SP_44 = &SP_3C;
&ADDR:0015 SP_48 = &SP_40;
&ADDR:0016 InitData(start=&ADDR:0084, end=&ADDR:0091);
&ADDR:0017 R0 = &CPU;
&ADDR:0018 R1 = 0x0000003C;
&ADDR:0019 R2 = 0x00000004;
&ADDR:001A R3 = &SP_04;
&ADDR:001B R4 = 0x00000000;
&ADDR:001C R5 = 0x00000004;
&ADDR:001D IF &R0[R1] == &R3[R4] GOTO LABEL_5F;
&ADDR:001E DebugMessage("own inside started"); // not processed in any way
&ADDR:001F CALL PROC_69;
&ADDR:0020 IsProcessRunning(0x9BC217C0); // Enabled
&ADDR:0021 TEST &SP_34 == &SP_44;
&ADDR:0022 IF True GOTO LABEL_4B;
&ADDR:0023 IsEnvStringSet(0xDD076E3D);
&ADDR:0024 TEST &SP_34 == &SP_44;
&ADDR:0025 IF True GOTO LABEL_4B;
&ADDR:0026 IsDebugged(TODO flags); // 00000000 00000001 0000000F 00000000
&ADDR:0027 R0 = &FLAG;
&ADDR:0028 R1 = 0x00000010;
&ADDR:0029 R2 = 0x00000004;
&ADDR:002A R3 = &SP_04;
&ADDR:002B R4 = 0x00000000;
&ADDR:002C R5 = 0x00000004;
&ADDR:002D IF &R0[R1] == &R3[R4] GOTO LABEL_4B;
&ADDR:002E R0 = &FLAG;
&ADDR:002F R1 = 0x00000004;
&ADDR:0030 R2 = 0x00000004;
&ADDR:0031 R3 = &SP_04;
&ADDR:0032 R4 = 0x00000000;
&ADDR:0033 R5 = 0x00000004;
&ADDR:0034 IF &R0[R1] == &R3[R4] GOTO LABEL_66;
&ADDR:0035 R0 = &FLAG;
&ADDR:0036 R1 = 0x00000008;
&ADDR:0037 R2 = 0x00000004;
&ADDR:0038 R3 = &SP_04;
&ADDR:0039 R4 = 0x00000000;
&ADDR:003A R5 = 0x00000004;
&ADDR:003B IF &R0[R1] == &R3[R4] GOTO LABEL_66;
&ADDR:003C SP_4C = 0xFFFFFFF7;
&ADDR:003D R0 = &FLAG;
&ADDR:003E R1 = 0x0000000C;
&ADDR:003F R2 = 0x00000004;
&ADDR:0040 R3 = &SP_4C;
&ADDR:0041 R4 = 0x00000000;
&ADDR:0042 R5 = 0x00000004;
&ADDR:0043 LOC_00 = &R0[R1] & &R3[R4];
&ADDR:0044 R0 = &LOC_00;
&ADDR:0045 R1 = 0x00000000;
&ADDR:0046 R2 = 0x00000004;
&ADDR:0047 R3 = &SP_04;
&ADDR:0048 R4 = 0x00000000;
&ADDR:0049 R5 = 0x00000004;
&ADDR:004A IF &R0[R1] == &R3[R4] GOTO LABEL_66;
&ADDR:004B LABEL_4B:
&ADDR:004C IsProcessRunning("updatesrv.exe", "vsserv.exe", "pchooklaunch32.exe", "bdagent.exe", "seccenter.exe"); // Enabled
&ADDR:004D TEST &SP_34 == &SP_44;
&ADDR:004E IF True GOTO LABEL_5D;
&ADDR:004F R0 = 0x00000100;
&ADDR:0050 R1 = 0x00000400;
&ADDR:0051 R2 = 0x00000000;
&ADDR:0052 R3 = 0x00000003;
&ADDR:0053 // TODO ID:7DD14382 DATA:b'00000000'
&ADDR:0054 TEST &SP_34 == &SP_44;
&ADDR:0055 IF True GOTO LABEL_5D;
&ADDR:0056 R0 = &FLAG;
&ADDR:0057 R1 = 0x00000004;
&ADDR:0058 R2 = 0x00000004;
&ADDR:0059 R3 = &SP_04;
&ADDR:005A R4 = 0x00000000;
&ADDR:005B R5 = 0x00000004;
&ADDR:005C IF &R0[R1] == &R3[R4] GOTO LABEL_63;
&ADDR:005D LABEL_5D:
&ADDR:005E GOTO LABEL_61;
&ADDR:005F LABEL_5F:
&ADDR:0060 CALL PROC_69;
&ADDR:0061 LABEL_61:
&ADDR:0062 Exit(0); // Exit process
&ADDR:0063 LABEL_63:
&ADDR:0064 SignalEvent(); // pre-process termination
&ADDR:0065 Exit(0); // Exit process
&ADDR:0066 LABEL_66:
&ADDR:0067 SignalEvent(); // pre-process termination
&ADDR:0068 Exit(0); // Exit process
&ADDR:0069 PROC_69:
&ADDR:006A IsProcessRunning("aswidsagenta.exe", "avastui.exe", "avastsvc.exe"); // Enabled
&ADDR:006B TEST &SP_34 == &SP_44;
&ADDR:006C IF True GOTO LABEL_6F;
&ADDR:006D InitData(start=&ADDR:007A, end=&ADDR:0081);
&ADDR:006E RET;
&ADDR:006F LABEL_6F:
&ADDR:0070 DebugMessage("no known av detected"); // not processed in any way
&ADDR:0071 InitData(start=&ADDR:007A, end=&ADDR:0081);
&ADDR:0072 RET;
&ADDR:0073 LABEL_73:
&ADDR:0074 DATA_DFE8715B = [0x00001F40, 0x00000001, 0x00000004, 0x00000001, 0x00001770, 0x00002000, 0x00000000, 0x000000C8, 0x00000064];
&ADDR:0075 DATA_97AC42CB = [0x00000000];
&ADDR:0076 DATA_PAYLOAD_TARGET_ENUMERATOR = [0x00000000, 0x00000000, "*'%ProgramFiles(x86)%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*instal#*;#!#*setup#*;#!#*config#*;#!#*iexplore.exe;#!#*chrome.exe;#!#*opera.exe';$'#!#*windows#*;#!#*adobe#*';!'0;0;-%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%';*'%ProgramW6432%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*install#*;#!#*setup#*;#!#*config#*';$'#!#*windows#*;#!#*adobe#*';!'0;0;-%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%'"];
&ADDR:0077 DATA_D3955141 = [0x00000001, 0x00000000, "%!system32W6432%\rundll32.exe; -%!rndl_0_0_2_1_3% %!rndl_0_0_2_3_8%.dll"];
&ADDR:0078 LABEL_78:
&ADDR:0079 LABEL_79:
&ADDR:007A DATA_DFE8715B = [0x00001F40, 0x00000001, 0x00000004, 0x00000001, 0x00001770, 0x00002000, 0x00000000, 0x000000C8, 0x00000064];
&ADDR:007B DATA_97AC42CB = [0x00000001];
&ADDR:007C DATA_BB98FAB8 = [0x00000400];
&ADDR:007D DATA_3FEF1B94 = [0x00000004];
&ADDR:007E DATA_PAYLOAD_DROPPATH = "%SystemRoot%#*";
&ADDR:007F DATA_PAYLOAD_DROPFILE = "#!#*flashutil32#*;#!#*flashplayerpl#*;#!#*windowslivemail#*";
&ADDR:0080 DATA_PROCLIST_EXCLUDE_EXT = ["iexplore.exe", "firefox.exe", "chrome.exe", "winword.exe", "outlook.exe", "excel.exe", "powerpnt.exe", "iexplore.exe", "firefox.exe", "chrome.exe", "winword.exe", "outlook.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "java.exe", "javaw.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "certutil.exe", "sqlservr.exe", "opera.exe", "msaccess.exe", "sysprep.exe", "setupsqm.exe", "cliconfg.exe", "winsat.exe", "mmc.exe", "oobe.exe", "inetmgr.exe", "taskhost.exe", "inetmgr.exe", "dism.exe", "dismhost.exe", "taskeng.exe", "cmd.exe", "wscript.exe", "cscript.exe", "java.exe", "powershell.exe", "mshta.exe", "winlogon.exe", "services.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "explorer.exe", "cmd.exe", "rundll32.exe", "msiexec.exe", "mspaint.exe", "notepad.exe", "calc.exe", "taskhost.exe", "dwm.exe", "taskmgr.exe", "msnmsgr.exe", 0xF6FE5321, "dllhost.exe", "runouce.exe", "vds.exe", "mstsc.exe", "mysqld.exe", "onenotem.exe", "dropbox.exe", "conhost.exe", "jusched.exe", "sihost.exe", "splwow64.exe", "msdt.exe", "onedrive.exe", "skype.exe", "solitaire.exe", "steam.exe"];
&ADDR:0081 DATA_PAYLOAD_TARGET_ENUMERATOR = [0x00000000, 0x00000000, "*'%ProgramFiles(x86)%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*instal#*;#!#*setup#*;#!#*config#*;#!#*iexplore.exe;#!#*chrome.exe;#!#*opera.exe';$'#!#*windows#*;#!#*adobe#*';!'0;0;-%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%';*'%ProgramW6432%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*install#*;#!#*setup#*;#!#*config#*';$'#!#*windows#*;#!#*adobe#*';!'0;0;-%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%'"];
&ADDR:0082 LABEL_82:
&ADDR:0083 LABEL_83:
&ADDR:0084 DATA_8568A01D = [0x00000001, 0x00000001];
&ADDR:0085 DATA_14A8D56E = [0x00, 0x02, 0x00, 0x00, 0xD4, 0x30, 0x37, 0xBF, 0x80, 0x4B, 0x8F, 0xE0, 0xE5, 0xCC, 0x27, 0xE7, 0x23, 0xCF, 0x53, 0x37, 0xB1, 0x46, 0xD8, 0x03, 0xCA, 0xEE, 0x29, 0x4B, 0x66, 0x8A, 0x9A, 0xCA, 0x51, 0xA8, 0x95, 0x81, 0x28, 0x93, 0x01, 0xF9, 0x60, 0x7D, 0x9A, 0x6C, 0xB2, 0x93, 0x15, 0x2B, 0x44, 0xC0, 0x6F, 0x6F, 0xB7, 0x1A, 0xC8, 0x12, 0x52, 0x1A, 0xC7, 0x28, 0x0A, 0x46, 0x0D, 0x2E, 0x84, 0x50, 0x9B, 0xFD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01];
&ADDR:0086 DATA_56B437D3 = ["system", "lsass.exe", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "audiodg.exe", "svchost.exe", "winlogon.exe", "spoolsv.exe", "searchindexer.exe", "msdtc.exe", "searchprotocolhost.exe", "dllhost.exe"];
&ADDR:0087 DATA_DBED7DFB = ["system", "lsass.exe", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "audiodg.exe", "svchost.exe", "winlogon.exe", "spoolsv.exe", "searchindexer.exe", "msdtc.exe", "explorer.exe", "dwm.exe"];
&ADDR:0088 DATA_PROCLIST_EXCLUDE = ["wininit.exe", "csrss.exe", "smss.exe", "avp.exe", "avpui.exe", "avgnt.exe", "avguard.exe", "sched.exe", "aswidsagenta.exe", "avastsvc.exe", "avastui.exe", "ccsvchst.exe", "avgcsrvx.exe", "avgnsx.exe", "avgrsx.exe", "avgtray.exe", 0x6EEA1E2D, "avgwdsvc.exe", "ekrn.exe", "egui.exe", "msmpeng.exe", "msseces.exe", "mpcmdrun.exe", "psimsvc.exe", "apvxdwin.exe", "avengine.exe", "pavfnsvr.exe", "pavprsrv.exe", "pavsrvx86.exe", "psctrls.exe", "psksvc.exe", "fpavserver.exe", 0xBAA21E23, "fpwin.exe", "cmdagent.exe", "cfp.exe", "gdscan.exe", "gdsc.exe", "avktray.exe", "avkservice.exe", "avkproxy.exe", "pctsgui.exe", "pctssvc.exe", "pctsauxs.exe", "update.exe", "updatesrv.exe", "vsserv.exe", "pchooklaunch32.exe", "bdagent.exe", "seccenter.exe", "mrt.exe", "mcupdate.exe", "mcagent.exe", "mcmscsvc.exe", "mcnasvc.exe", "mcproxy.exe", "mcsacore.exe", "mcshell.exe", "mcshield.exe", "mcsysmon.exe", "mpfsrv.exe", "msksrver.exe", "udaterui.exe", "engineserver.exe", "frameworkservice.exe", "engineserver.exe", "frameworkservice.exe", "mctray.exe", "naprdmgr.exe", "shstat.exe", "vstskmgr.exe", "almon.exe", "alsvc.exe", "savadminservice.exe", 0x12FCC4EB, "savservice.exe", "swi_service.exe", 0xBC6D3196, "protoolbarupdate.exe", "sfctlcom.exe", "tmbmsrv.exe", "tmpfw.exe", "tmproxy.exe", "tscfplatformcomsvr.exe", 0xAEF84E17, "ufseagnt.exe", 0x3DC44746, 0x13F2ED0D, 0x4B4EA20C, "umxagent.exe", "umxcfg.exe", "umxpol.exe", "caav.exe", "casc.exe", "cavrid.exe", "ccprovsp.exe", "vetmsg.exe", "vmwaretray.exe", "vmwareuser.exe", 0xBD157242, "vmtoolsd.exe", "wrsa.exe"];
&ADDR:0089 DATA_5DD00BF4 = ["winlogon.exe"];
&ADDR:008A DATA_87045172 = ["explorer.exe", "dwm.exe", "taskhost.exe", "conhost.exe"];
&ADDR:008B DATA_0B7EEE53 = [0x00000000];
&ADDR:008C DATA_FFF28C72 = "zepter.com;carfax.com;";
&ADDR:008D DATA_GOOGLE_DNS = [0x00000003, timeout_write=8000, timeout_read=8000, 0x00000001, 0x00000002, "8.8.8.8:53;8.8.4.4:53"];
&ADDR:008E DATA_992CC894 = [0x00000000, 0x00000001, 0x00000001, 0x00000002, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, "gx3Gd93kdXdjd]dGdg573"];
&ADDR:008F DATA_8DB1E244 = [0x00000001, 0x18482642, 0x78643587, 0x87568289, 0x00000010];
&ADDR:0090 DATA_C9393B40 = "~[duewosgems.com];fiosbewos.com;";
&ADDR:0091 DATA_F50DF89A = [0x00000019, 0x000493E0, 0x00000001, 0x00000001, "~[duewosgems.com]/pkbn74is/index.php;fiosbewos.com/pkbn74is/index.php;"];
&ADDR:0092 LABEL_92:
&ADDR:0093 END;
Conclusion
Nymaim is one of a number of downloaders appearing regularly in the wild, reflecting the trend of installing persistent malware on victim devices. Although Nymaim has a long history as a downloader and earlier incarnations as ransomware and a desktop locker, little is known about its ownership or availability to other threat actors. We were, however, able to decode the unique config, providing additional insight for defenders and potential victims of increasingly frequent Nymaim campaigns.
References
[1] https://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles/
[2] https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0
[3] https://www.welivesecurity.com/2013/10/23/nymaim-browsing-for-trouble/
[6] https://github.com/EmergingThreats/threatresearch/blob/master/Nymaim/config_decompiler.py
Indicators of Compromise (IOCs)
IOC | IOC Type | Description
76b855f4822c0b26e098d7395723b31ad73c1606aebdb972380ef6c9f0bb4936 | SHA256 | Nymaim sample (2019)
8cb27fca6cf68888126a82c304083ebd78bba2b9f6fb241d2a177a3a80f12e8a | SHA256 | Nymaim sample (2019)
0f115ff9d7ecbe2b4872a18c14e97d6071a61435690729c9aa741cecc8982383 | SHA256 | Nymaim sample (2019)
7541c32d82b17e9d3a993f6721a1b84221dfbee6cbe7f060413a118c48ae64ee | SHA256 | Nymaim sample (2019)
43c19be78773a14196abb4ecb6436b54729373eacf84da7a9a2c3592ad960cae | SHA256 | Nymaim sample (2019)