Black Hat SEO

Nymaim ransomware continues to spread through a new infection vector: Black Hat SEO

In recent weeks, ESET's malware research team in its Montreal lab has been examining the familiar Nymaim, a downloader with ransomware capabilities. The malware is spread through Darkleech, a threat that compromises web servers and redirects their visitors to the well-known Black Hole exploit kit. Darkleech has already infected many popular websites, disrupting users browsing their favourite sites. During the investigation, ESET analysts collected many different lockscreen designs from around the world; Nymaim has designs tailored specifically to individual European and North American countries. At the same time, ESET's research into the Trojan downloader confirmed that infections are ongoing and revealed a new spread vector, Black Hat SEO, which manipulates search engine rankings.


Building on its recent analysis of the increased activity of Filecoder, the family of ransomware Trojans that encrypt user files and demand a ransom from victims in exchange for a decryption program, ESET has conducted extensive research on this ransomware. The Trojan downloader, named Win32/Nymaim, is tied to a long-running DarkLeech / Black Hole exploit kit (BHEK) campaign known as the "home" campaign. According to the latest BHEK statistics from the independent security researcher Kafeine, the campaign has produced 2.8 million infections since it began.

"According to ESET LiveGrid® telemetry data, increased detections of ransomware Trojans have been observed since July 2013 and Nymaim is still active. Win32/Nymaim infects computers in two steps using two different executable files. The first executable (called "Win32/Nymaim First Stage") simply downloads and executes the second file (called "Win32/Nymaim Second Stage"). The second stage of Win32/Nymaim, which first appeared in September 2013, can also download other malware or lock the computer," notes Jean-Ian Boutin, Malware Researcher at ESET.

ESET detects both stages as Win32/Nymaim, as they share a lot of common code, including the obfuscation techniques described in the earlier blog post Nymaim – Obfuscation Chronicles, published on WeLiveSecurity.com in August 2013. ESET protects users from this threat with the new 7th generation of its ESET NOD32® Antivirus and ESET Smart Security® products. In particular, users are now better protected against ransomware Trojans thanks to the Advanced Memory Scanner. This function works after execution, aiming to detect malware that other protection layers have missed, and it mainly helps against malware that actively tries to evade detection through various obfuscation techniques.

"When we first discovered Win32/Nymaim, we only knew of one infection vector: downloads via BHEK. We now know that there is at least one more way this threat reaches unsuspecting internet users. Analysing some of the websites that drive these malicious downloads, we came to the conclusion that Black Hat SEO is used to place them as high as possible in search results when users search for popular keywords," adds Boutin.
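As an added illustration (not ESET's code and not drawn from the original article), here is the kind of cloaking check a practitioner can run against a URL suspected of being an SEO-poisoned landing page: it requests the page as a search-engine crawler, as a browser arriving from a search results page, and as a browser with no referer, then compares the visible text each one gets and looks for redirects or executable downloads served only to the search visitor. The header values, the `example.invalid` URLs and the two sample responses are constructed for the offline demonstration.

```python
"""Cloaking check for a suspected SEO-poisoned landing page (added example).

Fetch the same URL under three request profiles and compare what each is
served.  A page that shows keyword-rich text to the crawler but redirects
search visitors elsewhere (or offers them an executable) behaves like a
Black Hat SEO doorway page.
"""
import difflib
import re
import urllib.request
from html.parser import HTMLParser

# Request profiles.  Assumption: the header values are illustrative, not a
# definitive crawler fingerprint.  'direct_visitor' separates referer-based
# cloaking from user-agent-based cloaking.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_visitor": {"User-Agent": BROWSER_UA,
                       "Referer": "https://www.google.com/search?q=watch+free+movies"},  # constructed
    "direct_visitor": {"User-Agent": BROWSER_UA},
}

JS_REDIRECT = re.compile(r"\blocation(?:\.href)?\s*=|\blocation\.(?:replace|assign)\(")
DOWNLOAD_EXT = (".exe", ".scr", ".zip", ".msi")


class _PageSummary(HTMLParser):
    """Collect visible text plus anything that sends the visitor elsewhere."""

    def __init__(self):
        super().__init__()
        self._in_script = 0
        self.parts = []
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._in_script += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.redirects.append("meta refresh: " + a.get("content", ""))
        elif tag == "a" and a.get("href", "").lower().endswith(DOWNLOAD_EXT):
            self.redirects.append("download link: " + a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_script:
            self._in_script -= 1

    def handle_data(self, data):
        if self._in_script:  # script/style bodies: only look for JS redirects
            if JS_REDIRECT.search(data):
                self.redirects.append("js redirect: " + " ".join(data.split())[:80])
        else:
            self.parts.append(data)


def summarise(html):
    p = _PageSummary()
    p.feed(html)
    p.close()
    return {"text": " ".join(" ".join(p.parts).split()), "redirects": p.redirects}


def assess(variants, threshold=0.5):
    """variants: {profile name: html body}.  Returns similarity ratios, the
    reasons found and a verdict of 'cloaking' or 'consistent'."""
    s = {name: summarise(html) for name, html in variants.items()}

    def sim(a, b):
        return difflib.SequenceMatcher(None, s[a]["text"], s[b]["text"]).ratio()

    crawler_vs_search = sim("crawler", "search_visitor")
    direct_vs_search = sim("direct_visitor", "search_visitor")
    reasons = []
    if crawler_vs_search < threshold:
        reasons.append(f"crawler and search visitor see different text (similarity {crawler_vs_search:.2f})")
    if direct_vs_search < threshold:
        reasons.append(f"content depends on the search referer (similarity {direct_vs_search:.2f})")
    if s["search_visitor"]["redirects"] and not s["crawler"]["redirects"]:
        reasons.append("search visitor is redirected but the crawler is not: "
                       + "; ".join(s["search_visitor"]["redirects"]))
    return {"crawler_vs_search": crawler_vs_search, "direct_vs_search": direct_vs_search,
            "reasons": reasons, "verdict": "cloaking" if reasons else "consistent"}


def fetch_variants(url, timeout=10):
    """Live check: fetch the URL once per profile.  urlopen follows HTTP
    redirects itself; compare resp.geturl() with url to catch those too."""
    out = {}
    for name, headers in PROFILES.items():
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            charset = resp.headers.get_content_charset() or "utf-8"
            out[name] = resp.read().decode(charset, "replace")
    return out


# Constructed sample responses for an offline run (not captured from a real site).
CRAWLER_PAGE = """<html><head><title>Watch Free Movies Online in HD</title></head>
<body><h1>Free Movies</h1><p>Watch free movies online, free movie streaming,
new movies, free films in HD. Watch the latest free movies online today.</p>
</body></html>"""

SEARCH_VISITOR_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/landing">
</head><body><script>window.location.href="http://example.invalid/landing";</script>
Loading...</body></html>"""

SAMPLE = {"crawler": CRAWLER_PAGE, "search_visitor": SEARCH_VISITOR_PAGE,
          "direct_visitor": CRAWLER_PAGE}

if __name__ == "__main__":
    result = assess(SAMPLE)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run the module as-is to see the verdict on the constructed pages; for a live URL, pass the result of `fetch_variants(url)` to `assess()`. The similarity threshold is a heuristic and legitimate sites also vary content by user agent, so treat a "cloaking" verdict as a lead for manual review rather than proof.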

The ESET team has collected lockscreen designs from the following countries: Austria, Canada, France, Germany, Ireland, Mexico, the Netherlands, Norway, Romania, Spain, the United Kingdom and the USA. This list is certainly not final.

For most of the countries surveyed, the ransom is about 150 US dollars. The highest ransom was demanded of US residents (300 dollars), followed by Norway, the United Kingdom and Mexico, while in Romania the infected user was asked to pay only about 100 euros. The main vector, BHEK, is no longer operating since its creator was arrested. The future of Win32/Nymaim is therefore of real interest and, given the complexity of this malware, new variants are to be expected soon.

Those interested can read the blog post Nymaim: Browsing for Trouble for more information on the Win32/Nymaim research and the new infection vector, a study of the different lockscreen designs from around the world, a ranking of ransom amounts, and a full technical analysis of its communication. More information on how a system is infected and the many obfuscation techniques used is available in the blog post Nymaim – Obfuscation Chronicles on WeLiveSecurity.com, ESET's new platform for the latest security intelligence, cyber threat analysis and helpful tips.

eset.com/gr

iGuRu.gr: The Best Technology Site in Greece


Written by giorgos
