Nymaim, a trojan first detected in 2011, seems to have come back to life, as the number of detections recorded in the first six months of 2016 has already surpassed the numbers seen in the entire past year.

If we are to categorize this trojan, Nymaim is a classic malware dropper, also called a malware loader. Nymaim’s only purpose is to infect the system by some method and then download other, more dangerous and intrusive malware.

While crooks used it to download all sorts of nasty viruses in the past, Nymaim is mostly known to deliver ransomware.

Nymaim is also half of the GozNym banking trojan

The trojan grabbed headlines again in April this year when a criminal group developed a new banking trojan that merged the source code of the infamous Gozi banking trojan with Nymaim’s infection capabilities to create the virus known as GozNym.

According to security experts from ESET, since the start of the year crooks have once again turned to this trojan, which had been quietly dying since 2014.

Infections grew month by month, targeting users all over the world, but claiming the most victims in Poland (70 percent of all infections), Germany (18 percent), and the US (9 percent).

Recent Nymaim infections target Brazilians

Most recently, in the last month, ESET detected a vicious phishing campaign delivering Word documents that installed Nymaim when the user activated the document’s macro feature. This campaign was aimed at users living in Brazil alone.

This delivery method was also unusual, since Nymaim usually infected users via drive-by downloads when they visited malicious websites.

These most recent payloads are detected as Nymaim.BA, and a security researcher (@matthewm on VirusTotal) has tied some of its distribution to a series of IPs, which he recommends system administrators ban in order to stop Nymaim infections.


Nymaim infections in 2015 and 2016
