Over the past month, the ProtectWise threat team has observed a multitude of strong malicious spam campaigns delivering a variety of Nymaim variants. Nymaim has been active and continuing to evolve for multiple years. It has grown up to primarily serve as a downloader that delivers various types of separate malware. In agreement with fellow researchers in the industry who have shared their findings on Nymaim, we have been observing similar tactics for delivery, such as emails with links or attachments with links in the body.
.doc Office File Campaign
The most recent, and strongest, campaigns we've followed are primarily delivering .doc office files with malicious macros. The phishing campaigns continue to fluctuate on the theme, but they tend to focus on government or bank notifications/warnings to entice the recipient into opening and enabling macro content.
Once the macros are enabled, the host then downloads Nymaim. Some malware filenames have been following patterns of Microsoft Office-type [dot] exe. For example, doc.exe, excel.exe and word.exe.
Below is the entire attack progression of the event, from email delivery to outbound beacon attempts.
This attack progression is displayed in the Killbox, within the ProtectWise Visualizer.
As you can see from the timeline in this example, within about fifteen seconds the user received the malicious email, opened an attachment and enabled content (the macro), which then downloaded Nymaim.
The next screenshot shows a GET request for doc.exe, which is the Nymaim binary.
Once the malware was downloaded, it began reaching out to various destinations attempting to successfully check-in with its owner. Below are two different beacon patterns which have been the most dominate over the previous weeks.
Lastly, a simple OK response is received if a beacon were to be successful.
In effort to reduce the likelihood of such attacks becoming successful, there are a couple points to focus on. First, become an advocate for strong user training around the common malicious tactics. The sense of urgency and personal concern is to entice the user into opening anything they receive - and it works. Secondly, as you can guess from this post, is the need for network monitoring capabilities. The correlation of file behavioral analysis, email monitoring, and general traffic signatures worked great for responding to this event.
Recommended Readings and Special Thank You
- Brandon Baxter - @CyberScimitar
- Matthew Mesa - @mesa_matt