It’s nearly 2017, and Word macros are STILL spreading malware
The miscreants behind the Nymaim malware dropper have updated their code to include better obfuscation and blacklisting against security software.
Analytics outfit Verint, which discovered the latest version and offers its analysis here, says the new code base targets phishing rather than the drive-by-download approach favoured by the original version of the malware.
Nymaim has been around since 2013, but has gone through few iterations to try and stay ahead of threat researchers.
Verint asserts that attacks are rising, up 63 per cent compared to last year.
They write that the variant has “new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of ‘anti-security solution/analysis’ blacklisting”.
The blacklist check happens pretty soon after the payload launches: it uses a Maxmind query to learn how the victim machine is connected to the Internet, and checks the query results for names of common security solutions (Fortinet, Cisco, Trend Micro and the like).
If it finds a match against the blacklist string, the Nymaim payload stops without trying to download the next stage payload.
The sample Verint’s researchers got their hands on arrived as a macro in a compromised Word document. ®