Nymaim Botnet


Phoebe Sibilio

Aug 3, 2024, 11:21:53 AM
to tyhuanarels

Cyber criminals proliferate this virus by disguising it as a regular file or app (e.g., a legitimate app, document, etc.). For example, Nymaim is distributed using the "Job Application" spam email campaign and "The Roboto Condensed Font Was Not Found" web scam.

First noticed back in 2013, Nymaim is essentially a downloader designed to distribute other malware, such as ransomware, information stealers, and exploit kits. The presence of Nymaim might lead to various issues. For example, infiltrated ransomware-type viruses might permanently encrypt/corrupt data and lock the computer screen.

Information-stealing viruses record sensitive data (such as account credentials, banking information, keystrokes, web browsing activity, etc.). Cyber criminals could gain access to your bank, social network, and other personal accounts.

Exploit kits might also perform various actions: some distribute malware, whilst others connect infected computers to botnets or misuse system resources to stealthily perform dubious tasks (e.g., mine cryptocurrency). Therefore, the Nymaim virus should be removed from your computer.

If you suspect its presence, immediately run a full system scan using a reputable anti-virus suite and eliminate any detected threats. Furthermore, immediately change the passwords for all of your accounts.

There are hundreds of viruses that are similar to Nymaim - Hancitor and Emotet are just some examples. Although they are developed by different cyber criminals and their behavior might differ slightly, all pose a direct threat to your privacy and computer safety. Therefore, you should eliminate these threats immediately.

As mentioned above, Nymaim is typically proliferated using a disguise. For example, criminals distribute these viruses using fake updaters/installers (e.g., Adobe Flash Player updaters). These tools are promoted using rogue sites that display pop-ups containing deceptive messages claiming that certain software is outdated or missing.

Users receive emails encouraging them to open attached files (for example, MS Office documents). Once opened and macros are enabled, the embedded macros execute a number of commands that download and install malware onto the system. In any case, there are two main reasons for these computer infections: lack of knowledge of these threats and careless behavior.

To prevent this situation, be very cautious when browsing the internet and downloading/installing/updating software. Never open files or links received from suspicious/unrecognizable email addresses. Furthermore, download apps from official sources only and never use third party downloaders/installers/updaters.

Keep installed programs and operating systems up-to-date, however, to achieve this, use implemented functions or tools provided by the official developer only. Having a reputable anti-virus/anti-spyware suite installed and running is also paramount, since these tools can detect and eliminate malware before it does any damage.

The key to computer safety is caution. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

To remove this malware we recommend using Combo Cleaner Antivirus for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove, for example by looking for a suspicious program running on the computer.

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button.

Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window click "Troubleshoot", then select "Advanced options".

In the advanced options menu select "Startup Settings" and click the "Restart" button. In the following window press the "F5" key on your keyboard. This will restart your operating system in Safe Mode with Networking.

Run the Autoruns application and locate the suspicious program in its list of startup entries. You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware's entry through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Contact Tomas Meskauskas.


Most malware that we see is distributed through spam sent out by botnets. Other malware comes through "drive-by downloads" from compromised or malicious websites. Now one attacker is using legitimate bulk email services to spread the Nymaim Trojan, an alarming shift that could make such attacks harder to detect.

Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans.

Although most famously associated with early ransomware, Nymaim is, at its core, a downloader Trojan that can be used to install a variety of malware. Recently, we have been tracking new vectors and payloads for Nymaim, with multiple campaigns utilizing email to send document attachments or URLs leading to documents. When users open one of these documents, the macros download and install Nymaim. Then, in most cases, Nymaim installs the Ursnif banking Trojan on vulnerable PCs.

Not surprisingly, using a well-known email marketing service can improve the effectiveness of the attacks by improving link reputation, keeping senders on whitelists, and bypassing sampling by multiple security vendors who deliberately exclude bulk mailing services.

In other campaigns, Nymaim is being delivered through even more circuitous means. On February 17, for example, we tracked a malicious document attachment campaign in which Microsoft Word documents attached to emails with subjects "February payment" or "Fedex Delivery Notification" used macros to drop Pony onto PCs.

Email is the top vector for delivering Nymaim in these recent campaigns (whether via attached malicious documents or links to malicious URLs). We have identified two other interesting features in these new campaigns:

Nymaim is hardly new. But these campaigns bring some new approaches to the table. Abusing an email marketing service brings a number of benefits to the actors and leaves many recipients potentially more vulnerable to attack. It's possible to blacklist IP addresses associated with the botnets that typically distribute malware via email. But in this case, the campaign uses a known "good" mail distribution vector.

Without more advanced analysis in a sandbox environment, these kinds of attacks are difficult to catch. At the same time, actors are leveraging Nymaim's capabilities as a loader and its flexibility to distribute the latest banking Trojans.

hxxp://intuit.secureserver17[.]com/invoices/Invoice_897-84579.doc
hxxp://secure.secureserver17[.]com/invoices/Invoice_11471.doc
hxxp://quickbooks.intuit-invoices[.]com/invoices/qb_invoice_1147630.doc

dalinumsdeli42[.]com/posts/dli506.exe
www.billpay-center[.]com/invoices/007448322.doc
forget42gibb[.]com/post/506pblpks.exe
fini4kbimm[.]com
forget42gibb[.]com
grotesk14file[.]com
intro12duction1[.]com
finiki45toget[.]com
joreshi50indo[.]com
epay-solution[.]com
billpay-center[.]com
amoretaniintrodano36[.]com
amoretanioontradano37[.]com
amoretanoenntrodano38[.]com
amoretanoentrodano33[.]com
amoretanointrodanio39[.]com
amoretanointrodano31[.]com
amoretanoontrodano34[.]com
amoretanopintrodano40[.]com
amoretanopntrodano35[.]com
amoretanountrodano32[.]com
dalinamsdela41[.]com
dalinamsdele45[.]com
dalinamsdelo43[.]com
dalinamsdelu44[.]com
dalinamsdelu46[.]com
dalinumsdeli42[.]com
secureserver17[.]com
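The indicators above are published defanged (hxxp://, [.]) and mix bare domains with full document/executable URLs, so they cannot be pasted into a log search as-is. The following is an added example, not code from the original post or from Proofpoint: it refangs a subset of the indicators, builds a domain set and a URL set, and scans constructed proxy log lines. Domain matching is label-based, so a subdomain such as intuit.secureserver17.com hits secureserver17.com while a lookalike such as notsecureserver17.com does not. The indicator subset and the log lines are constructed here for the demonstration; the log format (timestamp, client IP, method, URL, status) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Subset of the defanged indicators from the list above, copied verbatim
# (constructed selection for this example; the full list parses the same way).
RAW_IOCS = """
[hxxp://intuit.secureserver17[.]com/invoices/Invoice_897-84579.doc]
dalinumsdeli42[.]com/posts/dli506.exe
www.billpay-center[.]com/invoices/007448322.doc
fini4kbimm[.]com
secureserver17[.]com
amoretanointrodano31[.]com
"""

# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_PROXY_LOG = """\
2016-02-17T09:12:03Z 10.0.0.15 GET http://intuit.secureserver17.com/invoices/Invoice_897-84579.doc 200
2016-02-17T09:12:07Z 10.0.0.15 GET http://dalinumsdeli42.com/posts/dli506.exe 200
2016-02-17T09:13:44Z 10.0.0.22 GET https://www.example.com/index.html 200
2016-02-17T09:14:10Z 10.0.0.31 GET http://mail.fini4kbimm.com/ 200
2016-02-17T09:15:01Z 10.0.0.40 GET http://notsecureserver17.com/ 200
"""


def refang(ioc):
    """Undo common defanging: hxxp(s) -> http(s), [.] or (.) -> ., wrapping [ ]."""
    s = ioc.strip().strip("[]")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_iocs(raw):
    """Return (domains, urls). Every entry contributes its host to `domains`;
    entries that carry a path also contribute host+path to `urls`."""
    domains, urls = set(), set()
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        clean = refang(line)
        if "://" not in clean:
            clean = "http://" + clean  # bare host or host/path entry
        parts = urlsplit(clean)
        host = parts.hostname.lower()
        domains.add(host)
        if parts.path and parts.path != "/":
            urls.add(host + parts.path)
    return domains, urls


def host_matches(host, domains):
    """Return the matching indicator for host or any parent domain, else None.
    The bare TLD is never tested, so 'com' alone cannot produce a hit."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(log_text, domains, urls):
    """Scan whitespace-separated proxy lines and return one dict per hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        host = parts.hostname.lower()
        matched = host_matches(host, domains)
        if matched:
            hits.append({
                "time": ts,
                "client": client,
                "url": url,
                "ioc": matched,
                # True when the full document/payload URL itself is listed
                "exact_url": (host + parts.path) in urls,
            })
    return hits


def demo():
    domains, urls = parse_iocs(RAW_IOCS)
    return scan_log(SAMPLE_PROXY_LOG, domains, urls)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A hit with exact_url set means the client fetched one of the listed lure documents or loader executables and warrants triage of that host for a follow-on Ursnif/Pony payload; a domain-only hit still identifies the infrastructure but could be, for instance, a DNS prefetch or a blocked request, so check the status field before escalating.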

c80f0f1006