Brazilians hit hard by recent wave of Nymaim malware

Jul 12, 2016 21:30 GMT  ·  By

Nymaim, a trojan first detected in 2011, seems to have come back to life, as the number of detections recorded in the first six months of 2016 has already surpassed the figures seen in the entire past year.

If we are to categorize this trojan, Nymaim is a classic malware dropper, also called a malware loader. Nymaim's only purpose is to infect the system by some method and then download other, more dangerous and intrusive malware.

While crooks used to download all sorts of nasty viruses in the past, Nymaim is mostly known to deliver ransomware.

Nymaim also makes up half of the GozNym banking trojan

The trojan grabbed headlines again in April this year, when a criminal group developed a new banking trojan that merged the source code of the infamous Gozi banking trojan with Nymaim's infection capabilities to create the virus known as GozNym.

According to security experts from ESET, ever since the start of the year, crooks have yet again turned to this trojan, which had been quietly dying since 2014.

Infections grew month by month, targeting users all over the world, with most victims in Poland (70 percent of all infections), Germany (18 percent), and the US (9 percent).

Recent Nymaim infections target Brazilians

Most recently, more exactly last month, ESET detected a vicious phishing campaign delivering Word documents that installed Nymaim when the user activated the document's macro feature. This campaign was aimed at users living in Brazil alone.

This detail stood out, since Nymaim usually infected users via drive-by downloads when they visited malicious websites.

These most recent payloads are detected as Nymaim.BA, and a security researcher (@matthewm on VirusTotal) has tied some of its distribution to a series of IPs, which he recommends that system administrators block in order to stop Nymaim infections.

[Images: Nymaim infections in 2015 and 2016; countries most affected by Nymaim infections in 2016]