
Win32/Nymaim - another infection vector
Win32/TrojanDownloader.Nymaim is a Trojan downloader that also has ransomware features and can lock a user's computer for ransom. We have written about it before and noted that, to spread this threat, the attackers compromised Linux-based web servers and used them to deliver malicious code to users. Nymaim was installed on users' computers by the Blackhole exploit kit, whose author was recently arrested by law enforcement agencies. Recent research by the independent researcher Kafeine, based on an analysis of one of the control panels of this exploit kit, shows that attackers were able to infect nearly 3 million users since the start of the operation known as The Home Campaign.

Our previous analysis of Nymaim focused on the code obfuscation methods the attackers used to complicate analysis. In this article we look in more detail at a new infection vector and at the protocol used to communicate with the C&C.
Win32/Nymaim compromises a user's computer using two different executable files. The first acts as a loader: it downloads the second file from the server and executes it. This second module can download other malware to the user's computer or simply lock it for ransom. ESET antivirus products detect both files as Win32/Nymaim because they share a lot of code.
When we first discovered Nymaim, it appeared to use only one infection vector: covert installation through the Blackhole exploit kit (drive-by). It has now become clear that the attackers used another way to deliver this threat to users.
Since the end of September, a large number of detections of this malware have been recorded among files downloaded from the Internet with a web browser. Looking through the download logs in these cases, we found that the addresses from which users arrived at these files (the referrer) belonged to Google. This indicates that the users were performing search queries. Our analysis of some of the web pages that triggered the download of malicious code showed that the attackers used “Black Hat SEO” to promote links to malicious content.
Attackers create special web pages called doorways, which are intended to be indexed by search engine robots. The doorways we studied try to raise their search engine ranking by spoofing or imitating popular web pages. As soon as the user clicks one of the links in the search results, the download of an archive begins, and its name corresponds to the text of the search query. In fact, the doorway page simply redirects the user to another site that hosts this archive.

Fig. A Fiddler session that shows the web page request referral chain.
As the screenshot above shows, when the user clicks the search result link, the browser is redirected to a special web page, from which it is redirected to the archive. These redirects are invisible to the user, who ends up seeing a blank web page and a downloaded archive. The archive contains an executable file that, once launched, installs malicious code on the system. The name of the archive closely follows the text of the search query in order to gain the user's trust. For example, the same archive is served under different names depending on the text of the search query. The following are names we obtained for one archive with malicious code:
- ieee-papers-on-soft-computing-pdf.exe
- investments-9th-edition-2011-pdf.exe
- video-studio-x4.exe
- advance-web-technology-pdf.exe
- new-headway-beginner-3rd-edition.exe
- lourdes-munch-galindo-fundamentos-de-administraci-n-pdf.exe
- numerical-analysis-by-richard-burden-and-douglas-faires-pdf.exe
- speakout-pre-intermediate-wb-pdf.exe
- nfs-shift-wvga-apk.exe
- barbie-12-dancing-princesses-soundtrack.exe
- donkey-kong-country-3-rom-portugues.exe
- descargar-libro-english-unlimited-pre-intermediate-pdf.exe
Note that all these names belong to the same file, with many names resembling pirated content.
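A triage heuristic for proxy or download logs built on the pattern described above, as an added example that is not part of the original article. The record field names (`url`, `referrers`), the extra decoy words and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Words that make an .exe look like a document, app or media file. "pdf", "apk",
# "rom" and "soundtrack" occur in the names listed above; the rest are assumed.
DECOY_WORDS = {"pdf", "apk", "rom", "soundtrack", "epub", "doc", "mp3"}
# Hyphenated, query-like slug of three or more words ending in .exe.
SLUG_EXE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+){2,}\.exe$", re.I)
SEARCH_HOST = re.compile(r"(?:^|\.)google\.(?:com|[a-z]{2}|com?\.[a-z]{2})$", re.I)

def file_name(url):
    return urlparse(url).path.rsplit("/", 1)[-1]

def name_reasons(name):
    """Reasons a downloaded file name matches the doorway naming pattern."""
    reasons = []
    if SLUG_EXE.match(name):
        reasons.append("query-slug-exe")
        if set(name.lower()[:-4].split("-")) & DECOY_WORDS:
            reasons.append("decoy-content-word")
    return reasons

def triage(record):
    """record: {'url', 'referrers'} (hypothetical fields, oldest hop first)."""
    reasons = name_reasons(file_name(record["url"]))
    hosts = [urlparse(r).hostname or "" for r in record["referrers"]]
    if hosts and SEARCH_HOST.search(hosts[0]):
        reasons.append("search-referrer")
        # Search result -> doorway -> file served from a third host.
        if len(hosts) > 1 and urlparse(record["url"]).hostname not in hosts:
            reasons.append("cross-site-redirect")
    return reasons

# Constructed proxy-log records; hosts use the reserved .example TLD.
SAMPLES = [
    {"url": "http://files.example/get/investments-9th-edition-2011-pdf.exe",
     "referrers": ["https://www.google.com/search?q=investments+9th+edition+2011+pdf",
                   "http://doorway.example/investments-9th-edition-2011-pdf.html"]},
    {"url": "http://vendor.example/downloads/setup.exe",
     "referrers": ["http://vendor.example/downloads/"]},
]

def flagged(records, threshold=3):
    """File names whose records collect at least `threshold` reasons."""
    return [file_name(r["url"]) for r in records if len(triage(r)) >= threshold]
```

The name check alone is weak evidence (`video-studio-x4.exe` matches only the slug rule), so the threshold combines it with the referrer chain.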
We observed several malware families being spread through this infrastructure. Among them are fake antiviruses (Fake AV), which ESET detects as Win32/AdWare.SecurityProtection.A, as well as Win32/Sirefef (ZeroAccess) and the Win32/Nymaim already described.
In the course of our study we collected several lock screen designs for different countries. Win32/Nymaim uses different designs for countries in Europe and North America. The following list of countries for which we were able to obtain designs is not exhaustive, since we did not investigate all cases.
- Austria
- Canada
- France
- Germany
- Ireland
- Mexico
- Holland
- Norway
- Romania
- Spain
- Great Britain
- USA
Interestingly, the ransom amount differs from country to country. The following chart shows the amounts for different countries in US dollars.

For most of the countries surveyed, the ransom is around $150. However, for residents of the United States the figure is much higher, at $300.
When the first stage of Win32/Nymaim infects a computer, it tries to obtain a list of proxy addresses using IP addresses that are hard-coded in the body of the malware itself. The second stage of Win32/Nymaim (that is, another dropper, which is responsible for the second stage of the threat), the lock screen design and other malicious code are downloaded through these proxy servers. The addresses of these servers change quite often and are apparently used to hide the C&C addresses. If none of the proxies is available, Nymaim uses a URL that is hard-coded in its code.
The malware's network communication with the server is encrypted using salted RC4 (that is, RC4 with extra bytes added to the key to hinder analysis). The following screenshot shows the format of the encrypted TCP packet.

The length of the “salt” data is obtained by applying a 0xF mask to the first byte of the encrypted message. The data is then decrypted by adding the “salt” bytes to the following static RC4 key: “* & ^ V8trcv67d [wf9798687RY”.
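The decoding step described above, as an added example for analysts working with captured traffic (not code from the original article or from the malware). The packet layout was shown in a screenshot that is not on this page, so two points are assumptions: the salt bytes directly follow the first byte, and the salt is appended after the static key. The static key is passed in as a parameter, and `build_sample` exists only to construct test input.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def split_packet(packet: bytes):
    """Return (salt, ciphertext). Assumed layout: [first byte][salt][ciphertext]."""
    if not packet:
        raise ValueError("empty packet")
    salt_len = packet[0] & 0x0F            # 0xF mask on the first byte
    if len(packet) < 1 + salt_len:
        raise ValueError("packet shorter than its declared salt")
    return packet[1:1 + salt_len], packet[1 + salt_len:]

def decrypt_packet(packet: bytes, static_key: bytes) -> bytes:
    """Decrypt one packet with the per-packet key static_key + salt (assumed order)."""
    salt, body = split_packet(packet)
    return rc4(static_key + salt, body)

def build_sample(plaintext: bytes, static_key: bytes, salt: bytes,
                 high_nibble: int = 0xA0) -> bytes:
    """Constructed test packet in the assumed layout; salt must be at most 15 bytes."""
    if len(salt) > 0x0F:
        raise ValueError("salt length does not fit in the low nibble")
    first = (high_nibble & 0xF0) | len(salt)
    return bytes([first]) + salt + rc4(static_key + salt, plaintext)
```

Because the salt changes the RC4 key for every packet, identical plaintexts produce different ciphertexts, so byte-pattern signatures on the payload will not match across sessions.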
After decryption, the data has the following structure.

As noted earlier, Win32/Nymaim either locks the user's OS or downloads malware and installs it later. A second level of encryption is used in the latter case, when malware is downloaded. The header is encrypted using RSA, while the data is encrypted with a custom algorithm. The encryption scheme is shown in the screenshot below.

- RSA is used to decrypt the first 128 bytes (the key is the same in all the samples we saw).
- The integrity of the header and of the body part containing the data is checked.
- The integrity of the remaining piece of data is checked.
- The data is decrypted using two keys obtained from the header; the screenshot below shows this more clearly.
- The integrity of the decrypted data is verified.
- The decrypted data is decompressed using aPLib.
