ESET Detection Technology Protects Users’ Browsing Against Ransomware TrojansFor the last several weeks, team at the ESET malware research lab in Montreal have been investigating the infamous Nymaim, a Trojan downloader with ransomware features. The malware is distributed through Darkleech, a malware that compromises web servers and can redirect users to the infamous Black Hole exploit kit. Darkleech has infected numerous high profile websites, creating troubles for users while browsing their favorite websites. Through the course of the research, our analysts were able to collect several different lockscreen designs throughout the world - Nymaim has customized designs for countries in Europe and North America. In addition, ESET investigation into the Trojan downloader confirmed infections and with new infection vector – Black Hat SEO (misusing search engines) - in spreading the malware.
Following up on the latest malware story on the increased Filecoder activity, ransomware Trojans that encrypt user files and try to extort a ransom from the victim in exchange for a decryptor utility, ESET has conducted further research into ransomware. The Trojan downloader dubbed Win32/Nymaim is associated with a long–running DarkLeech/Black Hole exploit kit (BHEK) campaign, known as the home campaign. Based on BHEK panel’s latest statistics uncovered by independent security researcher Kafeine, there have been 2.8 million infections since the beginning of this campaign.
“According to ESET LiveGrid® telemetry, since July 2013 there is a growing detection of ransomware Trojans and Nymaim is still active as well Win32/Nymaim compromises a computer in two steps, using two different executables. The first executable (referred to as“Win32/Nymaim first stage”) only downloads and runs the second executable (referred to as“Win32/Nymaim second stage”). Win32/Nymaim second stage, started to be seen since September 2013, can download additional malware or lock the computer,”
says Jean-Ian Boutin, ESET Malware Researcher.
ESET detects both stages as Win32/Nymaim because they contain a lot of common code, including the obfuscation techniques described in Nymaim – Obfuscation Chronicles, the first WeLiveSecurity.com blog post on this topic from August 2013. ESET has the capability to protect users against this type of threat with the new 7th generation of its flagship products ESET NOD32® Antivirus and ESET Smart Security®. Especially thanks to Advanced Memory Scanner users are more secure against ransomware Trojans. This security feature steps in as a post-execution method, aiming to detect the outstanding malware sets that other technologies haven’t spotted. The Scanner helps to protect against malware that actively tries to evade detection by employing obfuscation techniques.
“When we first discovered Win32/Nymaim, we were aware of only one infection vector: drive-by downloads using BHEK. We now know that there is at least one other way this threat is delivered to unsuspecting internet users. Our analysis of some of the webpages that initiate these malicious downloads reveals that Black Hat SEO is used to make them appear as high as possible in the search results when people search for popular keywords,” adds Boutin.
ESET team was able to obtain lockscreen designs from the following countries: Austria, Canada, France, Germany, Ireland, Mexico, Netherlands, Norway, Romania, Spain, United Kingdom and the United States. However this list is certainly not final.
For most of the countries examined, the ransom price has been around 150 USD. United States residents were asked to pay the highest price at 300 USD, followed by Norway, UK and Mexico, while in Romania the infected user could have paid only around 100 Euros. The main infection vector, BHEK, is no longer operational due to its author’s reported arrest. Therefore, the future of Win32/Nymaim and its distribution will no doubt be interesting and it appears inevitable that due to the complexity of this malware, we might see its variations again in the near future.
More information on the investigation of Win32/Nymaim revealing the new infection vector, a study of the different international lockscreen designs, and ransom prices as well as a complete technical analysis of its communication protocol is available in Nymaim: Browsing for Trouble blog post. More details on how a system gets infected and the numerous flow obfuscation techniques it uses can be retrieved via Nymaim – Obfuscation Chronicles blog post on WeLiveSecurity.com - ESET’s news platform with the latest information and analysis on cyber threats and useful security tips.