The reviving banking Trojan Nymaim infects computers of Poles

The topic of banking Trojans returns to the main AVLab pages every few months. This time, thanks to Orange CERT Polska, who warns against phishing from the domains @ orange.pl, @ neostrada.pl and @ ibb.waw.pl.

Traditionally, there is an Office file attached, which is not verified by anti-spam filters for macroviruses. Criminals, to encourage the opening of the attached order confirmation, invoice or anything else, must arouse interest. The easiest way to do it is to use the message in the style "attached we send the confirmation of the order in the form of an attachment". In this case, the name of the attached malicious document is "personalized" - the script sending these messages gets the user's name from the field of the recipient to whom the message should be sent. Orange CERT Polska points out that we are not dealing with e-mail leaks.

banking Trojan Nymaim invoice

Regardless of the attachment name, the procedure always looks the same: a malicious document contains macro commands that only after manual activation by the user run dangerous code that downloads and installs Nymaim malware - malicious software specialized in stealing logins and passwords to electronic banking services.

Trojan Nymaim (from 2013 used mainly as a dropper for the TorrentLocker ransomware) was created based on the source code of another malicious program (Gozi). Initially, it provided cybercriminals with remote access to PCs. Later, after the transformation, as a banking Trojan, it was classified by security researchers in the TOP-10 ranking of the most popular malicious financial programs.

banking Trojan Nymaim statistics

After a long break, malware returns to Poland, posing a potential threat to over 200 Polish banks (a dozen or so larger banks, including cooperative banks).

Banking Trojan Nymaim is able to replace a part of the bank's website or add new fields (webinject), as well as inject javascript code (eg as a reference to the external page). In previous versions, an optional bot_proxy module was found that attempts to open ports on the router using the UPNP protocol and is responsible for P2P communication in the botnet.

For the Trojan to steal money from the victim's account, it needs to capture one-off access codes or SMS codes. This can be done using the "webinject" method, by injecting an additional field into the page's source code in the form confirming the transfer, and in a completely different place than the bank client is used to, eg under the cover of additional authorization. The Trojan can perform a transfer to a defined account, or add a post-payee to defined transfers, after the appropriate setting, do not require confirmation by an SMS code.

It is possible that the new campaign with the Nymaim banking Trojan will be as popular as the previous one, when researchers from CERT Polska detected the Trojan's greatest activity in our country - it was about 50% of all observed botnet nodes.

We warn readers to pay attention to what they open. It is true that Microsoft Office and LibreOffice no longer automatically activate the attached macros, but caution is never too much. Such situations are particularly dangerous in workplaces requiring frequent contact with documentation and invoices. Appropriate protection in the form of blocking macroviruses, blocking outgoing network connections for files using the command line (powershell, cmd, wscript, cscript and others) or running such attachments in the sandbox is an absolute minimum to protect the system against malware.



Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.