NYMAIM has recently been distributing GOZI, a malware family known for its spying capability and for evading detection through obfuscation.

NYMAIM Infection Chain

Anti-Spam Pattern

Layer | Detection Pattern | Version | Release Date
ARRIVAL | SPAM MAIL | AS2290 | 04/28/2016

VSAPI Pattern (Malicious File Detection)

Layer | Pattern | Pattern Version | Release Date
INFECTION | HS_NYMAIM.SMVS | 12.481.00 | 04/21/2016
INFECTION | TROJ_HPNYMAIM.SM2 | 12.380.08 | 03/04/2016
INFECTION | TROJ_HPNYMAIM.SM1 | 12.372.08 | 02/29/2016
INFECTION | TROJ_HPNYMAIM.SM | 12.366.06 | 02/26/2016
INFECTION | TROJ_NYMAIM.SM | 10.678.03 | 03/21/2014

WRS Pattern (Malicious URL and Classification)

 
Always use the latest pattern available to detect the old and new variants of TROJ_NYMAIM.

SOLUTION MAP - What should customers do?

Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Anti-Spam Pattern | Network Pattern
OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | Not Applicable | Update Pattern via web console
Worry Free Business Suite | Standard | Not Applicable
Worry Free Business Suite | Advanced/MSA | Update Pattern via web console
Worry Free Business Suite | Hosted
Deep Security | 8.0 and above | Not Applicable | Not Applicable | Update Pattern via web console
ScanMail | SMEX 10.0 and later | Not Applicable | Update Pattern via web console | Not Applicable
ScanMail | SMD 5.0 and later
InterScan Messaging | IMSVA 8.0 and above
InterScan Web | IWSVA 6.0 and later
Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console
Deep Discovery | DDAN
Deep Discovery | DDEI
 
Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation Services features.
 

Recommendations

You may also refer to the KB article "Submitting suspicious or undetected virus for file analysis to Technical Support using Threat Query Assessment".