Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging Threat on TROJ_NYMAIM

    • Updated:
    • 11 Jul 2016
    • Product/Version:
    • Deep Discovery Analyzer 5.0
    • Deep Discovery Analyzer 5.1
    • Deep Discovery Analyzer 5.5
    • Deep Discovery Email Inspector 2.0
    • Deep Discovery Email Inspector 2.1
    • Deep Discovery Email Inspector 2.5
    • Deep Discovery Inspector 3.6
    • Deep Discovery Inspector 3.7
    • Deep Discovery Inspector 3.8
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Hosted Email Security 2.0
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 8.0 2000/2003/2007
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Worry-Free Business Security Services 5.8
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • N/A N/A
Summary

NYMAIM malware was distributed via Black Hat SEO and Black Hole Exploit Kit (BHEK) in 2013. HTML lock screen was the known behavior during that time. As evolution continued, this malware delivered more torment in 2014 by distributing VAWTRAK, MIUREF, PONY and URSNIF. 

In 2015, this menace started to disseminate more banking Trojans with a twist. This version now checks system time via the GetSystemTime function before it continues its routine. This is an anti-analysis technique used to avoid replication of its behavior. 

NYMAIM has been distributing GOZI malware recently–a threat known for spy capability and detection evasion through obfuscation.

NYMAIM Infection Chain

Anti-Spam Pattern

LayerDetectionPattern VersionRelease Date
ARRIVALSPAM MAILAS229004/28/2016

VSAPI Pattern (Malicious File Detection)

LayerPatternPattern VersionRelease Date
INFECTIONHS_NYMAIM.SMVS12.481.0004/21/2016
INFECTIONTROJ_HPNYMAIM.SM212.380.0803/04/2016
INFECTIONTROJ_HPNYMAIM.SM112.372.0802/29/2016
INFECTIONTROJ_HPNYMAIM.SM12.366.0602/26/2016
INFECTIONTROJ_NYMAIM.SM10.678.0303/21/2014

WRS Pattern (Malicious URL and Classification)

LayerURLCategoryBlocking Date
EXPOSUREamoretanointrodanio39{blocked}.com/posts/amr507.exeVirus Accomplice02/23/2016
EXPOSUREamoretanointrodano31{blocked}.com/posts/amr507.exeVirus Accomplice02/23/2016
EXPOSUREamoretanountrodano32{blocked}.com/posts/amr507.exeVirus Accomplice02/23/2016
EXPOSUREbanyoperdem{blocked}.com/system/logs/office.exeDisease Vector04/19/2016
EXPOSUREbanyoperdem{blocked}.com:80/system/logs/office.exeDisease Vector04/19/2016
EXPOSUREsecureserver18{blocked}.com/dd/dl56.exeVirus Accomplice03/20/2016
EXPOSUREytugctbfm{blocked}.com/bewfa5ovkx/index.phpC&C04/20/2016
EXPOSUREcarsi12{blocked}.com/wp-includes/images/office.exeDisease Vector04/07/2016
EXPOSURE85{blocked}.171.195.89:80/zdf3nb6i/index.phpC&C04/19/2016
EXPOSURE5{blocked}.189.177.9:80/zdf3nb6i/index.phpC&C04/29/2016
EXPOSURE209{blocked}.11.159.179:80/zdf3nb6i/index.phpC&C04/20/2016
EXPOSUREkcrznhnlpw{blocked}.com/zdf3nb6i/index.phpDisease Vector04/06/2016
EXPOSUREsociallyvital{blocked}.com/images/office.exeDisease Vector03/29/2016
EXPOSUREmbcqjsuqsd{blocked}.com//fa7vi1df/index.phpDisease Vector04/05/2016
EXPOSURE85{blocked}.171.195.89:80/fa7vi1df/index.phpC&C04/19/2016
EXPOSURE177{blocked}.35.50.167:80/fa7vi1df/index.phpC&C04/29/2016
EXPOSUREytugctbfm{blocked}.com/bewfa5ovkx/index.phpC&C04/20/2016
EXPOSURE85{blocked}.171.195.89/bewfa5ovkx/index.phpC&C04/15/2016
EXPOSURE5{blocked}.154.240.145/bewfa5ovkx/index.phpC&C04/20/2016
 
Always use the latest pattern available to detect the old and new variants of TROJ_NYMAIM.
Details
Public

SOLUTION MAP - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAnti-Spam PatternNetwork Pattern
OfficeScan10.6 and aboveUpdate Pattern via web consoleUpdate Pattern via web consoleEnable Web Reputation Service*Update Pattern via web consoleNot ApplicableUpdate Pattern via web console
Worry Free Business SuiteStandardNot Applicable
Advanced/MSAUpdate Pattern via web console
Hosted
Deep Security8.0 and aboveNot ApplicableNot ApplicableUpdate Pattern via web console
ScanMailSMEX 10.0 and laterNot ApplicableUpdate Pattern via web consoleNot Applicable
SMD 5.0 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and laterNot ApplicableUpdate Pattern via web console
DDAN
DDEI
 
Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation Services features.

Recommendations

Threat Reports

You may also refer to Submitting suspicious or undetected virus for file analysis to Technical Support using Threat Query Assessment KB article.

Premium
Internal
Rating:
Category:
Troubleshoot
Solution Id:
1114570
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.