Nymaim Malware Appears Again in Europe and North America

After 3 years since its first outbreak, the Nymaim malware appears again and spreads through an aggressive spearphising campaign using malicious Microsoft Word attachments.

Since the detection of the first Nymaim outbreak back in 2013, there have been recorded more than 2.8 million cases of infection through the “kill chain” mechanism, and techniques of avoiding detection. In the first half of 2016, ESET noticed again a significant increase in Nymaim’s detection.

Mainly affecting Poland (54% of detections), Germany (16%) and USA (12%), the renewed variant is detected as Win32/TrojanDownloader.Nymaim.BA, making its reappearance as a comprehensive spearfishing campaign with a malicious attachment (Word .doc) containing “misleading” Macros. The approach used to override the default Microsoft Word security settings through social engineering mechanisms is quite convincing in the English versions of MS Word.

In April, this specific version of the malware was combined with a hybrid variant of Nymaim and Gozi, namely GozNym, targeting financial institutions in North America, and was spread in Latin America, mainly in Brazil. This variant has given cybercriminals the ability to access remotely affected computers, instead of having typical file encryption or blocking effects.

Because of the similarities between the targets in countries with high and low rates of detection, we can be relatively sure that financial institutions remain at the center of this campaign.