Malicious Word Doc sends Nymaim and Password Stealer

NOTES:
Yesterday a mass malware email campaign was sent out to businesses. A similar campaign was conducted in mid-March 2016. Below is the post-infection traffic associated with this campaign and an example of how this malware steals your data if a user is tricked into enabling macros. Based on the traffic patterns I tentatively classified it as Nymaim alongside another info-stealing Trojan.

ASSOCIATED DOMAINS:

  • 146.247.26.14 – ovitkizatelefon.com – GET /ovitki/uploads/office.exe – Nymaim DOWNLOAD
  • 5.189.177.9 – kcrznhnlpw.com – POST /ip2rqdxn8h/index.php – Nymaim POST INFECTION TRAFFIC
  • 5.189.177.9 – nylon.com – POST /knbwm.php – POST INFECTION TRAFFIC
  • 65.100.209.36 – yoox.com – POST /ojlbxjsz.php – POST INFECTION TRAFFIC
ASSOCIATED DOMAINS AFTER REBOOT:

  • 62.143.3.182 – carvezine.com – POST /kou.php – POST INFECTION TRAFFIC
  • 31.184.234.22 – GET /links.php – Nymaim INJECTION CONTROL
  • 217.254.84.57 – nylon.com – POST /eld.php – POST INFECTION TRAFFIC
  • 95.130.160.63 – carvezine.com – POST /oxpcc.php – POST INFECTION TRAFFIC
IMAGES and DETAILS:

Shown above: Malicious Word document received as an email attachment, presenting the user with Enable Content [MACROS]
Shown above: After enabling content [Macros], office.exe is downloaded and the infection chain begins
Shown above: Post-infection traffic associated with Nymaim ("/index.php")
Shown above: Payload delivered by Nymaim
Shown above: Injected malicious files after reboot, set to run at start-up
Shown above: Post-infection traffic after reboot, highlighted in red
Shown above: To analyze the extent of the infection I visited ebay.com. Shortly after arriving at the site I was presented with a request to sign into my account. I entered the username hello and the password goodbye.
Shown above: Traffic associated with the ebay connection. The highlighted area shows an HTTP GET request to ebay.com followed by an HTTP GET request to the Nymaim injection control IP.
Shown above: Nymaim login injection page recorded my login name and password
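Added example (not part of the original post): a small detection script that checks proxy-log lines against the indicators listed above and flags the sequence captured here, a GET to ebay.com followed within a minute by a GET for /links.php from the injection control IP. The log format, source IPs and timestamps are constructed for the demo.

```python
import re
from datetime import datetime

# (host, method, path) triples from the indicator lists above.
INDICATORS = {
    ("ovitkizatelefon.com", "GET", "/ovitki/uploads/office.exe"): "Nymaim download",
    ("kcrznhnlpw.com", "POST", "/ip2rqdxn8h/index.php"): "Nymaim post-infection traffic",
    ("nylon.com", "POST", "/knbwm.php"): "post-infection traffic",
    ("yoox.com", "POST", "/ojlbxjsz.php"): "post-infection traffic",
    ("carvezine.com", "POST", "/kou.php"): "post-infection traffic (after reboot)",
    ("nylon.com", "POST", "/eld.php"): "post-infection traffic (after reboot)",
    ("carvezine.com", "POST", "/oxpcc.php"): "post-infection traffic (after reboot)",
}
INJECTION_CONTROL_IP = "31.184.234.22"  # GET /links.php, per the list above

# Constructed log format: "<date> <time> <src_ip> <method> <host> <path>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+) (\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "method": method, "host": host, "path": path}

def scan(lines):
    """Return (src_ip, timestamp, label) for each request matching an indicator."""
    hits, last_ebay = [], {}  # last_ebay: src -> time of its last GET to ebay.com
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        key = (r["host"], r["method"], r["path"])
        if key in INDICATORS:
            hits.append((r["src"], r["ts"], INDICATORS[key]))
        if r["method"] == "GET" and (r["host"] == "ebay.com" or r["host"].endswith(".ebay.com")):
            last_ebay[r["src"]] = r["ts"]
        if r["host"] == INJECTION_CONTROL_IP and r["path"] == "/links.php":
            label = "Nymaim injection control"
            prev = last_ebay.get(r["src"])
            if prev is not None and (r["ts"] - prev).total_seconds() <= 60:
                label += " (login injection after ebay.com visit)"
            hits.append((r["src"], r["ts"], label))
    return hits

# Constructed sample log reproducing the infection chain and the ebay.com injection.
SAMPLE_LOG = """\
2016-01-01 09:01:02 10.0.0.5 GET ovitkizatelefon.com /ovitki/uploads/office.exe
2016-01-01 09:01:09 10.0.0.5 POST kcrznhnlpw.com /ip2rqdxn8h/index.php
2016-01-01 09:02:00 10.0.0.7 GET www.example.com /
2016-01-01 09:30:10 10.0.0.5 GET www.ebay.com /
2016-01-01 09:30:12 10.0.0.5 GET 31.184.234.22 /links.php
""".splitlines()
```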
PAYLOAD FROM MALICIOUS WORD DOCUMENT: