ESET researchers spotted a 63 percent uptick in the number of Nymaim malware detections during the first half of 2016 compared to the same time in 2015 and noticed a series of targeted attacks in Brazil.
Most appeared in Poland which accounted for 54 percent of all Nymaim detections this year but researchers noted highly target attacks directed at financial institutions in Brazil, according to a July 12 blog post.
“Despite the relatively low number of detections, which is to be expected due to the very specific target selection, Brazil accounts for 0.07% of all detection incidents involving this variant, placing it 11th in the list of countries where this variant was most often detected,” the post said.
The attacks in Brazil appeared to target selected victims soon after Nymaim was repackaged into Nymaim.BA, when both the downloader and Nymaim.BA payload were only able to be detected by a few antivirus engines, the post said.
Researchers said the latest version of the malware is spread via spearphishing campaigns using emails that contain malicious Microsoft Word or macros, unlike the 2013 version which used drive-by-download attacks delivered via compromised websites.
The macros uses social engineering “tricks” in an attempt to work around default Microsoft Word security settings that will prevent the malicious documents from running.
The document contains a block of “garbled text,” presumably to trick the victims into thinking something needs to be done in order to decode or decrypt the file, researchers said.
Next the app displays a message that reads “Enable Content to run in compatibility mode,” which is formatted very similar to the warning bar Microsoft uses to want users that macros in the current document has been disabled.
Researchers said the tricks may work well to convince users of the English versions of Microsoft Word to enable macros but are less compelling if the document is opened in a different language version of Word.
Users should blacklist the IP addresses, listed in the blog, that have been contacted by the malware and the URLs at the proxy, assuming the network supports this kind of filtering, researchers recommended in the post. They also suggested using anti-malware protection on endpoints as well as employing anti-phishing and web control capabilities.
In April 2016, researchers spotted Nymaim source code combined with Gozi IFSB banking malware to form the banking trojan GozNym to hit U.S. and Canadian banks.