SPREAD OF NYMAIM MALWARE INFECTION

dvisory ID: ngCERT-2025-010005

Summary: 

ngCERT has observed a widespread of the Nymaim malware infections across Nigerian cyberspace. The malware originally designed as a ransomware loader has become a multi-functional threat capable of delivering a variety of malicious payloads, such as banking Trojans, ransomware, and remote access tools (RATs). Known for its stealthy and modular design, Nymaim uses advanced techniques to evade detection and maintain persistence on infected systems. By leveraging social engineering, advanced obfuscation, and modularity, Nymaim poses a significant threat to individuals and organizations. Defending against such threats requires a multi-layered approach, including regular software updates, user awareness, and advanced threat detection tools. As Nymaim continues to evolve, staying vigilant and proactive is essential to mitigate its impact.

Damage/Probability: CRITICAL/HIGH

Platform(s): Operating Systems

Description: 

Nymaim malware attack chain reflects a carefully crafted sequence of steps designed to infiltrate systems, evade detection, and achieve the attacker’s objectives. Its initial attack process involves leveraging various entry points to compromise the target’s system. The most common attack vectors include phishing emails, drive-by downloads, compromised websites, execution and payload deployment. Upon execution, Nymaim decrypts and unpacks its malicious code, which is initially stored in an encrypted format. This ensures the payload remains undetected during the initial stages of infection. To maintain access, Nymaim modifies system settings, such as registry keys, to achieve persistence. It may also create scheduled tasks to ensure it runs every time the system starts, even after a reboot. Nymaim connects to a Command-and-Control (C2) server to download additional payloads tailored to the attacker’s objectives.

Consequences: 

Solution:  

ngCERT recommends the following:

• Keep all software and operating systems up to date.

• Regularly monitor network traffic for anomalous behavior.

• Train employees to identify phishing attempts and suspicious links.

• Effective use of anti-malware software and firewall system.

• Encourage reporting of suspicious emails to IT teams promptly.

• Notify stakeholders and comply with any regulatory requirements in case of a data breach.

References:

• https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded
• https://www.eset.com/int/about/newsroom/press-releases/announcements/nymaim-ransomware-still-active-finding-new-infection-vector-to-spread-black-hat-seo/
• https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim