Published on March 3, 2017 10:50 UTC by GovCERT.ch (permalink)
Last updated on March 3, 2017 10:58 UTC
Nymaim has been active worldwide since at least 2013 and is also responsible for many infections in Switzerland. Sinkhole data shows that Nymaim accounts for about 2% of the infected devices in Switzerland that hit sinkholes over the last few days.
When we looked at the Nymaim trojan in January, we were stunned by its powerful code obfuscation techniques and wrote an IDAPython script that deobfuscates the code using the debugger engine. Later we found that similar tools, which do this using code emulation, were already publicly available. Nevertheless, we decided to publish a paper about our approach, as it is a very nice case study for demonstrating how debugger orchestration works in IDAPython and for explaining the different disassembly strategies that can be used. Instrumenting the debugger means setting breakpoints from a script and running the code in pieces, which has a very dynamic and fascinating effect on the IDA GUI:
In addition, the Unicorn engine was applied as an alternative to the debugger. Finally, the deobfuscation of Windows API calls using the debugger approach is described, a problem where emulation techniques usually do not work because a full operating system environment is lacking. Some generalizations of the deobfuscation algorithm are discussed in order to be prepared for potential further developments of the obfuscation, and a few unusual locations are depicted where the obfuscation was applied to non-constant input parameters.
We recorded the IP addresses that one of the current C&C domains (olseneinfeis.com) resolved to over the past weeks. The domain name is hosted on a fast-flux botnet; the IP addresses are encrypted, and one of them acts as a checksum for the others (more about this can be found here). After removing the checksum IP, we found nearly 5'000 valid, decrypted IP addresses. These are mostly DSL lines, so we suspect a botnet behind them. The following picture shows the distribution of these IP addresses by country:
Our whitepaper can be downloaded here: