Nymaim - obfuscation chronicles
| Field | Value |
|---|---|
| Botnet | Nymaim |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-08-26 |
| Editor/Conference | ESET |
| Link | http://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles/ (Archive copy) |
| Author | Jean-Ian Boutin |
| Type | Blogpost |
Abstract
“Last month, my colleague Sébastien Duquette detailed the home campaign, a long-lasting operation consisting of compromised web servers running a malicious Apache module named Darkleech (detected by ESET as Linux/Chapro) that redirects visitors to a Blackhole exploit kit. Sébastien stated that one of the final payloads dropped by this operation was the Win32/Nymaim downloader/ransomware family. In this blog post, we will look at the technical details of this particular malware and how it ends up getting installed on an end-user’s computer. We will also look at the various control flow obfuscation techniques that make its analysis as interesting as it is challenging.”
Bibtex
```bibtex
@misc{2013BFR1364,
  editor       = {ESET},
  author       = {Jean-Ian Boutin},
  title        = {Nymaim - obfuscation chronicles},
  date         = {26},
  month        = Aug,
  year         = {2013},
  howpublished = {\url{http://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles/}},
}
```