This post was written with Rahamathulla Hussain.
During the past couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip attachment and tries to download other malware. This malware can steal a victim’s credentials, including personal details related to online shopping, banking, and other social networking websites.
Nivdort’s spam campaign
The new spam campaign contains a .zip file as an attachment. The contents of the email are carefully crafted to lure victims using social engineering techniques. The spam email may look like this:
The attackers also send fake emails appearing as WhatsApp content to maximize their outreach.
When an unsuspecting user clicks on the autoplay button, the malware will automatically download from a compromised website and execute. Upon execution it shows an error message to make the victim believe that the file cannot run, but in the background it is busy.
Nivdort acts in three cycles.
In the first cycle, the malware deobfuscates the packed content, encrypted strings, Windows registry, and API. To decrypt the content, it generates a decryption table from a single DWORD, which will decrypt other contents. The code flow follows:
This decryption table will decrypt strings such as dropped filename, run registry entry, service entry etc., as shown below:
In the second cycle, the malware first copies itself with the name as decrypted in the first cycle and then creates a service entry, as shown below:
The malware can also disable the infected user’s firewall notifications from the Windows Security Center with the following registry modification:
Adds value: “FirewallDisableNotify”
With data: “1”
To subkey: HKLMSOFTWAREMicrosoftSecurity Center
The malware next creates an autostart registry entry to make sure its copy will be executed upon rebooting:
The third cycle collects information such as computer name, IP address, and software and hardware configuration. It can also exfiltrate a victim’s login credentials and credit card data by recording the keystrokes, and can receive further instructions from the attacker:
It also connects to compromised websites such as prettyguard.net and buildingsuccess.net, which are being used by the malware for running ad campaigns. The code snippet below shows this:
These domain names are generated randomly as a combination of two strings, such as building + success [.] net, pretty + guard [.] net, from an array of strings decrypted in the first cycle. The array may look like:
When we tried to visit these domains, we were redirected to other malware-hosting websites. In this case, cigarettepresident.net redirected to sso.anbtr.com. These websites are flagged by Google Chrome and VirusTotal:
Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect this infostealer trojan as Trojan-FHSQ![Partial hash], Trojan-FHSI![Partial hash], and Trojan-FHSA![Partial hash] with DAT Versions 8065 and later.