Nivdort: Data-Stealing Trojan Arrives via Spam

Originally posted by McAfee

During the past couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip attachment and tries to download other malware. This malware can steal a victim’s credentials, including personal details related to online shopping, banking, and other social networking websites.

Nivdort’s spam campaign

The new spam campaign contains a .zip file as an attachment. The contents of the email are carefully crafted to lure victims using social engineering techniques. The spam email may look like this:

1

The attackers also send fake emails appearing as WhatsApp content to maximize their outreach.

2

When an unsuspecting user clicks on the autoplay button, the malware will automatically download from a compromised website and execute. Upon execution it shows an error message to make the victim believe that the file cannot run, but in the background it is busy.

3

Nivdort acts in three cycles.

First cycle

In the first cycle, the malware deobfuscates the packed content, encrypted strings, Windows registry, and API. To decrypt the content, it generates a decryption table from a single DWORD, which will decrypt other contents. The code flow follows:

4

This decryption table will decrypt strings such as dropped filename, run registry entry, service entry etc., as shown below:

5

Second cycle

In the second cycle, the malware first copies itself with the name as decrypted in the first cycle and then creates a service entry, as shown below:

6

The malware can also disable the infected user’s firewall notifications from the Windows Security Center with the following registry modification:

Adds value: “FirewallDisableNotify”

With data: “1”

To subkey: HKLM\SOFTWARE\Microsoft\Security Center

The malware next creates an autostart registry entry to make sure its copy will be executed upon rebooting:

7

Third cycle

The third cycle collects information such as computer name, IP address, and software and hardware configuration. It can also exfiltrate a victim’s login credentials and credit card data by recording the keystrokes, and can receive further instructions from the attacker:

17

9

It also connects to compromised websites such as prettyguard.net and buildingsuccess.net, which are being used by the malware for running ad campaigns. The code snippet below shows this:

10

11

These domain names are generated randomly as a combination of two strings, such as building + success [.] net, pretty + guard [.] net, from an array of strings decrypted in the first cycle. The array may look like:

12

When we tried to visit these domains, we were redirected to other malware-hosting websites. In this case, cigarettepresident.net redirected to sso.anbtr.com. These websites are flagged by Google Chrome and VirusTotal:

13

14

Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect this infostealer trojan as Trojan-FHSQ![Partial hash], Trojan-FHSI![Partial hash], and Trojan-FHSA![Partial hash] with DAT Versions 8065 and later.

//]]>