Installation
Nivdort variants can be installed on your PC when you open a spam email attachment. We have seen variants using the following spam email attachment names:
- 69ionela.zip
- antoinehope.exe
- agencydeptrenewals.exe
- coupon.pdf ___________________________________________.exe
- genieva.exe
- jasonisland.exe
- kimberley.exe
- mal_exe_admprofficek.pdf___________________________________________.exe
- thomas.exe
When you open the attachment the malware creates a directory in <system folder> with a random name, for example <system folder>\kzwrdrxpjplmfhg.
It also drops a copy of itself in %SystemRoot%\temp, <system folder> and %TEMP% with a random file name. For example, we have seen variants using the following file names:
It also drops the following configuration files in the directory it created in <system folder>
It changes the following registry entry so that it runs each time you start your PC. The value name can imitate a clean service, for example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Endpoint Controls WinHTTP Web"
With data: "<system folder>\bispxdqwmc.exe"
Payload
Steals your sensitive information
This malware can monitor your web browser activity. It then logs your user name and password when you access financial websites and online shops.
The stolen information is sent to a remote server via PHP. We have seen it connect to the following websites:
We have also seen the malware download other components and configuration files when it contacts the remote website.
Additional information
The target website contacted by the malware is constructed from a list of words in the malware code. The malware combines two of the words and adds .com or .net to generate the domain. For example, from the following list of words:
- gray
- jump
- move
- their
- sound
The malware could generate the following domains to access:
- jumpgray.net
- movegray.net
- theirsound.net
By generating domains in this way the malware makes it more difficult to predict which one will communicate back to the infected machine with a malicious download.
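The word-pair scheme described above, written out as an added example (not code from the original analysis): it enumerates every domain the five example words can produce and then runs the reverse check over a few constructed DNS log lines to flag queries that fit the pattern. The log format, the assumption that the two words are distinct, and the sample hosts are all assumptions for illustration.

```python
import itertools

# Word list taken from the page's example; the real sample carries a longer list.
WORDS = ["gray", "jump", "move", "their", "sound"]
TLDS = [".com", ".net"]

def candidate_domains(words=WORDS, tlds=TLDS):
    """Enumerate every domain the scheme on the page can produce: two
    distinct words concatenated, then .com or .net. Order matters
    (jumpgray != grayjump), so use permutations, not combinations."""
    return sorted(a + b + tld
                  for a, b in itertools.permutations(words, 2)
                  for tld in tlds)

def is_word_pair_domain(domain, words=WORDS, tlds=TLDS):
    """Return (word1, word2, tld) if `domain` fits the word-pair pattern,
    else None. Assumes the two words are distinct, as in the page's examples."""
    domain = domain.lower().rstrip(".")
    for tld in tlds:
        if not domain.endswith(tld):
            continue
        label = domain[:-len(tld)]
        for a in words:
            if label.startswith(a):
                b = label[len(a):]
                if b in words and b != a:
                    return (a, b, tld)
    return None

# Constructed sample DNS log (not from the page): "timestamp client query".
SAMPLE_DNS_LOG = """\
2016-02-01T10:00:01 10.0.0.5 www.microsoft.com
2016-02-01T10:00:02 10.0.0.5 jumpgray.net
2016-02-01T10:00:03 10.0.0.7 movegray.net
2016-02-01T10:00:04 10.0.0.5 theirsound.net
2016-02-01T10:00:05 10.0.0.9 graysound.org
"""

def flag_queries(log_text, words=WORDS, tlds=TLDS):
    """Return [(client, domain)] for queries that match the word-pair pattern,
    i.e. hosts worth checking for a Nivdort infection."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, query = parts
        if is_word_pair_domain(query, words, tlds):
            hits.append((client, query))
    return hits
```

With the five example words the scheme yields 40 candidate domains; the full word list in a real sample makes the space correspondingly larger, which is the point of the technique.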
Analysis by Zarestel Ferrer