SCF Advanced Search

  • Total Members: 14062
  • Latest: jagwire
  • Total Posts: 41442
  • Total Topics: 14945
  • Online Today: 614
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Nivdort: Data-Stealing Trojan Arrives via Spam  (Read 2312 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Nivdort: Data-Stealing Trojan Arrives via Spam
« on: 18. February 2016., 18:40:47 »
Nivdort: Data-Stealing Trojan Arrives via Spam

This post was written with Rahamathulla Hussain.

During the past couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip attachment and tries to download other malware. This malware can steal a victim’s credentials, including personal details related to online shopping, banking, and other social networking websites.

Nivdort’s spam campaign

The new spam campaign contains a .zip file as an attachment. The contents of the email are carefully crafted to lure victims using social engineering techniques. The spam email may look like this:

The attackers also send fake emails appearing as WhatsApp content to maximize their outreach.

When an unsuspecting user clicks on the autoplay button, the malware will automatically download from a compromised website and execute. Upon execution it shows an error message to make the victim believe that the file cannot run, but in the background it is busy.

Nivdort acts in three cycles.

First cycle

In the first cycle, the malware deobfuscates the packed content, encrypted strings, Windows registry, and API. To decrypt the content, it generates a decryption table from a single DWORD, which will decrypt other contents. The code flow follows:

This decryption table will decrypt strings such as dropped filename, run registry entry, service entry etc., as shown below:

Second cycle

In the second cycle, the malware first copies itself with the name as decrypted in the first cycle and then creates a service entry, as shown below:

The malware can also disable the infected user’s firewall notifications from the Windows Security Center with the following registry modification:

Adds value: “FirewallDisableNotify”

With data: “1”

To subkey: HKLM\SOFTWARE\Microsoft\Security Center

The malware next creates an autostart registry entry to make sure its copy will be executed upon rebooting:

Third cycle

The third cycle collects information such as computer name, IP address, and software and hardware configuration. It can also exfiltrate a victim’s login credentials and credit card data by recording the keystrokes, and can receive further instructions from the attacker:

It also connects to compromised websites such as and, which are being used by the malware for running ad campaigns. The code snippet below shows this:

These domain names are generated randomly as a combination of two strings, such as building + success [.] net, pretty + guard [.] net, from an array of strings decrypted in the first cycle. The array may look like:

When we tried to visit these domains, we were redirected to other malware-hosting websites. In this case, redirected to These websites are flagged by Google Chrome and VirusTotal:

Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect this infostealer trojan as Trojan-FHSQ![Partial hash], Trojan-FHSI![Partial hash], and Trojan-FHSA![Partial hash] with DAT Versions 8065 and later.

Original article:
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

Nivdort: Data-Stealing Trojan Arrives via Spam
« on: 18. February 2016., 18:40:47 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising