Bangladesh’s e-Government Computer Incident Response Team (BGD e-GOV CIRT) has issued a warning about widespread infections by the Nymaim loader (also tracked as Avalanche-Nymaim), indicating that a notable number of devices on Bangladeshi networks are likely compromised.
According to the latest notification, more than 27,000 malware-related events have been identified in the country through threat monitoring and data analysis. These events correspond to infected devices attempting to contact known botnet command-and-control (C2) servers.
Nymaim is a multi-stage downloader, or loader, traditionally used to deliver secondary payloads such as banking trojans, ransomware and information stealers; its loader component was later combined with the Gozi ISFB banking trojan in the GozNym hybrid. Nymaim was distributed through the Avalanche infrastructure, a large criminal hosting network dismantled in the international Operation Avalanche takedown in 2016.
Despite the takedown, CIRT reports continuing signs of earlier infections and related activity worldwide, including in Bangladesh. This indicates that some systems remain compromised, that updated variants of the malware are circulating, or both.
CIRT has identified indicators of malicious activity across at least 20 network service providers. Infected devices have been observed trying to reach known command servers, confirming that compromised devices remain active in Bangladesh.
The malware operates in multiple stages. After the initial infection it can download additional malicious components, so attackers can change its functionality over time, which makes signature-based detection harder. Nymaim and the payloads it delivers are designed to steal sensitive data such as banking credentials, card details and system information, which can then be used for fraud, account takeover and identity theft.
According to CIRT, the finance, government, retail and healthcare sectors are common targets, although ordinary users can also be affected.
The malware commonly spreads through malicious advertisements, infected email attachments and compromised websites; in some cases a drive-by download infects a user who merely visits a malicious page. Once on a system, it persists by modifying system configuration, drops its files into standard system directories so they blend in with legitimate software, and uses evasion techniques to avoid detection by security tools.
CIRT advises organizations to strengthen network monitoring, particularly for abnormal outbound connections, suspicious domain activity and unauthorized executables. It also recommends blocking known malicious domains and IP addresses, deploying endpoint detection and response (EDR) tooling, and performing routine forensic examination of systems.
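The monitoring advice above, as an added worked example that is not part of the CIRT notification: a Python script that runs a hypothetical indicator list over constructed outbound-connection log lines, flagging connections to listed domains and networks, egress on unexpected ports, direct-to-IP connections with no hostname, and periodic check-ins from one internal host to one external address (a typical loader beaconing pattern). The log format, the indicator values (RFC 5737 test addresses and example.* names), the internal ranges and the thresholds are all assumptions made for illustration, not real Nymaim or Avalanche infrastructure.

```python
"""Match outbound-connection log lines against C2 indicators and flag beaconing.

Added example, not code from BGD e-GOV CIRT. The log format, indicator values
and sample lines are constructed placeholders (RFC 5737 test ranges, example.*
names), not real Nymaim/Avalanche infrastructure.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Hypothetical blocklist as a CIRT might distribute it (placeholders).
KNOWN_C2_DOMAINS = {"update-check.example.net", "cdn-sync.example.org"}
KNOWN_C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical site baseline: internal ranges and ports normally allowed out.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXPECTED_EGRESS_PORTS = {80, 443}

# Assumed (constructed) log format:
#   <ISO-8601 UTC timestamp> <src_ip> -> <dst_ip>:<dst_port> <hostname or ->
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):(?P<port>\d+)\s+(?P<host>\S+)$")


@dataclass
class Event:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    port: int
    host: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        return Event(ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                     src=ipaddress.ip_address(m["src"]), dst=ipaddress.ip_address(m["dst"]),
                     port=int(m["port"]), host=m["host"].lower())
    except ValueError:  # bad timestamp or IP literal
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETWORKS)


def indicator_hits(ev: Event) -> List[str]:
    """Return the reasons (if any) this single connection is suspicious."""
    hits = []
    if ev.host in KNOWN_C2_DOMAINS:
        hits.append("known C2 domain")
    if any(ev.dst in net for net in KNOWN_C2_NETWORKS):
        hits.append("known C2 network")
    if is_internal(ev.src) and not is_internal(ev.dst):  # egress traffic only
        if ev.port not in EXPECTED_EGRESS_PORTS:
            hits.append(f"unexpected egress port {ev.port}")
        if ev.host == "-":
            hits.append("direct-to-IP connection without hostname")
    return hits


def beaconing_pairs(events: List[Event], min_count: int = 4,
                    max_jitter: float = 0.2) -> List[Tuple[str, str, int]]:
    """Flag internal->external pairs that check in at near-constant intervals (illustrative thresholds)."""
    by_pair = defaultdict(list)
    for ev in events:
        if is_internal(ev.src) and not is_internal(ev.dst):
            by_pair[(ev.src, ev.dst)].append(ev.ts)
    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append((str(src), str(dst), round(mean)))
    return flagged


def scan(lines):
    """Return (per-connection alerts, beaconing pairs) for a batch of log lines."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    alerts = []
    for ev in events:
        hits = indicator_hits(ev)
        if hits:
            alerts.append({"ts": ev.ts.isoformat(), "src": str(ev.src), "dst": str(ev.dst),
                           "port": ev.port, "host": ev.host, "hits": hits})
    return alerts, beaconing_pairs(events)


# Constructed sample log: one host beaconing to a listed domain, one making a
# direct-to-IP connection on an odd port, two benign connections, one bad line.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.1.2.3 -> 203.0.113.7:443 update-check.example.net
2024-05-01T09:05:00Z 10.1.2.3 -> 203.0.113.7:443 update-check.example.net
2024-05-01T09:10:00Z 10.1.2.3 -> 203.0.113.7:443 update-check.example.net
2024-05-01T09:15:00Z 10.1.2.3 -> 203.0.113.7:443 update-check.example.net
2024-05-01T09:03:12Z 10.1.2.4 -> 198.51.100.9:8080 -
2024-05-01T09:07:45Z 10.1.2.5 -> 198.51.100.20:443 www.example.com
2024-05-01T09:08:00Z 10.1.2.5 -> 10.1.0.10:445 fileserver.corp.local
this line is malformed and is skipped by the parser
"""

if __name__ == "__main__":
    found, beacons = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} {a['host']}: {', '.join(a['hits'])}")
    for src, dst, period in beacons:
        print(f"beaconing: {src} -> {dst} every ~{period}s")
```

The indicator match is the cheap, high-confidence part; the port, hostname and beaconing heuristics are what catch a loader whose updated variant uses infrastructure not yet on any list, and they need tuning against a site's own egress baseline before being used for alerting.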
Where an infection is suspected, organizations are encouraged to isolate affected devices from the network, reset any credentials that may have been exposed, and restore systems from clean backups. The agency has stressed that potential incidents should be reported through its official channels as part of a broader effort to reduce risk.
