Taking a Close Look at Data-Stealing NionSpy File Infector

By on

This blog was written by Sanchit Karve.

W32/NionSpy is a family of malware that steals information from infected machines and replicates to new machines over networks and removable thumb drives. Aside from stealing keystrokes, passwords, Bitcoins, system information, and files on disk, NionSpy (also known as Mewsei and MewsSpy) can record video (using the webcam), audio (using the microphone), take screenshots, and use infected machines as a proxy tunnel to connect to other machines within the network.

NionSpy is a prepender virus: It prefixes its malicious binary onto current executable files on a machine—as opposed to other data-stealing Trojans, which store all their functions in a single file. Viruses must ensure that they restore the original file prior to its execution to increase the likelihood that the original binary executes correctly.

Nionspy file structure

Most viruses decrypt the original binary just before execution. NionSpy, on the other hand, stores its decryption code in a separate DLL outside the stub to make file recovery difficult.

The malware achieves this by storing an encrypted copy of the DLL within every file it infects. Once an infected file executes, it registers itself to open all executable and shortcut files as a parameter to its /START command-line argument as shown:

%APPDATA%\{random folder name}\{malware executable}.exe [/RUNAS] /START “%1” %*

When the malware executable runs with an executable file as the /START parameter, it decrypts and loads the embedded DLL located within itself, opens the executable passed as the argument, and checks whether it is infected by finding its infection marker, “aCfG92KX27EhW6CqpcSo4Y94BnUrFmnNkP5EnT.” If the marker is not found, the executable runs as is. However, if the marker is found, the original file is decrypted by calling the “NP8IGN” function exported by the decrypted DLL, stored temporarily in the %TEMP% folder with a random name, and then executes.

Nionspy file execution

NionSpy’s file execution.

The location of the encrypted DLL and the hijacked file are obfuscated by an XOR/NEG operation, which when decrypted contains the location of the data, its size, and a seed value.

The seed is fed to Microsoft’s C implementation of rand()—a pseudo random number generator.

The virus also stores 4 to 7 bytes of information about its origin. If the file is created by infecting an executable file on disk, the term repl (for replication) is encrypted. If the file consists of just the dropper for the file infector, the term {random letter}.ode is encrypted and stored.

The sample contains a bit fewer than 700 strings encrypted in the same fashion based on rand(). The seed, length, and location of the string are stored in a special table accessed by the main string decryption routine. The strings are common for both the infector stub and the embedded DLL. However, not all strings in the table are used in the malware source code. Some strings, for example, seem to be intentionally left for researchers to discover.

The decrypted strings provide a wealth of information about the capabilities of the virus and even include an internal version number that is transmitted to the control server with every request.


The sample actively looks for installed firewall software and intentionally delays and limits its network communication if it finds a product from its blacklist.

One uncommon aspect to NionSpy is its inclusion of almost 200 MD5 hashes in the encrypted string table. When a command is sent by the virus’ control server, its MD5 hash is calculated and compared against the hashes in the malware table to decide which operation to perform. We suspect this decision was made to increase the effort required to statically analyze the sample. The following screen shows some of the MD5s along with their original strings:

We know of seven versions of the latest W32/NionSpy variant:

Internal Version Number Compile Timestamp MD5 Hash 02-JAN-2015 04227bd0f50a0ee9db78ca8af290647a 04-JAN-2015 7895e3bf8b614e4f4953295675f267eb 13-JAN-2015 1ccc528390573062ff2311fcfd555064 08-MAR-2015 d9e757fbc73568c09bcaa8bd0e47ad7d 13-MAR-2015 9750018a94d020a3d16c91a9495a7ec0 22-MAR-2015 722d97e222a1264751870a7ccc10858b 01-APR-2015 d7c20c6dbfca00cb1014adc25ad52274

Older variants of NionSpy are very primitive compared with the latest strain. Most strings are stored unencrypted, while about 40 to 50 strings are obfuscated using a 1-byte XOR key. The malware code appears to be more or less constant across versions with each change including small fixes for bugs and typos as well as the addition of a few enhancements (such as the ability to record audio for a variable amount of time in Version 7.6, instead of a constant 30 seconds in older versions). Some versions are compiled with different compilers to generate different binaries but are functionally identical.

Four versions of the older NionSpy variant are present in the wild.

Internal Version Number Compile Timestamp MD5 Hash
5.7 25-OCT-2013 b25c2d582734feb47c73e64b5e5c3c7e
5.8 26-OCT-2013 24a212895b66b5482d689184298fc7d6
6.2 31-OCT-2013 e9bbb8844768e4e98888c02bd8fe43d5
7.6 13-FEB-2013 6fa6e2ea19b37fc500c0b08c828aacc2


Because older NionSpy variants do not use MD5 hashes to check for control server commands, all commands are visible in their binaries:

Control Server Command Description
ls Sends listings of files in a directory
webcam Sends a video recording from the webcam to the control server
screenshot Sends a screenshot to the control server
recorder Records audio with microphone and sends to the control server
msgbox Displays a message to the infected user
backconnect Allows the attacker to use the infected machine as a proxy tunnel to connect to another machine
shutdown Powers off the infected machine
reboot Restarts the infected machine
download, upload Downloads or uploads a file
tray_open, tray_close Opens and closes the CD tray
exec_show, exec_hide Unknown
lock_distribution, unlock_distribution Unknown


NionSpy contacts the following control servers:

  • ftspbz.net46.net
  • nwoccs.zapto.org
  • z3mm6cupmtw5b2xx.onion

McAfee customers are already protected by the following detections:

  • W32/NionSpy
  • W32/NionSpy!dr
  • W32/NionSpy.b!dr
  • W32/NionSpy.c!dr
  • W32/NionSpy!dam
  • And other generic signatures

YARA Signature
rule NionSpy


description = “Triggers on old and new variants of W32/NionSpy file infector”


$variant2015_infmarker = “aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT”
$variant2013_infmarker = “ad6af8bd5835d19cc7fdc4c62fdf02a1”
$variant2013_string = “%s?cstorage=shell&comp=%s”


uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($variant*)


Leave a Comment

Similar articles

Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims. Destructive attacks have a critical impact on businesses, causing the loss of data or crippling business operations. When a company is impacted, the damage can be significant. Restoration can ...
Read Blog
This post was written with contributions from the McAfee Advanced Threat Research team.   The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download ...
Read Blog
Pay-per-install, or PPI for short, is a type of software program that presents users with third-party offers while they are in the middle of another download. If a user clicks on the third-party advertisement, the software developer earns money from the download. One specific PPI program has caught the attention of our McAfee ATR team, ...
Read Blog