{"id":42653,"date":"2015-04-14T05:06:29","date_gmt":"2015-04-14T12:06:29","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=42653"},"modified":"2025-06-06T01:07:10","modified_gmt":"2025-06-06T08:07:10","slug":"taking-a-close-look-at-data-stealing-nionspy-file-infector","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/","title":{"rendered":"Taking a Close Look at Data-Stealing NionSpy File Infector"},"content":{"rendered":"

This blog was written by Sanchit Karve.<\/em><\/p>\n

W32\/NionSpy is a family of malware that steals information from infected machines and replicates to new machines over networks and removable thumb drives. Aside from stealing keystrokes, passwords, Bitcoins, system information, and files on disk, NionSpy (also known as Mewsei and MewsSpy) can record video (using the webcam), audio (using the microphone), take screenshots, and use infected machines as a proxy tunnel to connect to other machines within the network.<\/p>\n

NionSpy is a prepender virus: It prefixes its malicious binary onto current executable files on a machine\u2014as opposed to other data-stealing Trojans, which store all their functions in a single file. Viruses must ensure that they restore the original file prior to its execution to increase the likelihood that the original binary executes correctly.<\/p>\n

Most viruses decrypt the original binary just before execution. NionSpy, on the other hand, stores its decryption code in a separate DLL outside the stub to make file recovery difficult.<\/p>\n

The malware achieves this by storing an encrypted copy of the DLL within every file it infects. Once an infected file executes, it registers itself to open all executable and shortcut files as a parameter to its \/START command-line argument as shown:<\/p>\n

%APPDATA%\\{random folder name}\\{malware executable}.exe [\/RUNAS] \/START “%1” %*<\/p>\n

When the malware executable runs with an executable file as the \/START parameter, it decrypts and loads the embedded DLL located within itself, opens the executable passed as the argument, and checks whether it is infected by finding its infection marker, \u201caCfG92KX27EhW6CqpcSo4Y94BnUrFmnNkP5EnT.\u201d If the marker is not found, the executable runs as is. However, if the marker is found, the original file is decrypted by calling the \u201cNP8IGN\u201d function exported by the decrypted DLL, stored temporarily in the %TEMP% folder with a random name, and then executes.<\/p>\n

NionSpy’s file execution.<\/em><\/p>\n

The location of the encrypted DLL and the hijacked file are obfuscated by an XOR\/NEG operation, which when decrypted contains the location of the data, its size, and a seed value.<\/p>\n

\"\"<\/p>\n

The seed is fed to Microsoft\u2019s C implementation of rand()<\/a>\u2014a pseudo random number generator.<\/p>\n

\"\"<\/p>\n

The virus also stores 4 to 7 bytes of information about its origin. If the file is created by infecting an executable file on disk, the term repl<\/em> (for replication) is encrypted. If the file consists of just the dropper for the file infector, the term {random letter}.ode<\/em> is encrypted and stored.<\/p>\n

\"\"<\/p>\n

The sample contains a bit fewer than 700 strings encrypted in the same fashion based on rand(). The seed, length, and location of the string are stored in a special table accessed by the main string decryption routine. The strings are common for both the infector stub and the embedded DLL. However, not all strings in the table are used in the malware source code. Some strings, for example, seem to be intentionally left for researchers to discover.<\/p>\n

\"\"<\/p>\n

The decrypted strings provide a wealth of information about the capabilities of the virus and even include an internal version number that is transmitted to the control server with every request.<\/p>\n

\"\"<\/p>\n

 <\/p>\n

\"\"<\/p>\n

The sample actively looks for installed firewall software and intentionally delays and limits its network communication if it finds a product from its blacklist.<\/p>\n

\"\"<\/p>\n

One uncommon aspect to NionSpy is its inclusion of almost 200 MD5 hashes in the encrypted string table. When a command is sent by the virus\u2019 control server, its MD5 hash is calculated and compared against the hashes in the malware table to decide which operation to perform. We suspect this decision was made to increase the effort required to statically analyze the sample. The following screen shows some of the MD5s along with their original strings:<\/p>\n

\"\"<\/p>\n

We know of seven versions of the latest W32\/NionSpy variant:<\/p>\n

\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
Internal Version Number<\/strong><\/td>\nCompile Timestamp<\/strong><\/td>\nMD5 Hash<\/strong><\/td>\n<\/tr>\n
5.8.6.0<\/td>\n02-JAN-2015<\/td>\n04227bd0f50a0ee9db78ca8af290647a<\/td>\n<\/tr>\n
5.8.7.0<\/td>\n04-JAN-2015<\/td>\n7895e3bf8b614e4f4953295675f267eb<\/td>\n<\/tr>\n
6.0.0.0<\/td>\n13-JAN-2015<\/td>\n1ccc528390573062ff2311fcfd555064<\/td>\n<\/tr>\n
6.1.9.1<\/td>\n08-MAR-2015<\/td>\nd9e757fbc73568c09bcaa8bd0e47ad7d<\/td>\n<\/tr>\n
6.2.1.1<\/td>\n13-MAR-2015<\/td>\n9750018a94d020a3d16c91a9495a7ec0<\/td>\n<\/tr>\n
6.2.3.0<\/td>\n22-MAR-2015<\/td>\n722d97e222a1264751870a7ccc10858b<\/td>\n<\/tr>\n
6.2.5.1<\/td>\n01-APR-2015<\/td>\nd7c20c6dbfca00cb1014adc25ad52274<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Older variants of NionSpy are very primitive compared with the latest strain. Most strings are stored unencrypted, while about 40 to 50 strings are obfuscated using a 1-byte XOR key. The malware code appears to be more or less constant across versions with each change including small fixes for bugs and typos as well as the addition of a few enhancements (such as the ability to record audio for a variable amount of time in Version 7.6, instead of a constant 30 seconds in older versions). Some versions are compiled with different compilers to generate different binaries but are functionally identical.<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

Four versions of the older NionSpy variant are present in the wild.<\/p>\n

\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n
Internal Version Number<\/strong><\/td>\nCompile Timestamp<\/strong><\/td>\nMD5 Hash<\/strong><\/td>\n<\/tr>\n
5.7<\/td>\n25-OCT-2013<\/td>\nb25c2d582734feb47c73e64b5e5c3c7e<\/td>\n<\/tr>\n
5.8<\/td>\n26-OCT-2013<\/td>\n24a212895b66b5482d689184298fc7d6<\/td>\n<\/tr>\n
6.2<\/td>\n31-OCT-2013<\/td>\ne9bbb8844768e4e98888c02bd8fe43d5<\/td>\n<\/tr>\n
7.6<\/td>\n13-FEB-2013<\/td>\n6fa6e2ea19b37fc500c0b08c828aacc2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

Because older NionSpy variants do not use MD5 hashes to check for control server commands, all commands are visible in their binaries:<\/p>\n

\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Control Server Command<\/strong><\/td>\nDescription<\/strong><\/td>\n<\/tr>\n
ls<\/td>\nSends listings of files in a directory<\/td>\n<\/tr>\n
webcam<\/td>\nSends a video recording from the webcam to the control server<\/td>\n<\/tr>\n
screenshot<\/td>\nSends a screenshot to the control server<\/td>\n<\/tr>\n
recorder<\/td>\nRecords audio with microphone and sends to the control server<\/td>\n<\/tr>\n
msgbox<\/td>\nDisplays a message to the infected user<\/td>\n<\/tr>\n
backconnect<\/td>\nAllows the attacker to use the infected machine as a proxy tunnel to connect to another machine<\/td>\n<\/tr>\n
shutdown<\/td>\nPowers off the infected machine<\/td>\n<\/tr>\n
reboot<\/td>\nRestarts the infected machine<\/td>\n<\/tr>\n
download, upload<\/td>\nDownloads or uploads a file<\/td>\n<\/tr>\n
tray_open, tray_close<\/td>\nOpens and closes the CD tray<\/td>\n<\/tr>\n
exec_show, exec_hide<\/td>\nUnknown<\/td>\n<\/tr>\n
lock_distribution, unlock_distribution<\/td>\nUnknown<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

NionSpy contacts the following control servers:<\/p>\n

    \n
  • 109.195.54.18:7978<\/li>\n
  • 176.31.246.49:14141<\/li>\n
  • 178.62.233.140:50000<\/li>\n
  • 37.139.15.65:14088<\/li>\n
  • 46.32.233.54:53535<\/li>\n
  • 62.75.179.223:11111<\/li>\n
  • 62.75.179.223:19093<\/li>\n
  • 72.167.201.238:11080<\/li>\n
  • 78.46.36.35:33533<\/li>\n
  • 85.214.252.4:9000<\/li>\n
  • ftspbz.net46.net<\/li>\n
  • nwoccs.zapto.org<\/li>\n
  • z3mm6cupmtw5b2xx.onion<\/li>\n<\/ul>\n

    McAfee customers are already protected by the following detections:<\/p>\n

      \n
    • W32\/NionSpy<\/li>\n
    • W32\/NionSpy!dr<\/li>\n
    • W32\/NionSpy.b!dr<\/li>\n
    • W32\/NionSpy.c!dr<\/li>\n
    • W32\/NionSpy!dam<\/li>\n
    • And other generic signatures<\/li>\n<\/ul>\n

      YARA Signature<\/strong><\/h2>\n

      rule NionSpy
      \n{<\/p>\n

      meta:<\/p>\n

      description = “Triggers on old and new variants of W32\/NionSpy file infector”<\/p>\n

      strings:<\/p>\n

      $variant2015_infmarker = “aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT”
      \n$variant2013_infmarker = “ad6af8bd5835d19cc7fdc4c62fdf02a1”
      \n$variant2013_string = “%s?cstorage=shell&comp=%s”<\/p>\n

      condition:<\/p>\n

      uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($variant*)<\/p>\n

      }<\/p>\n","protected":false},"excerpt":{"rendered":"

      This blog was written by Sanchit Karve. W32\/NionSpy is a family of malware that steals information from infected machines and…<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[338,142,180],"coauthors":[4136],"class_list":["post-42653","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-endpoint-protection","tag-tag-identity-theft","tag-malware"],"acf":[],"yoast_head":"\nTaking a Close Look at Data-Stealing NionSpy File Infector | McAfee Blog<\/title>\n<meta name=\"description\" content=\"NionSpy prefixes its malicious binary onto executable files--unlike other data-stealing Trojans, which store all their functions in a single file.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Taking a Close Look at Data-Stealing NionSpy File Infector | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"NionSpy prefixes its malicious binary onto executable files--unlike other data-stealing Trojans, which store all their functions in a single file.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2015-04-14T12:06:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-06T08:07:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Nionspy-file-structure.png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Taking a Close Look at Data-Stealing NionSpy File Infector\",\"datePublished\":\"2015-04-14T12:06:29+00:00\",\"dateModified\":\"2025-06-06T08:07:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/\"},\"wordCount\":1095,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png\",\"keywords\":[\"endpoint protection\",\"identity theft\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/\",\"name\":\"Taking a Close Look at Data-Stealing NionSpy File Infector | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png\",\"datePublished\":\"2015-04-14T12:06:29+00:00\",\"dateModified\":\"2025-06-06T08:07:10+00:00\",\"description\":\"NionSpy prefixes its malicious binary onto executable files--unlike other data-stealing Trojans, which store all their functions in a single file.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Taking a Close Look at Data-Stealing NionSpy File Infector\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Taking a Close Look at Data-Stealing NionSpy File Infector | McAfee Blog","description":"NionSpy prefixes its malicious binary onto executable files--unlike other data-stealing Trojans, which store all their functions in a single file.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Taking a Close Look at Data-Stealing NionSpy File Infector | McAfee Blog","og_description":"NionSpy prefixes its malicious binary onto executable files--unlike other data-stealing Trojans, which store all their functions in a single file.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2015-04-14T12:06:29+00:00","article_modified_time":"2025-06-06T08:07:10+00:00","og_image":[{"url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Nionspy-file-structure.png","type":"","width":"","height":""}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Taking a Close Look at Data-Stealing NionSpy File Infector","datePublished":"2015-04-14T12:06:29+00:00","dateModified":"2025-06-06T08:07:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/"},"wordCount":1095,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png","keywords":["endpoint protection","identity theft","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/","name":"Taking a Close Look at Data-Stealing NionSpy File Infector | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png","datePublished":"2015-04-14T12:06:29+00:00","dateModified":"2025-06-06T08:07:10+00:00","description":"NionSpy prefixes its malicious binary onto executable files--unlike other data-stealing Trojans, which store all their functions in a single file.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#primaryimage","url":"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png","contentUrl":"https:\/\/www.mcafee.com\/wp-content\/uploads\/041415_1206_ACloserLook1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/taking-a-close-look-at-data-stealing-nionspy-file-infector\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Taking a Close Look at Data-Stealing NionSpy File Infector"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/42653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=42653"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/42653\/revisions"}],"predecessor-version":[{"id":215166,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/42653\/revisions\/215166"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=42653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=42653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=42653"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=42653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}