Cybersecurity researchers have discovered an email campaign in which a threat actor is distributing new malware written in the Nim programming language.
The malware, dubbed “NimzaLoader” by Proofpoint researchers, is one of the rare instances of Nim-based malware seen in the threat landscape.
According to the researchers, malware developers choose rare programming languages to avoid detection: reverse engineers may not be familiar with Nim’s implementation, detections may not yet exist for it, and analysis tools and sandboxes may therefore struggle with samples written in it.
The operators of the campaign, known as “TA800,” started distributing NimzaLoader in February. Before that, the group is known to have predominantly used BazaLoader since April 2020.
The hacker group APT28 was previously linked to delivering Zebrocy malware using Nim-based loaders. The appearance of NimzaLoader is yet another sign that malicious actors constantly retool their malware arsenals to avoid detection.
Proofpoint’s findings were supported by researchers from Walmart’s threat intelligence team, who named the malware “Nimar Loader.”
The campaign spotted in February used personalized phishing emails containing a link to a supposed PDF document; the link instead redirected the recipient to a NimzaLoader executable hosted on Slack, which carried a fake Adobe icon as part of its social engineering.
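A defender-side illustration of the lure pattern described above: a link whose text promises a document but whose target is an executable on a legitimate file-sharing service. This is an added Python example, not Proofpoint's tooling or anything from the campaign; the sample email, the file-sharing host list, and the keyword lists are constructed assumptions for the demonstration.

```python
"""Flag email links that present a document lure but point at an executable.

Added illustration only (not code from the article, Proofpoint, or the
campaign). The sample email, host list, and keyword lists are constructed.
"""
import re
from urllib.parse import urlparse

# File extensions that execute directly when a user double-clicks the download.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".msi"}

# Words a lure uses to make the link read like a harmless document.
DOCUMENT_WORDS = re.compile(r"\b(pdf|document|invoice|report|statement)\b",
                            re.IGNORECASE)

# Legitimate file-sharing domains that attackers abuse as free hosting.
# Assumption: illustrative hostnames, not confirmed indicators from the article.
FILE_SHARING_HOSTS = ("slack.com", "slack-edge.com")

# Minimal HTML anchor matcher; real mail pipelines would use an HTML parser.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                    re.IGNORECASE | re.DOTALL)


def assess_link(href, anchor_text):
    """Return the reasons a link looks like a document-disguised executable lure.

    An empty list means nothing suspicious was found for this link.
    """
    reasons = []
    parsed = urlparse(href)
    path = parsed.path.lower()
    last_segment = path.rsplit("/", 1)[-1]
    ext = path[path.rfind("."):] if "." in last_segment else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"target is an executable ({ext})")
        # Double extension such as "Proposal.pdf.exe" is a classic disguise.
        if last_segment.count(".") > 1:
            reasons.append(f"double extension in filename ({last_segment})")
        if DOCUMENT_WORDS.search(anchor_text):
            reasons.append("link text promises a document but target is executable")

    host = parsed.hostname or ""
    if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
        reasons.append(f"hosted on a file-sharing service ({host})")
    return reasons


def scan_email(html):
    """Map each flagged href in an HTML email body to its list of reasons."""
    findings = {}
    for href, text in ANCHOR.findall(html):
        reasons = assess_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample email body (the path segment EXAMPLE is a placeholder).
SAMPLE_EMAIL = """<p>Hi, please review the proposal below.</p>
<a href="https://files.slack.com/files-pri/EXAMPLE/Proposal.pdf.exe">View PDF document</a>
<a href="https://example.com/docs/proposal.pdf">Download PDF</a>
<a href="https://example.net/contact">Contact us</a>"""

if __name__ == "__main__":
    for url, why in scan_email(SAMPLE_EMAIL).items():
        print(url)
        for reason in why:
            print("  -", reason)
```

Only the first link is flagged: it is an executable with a double extension, its anchor text promises a PDF, and it sits on a file-sharing host. The genuine PDF link and the plain contact link produce no findings, which is the behaviour a mail gateway rule built on this logic should preserve to avoid drowning analysts in false positives.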
Once opened, the malware gives the attackers access to the victim’s Windows system and can execute arbitrary commands retrieved from a command-and-control server, including running PowerShell commands, injecting shellcode into running processes, and deploying additional malware.
NimzaLoader was also observed downloading and executing Cobalt Strike as a secondary payload, suggesting that the threat actors integrate different tactics into their campaigns.
The researchers added that it is unclear whether NimzaLoader will be adopted by other threat actors in the way BazaLoader has gained wide adoption.
Image Credits: Spiria