Cybersecurity researchers have unwrapped an “interesting email campaign” carried out by a threat actor that has taken to distributing new malware written in the Nim programming language.
Dubbed “NimzaLoader” by Proofpoint researchers, the development marks one of the rare cases of Nim malware spotted in the threat landscape.
“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” the researchers said.
Proofpoint is tracking the operators of the campaign under the moniker “TA800,” who, they say, started distributing NimzaLoader on February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.
While APT28 has previously been linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are constantly retooling their malware arsenal to evade detection.
Proofpoint’s findings have also been independently corroborated by researchers from Walmart’s threat intelligence team, who named the malware “Nimar Loader.”
As with BazaLoader, the campaign spotted on February 3 made use of personalized email phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack, which used a fake Adobe icon as part of its social engineering tricks.
Once opened, the malware is designed to provide the attackers with access to the victim’s Windows systems, along with capabilities to execute arbitrary commands retrieved from a command-and-control server — including running PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.
Additional evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that threat actors integrate different tactics into their campaigns.
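The delivery chain described above (a document-themed lure, an executable served from Slack with an Adobe icon, then PowerShell commands issued by the loader) can be turned into two simple endpoint detection heuristics. The following is an added illustration written for this page, not Proofpoint's or Walmart's code: it runs over constructed process-creation events (paths, PIDs and URLs are placeholders) and assumes the download origin of each file is available from its Mark-of-the-Web record and that executables arriving from a `*.slack.com` download link are unexpected in this environment.

```python
"""Two defender-side heuristics modelled on the NimzaLoader delivery chain.

Rule 1: an .exe with a document-like name (adobe, pdf, ...) run from outside
        trusted program directories whose Mark-of-the-Web origin is a
        file-sharing host (assumed here: any *.slack.com link).
Rule 2: a PowerShell process whose parent was flagged by rule 1.
Hypothetical example code; the event format is constructed for this page.
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str            # full path of the started executable
    cmdline: str
    origin_url: str = ""  # download source from Zone.Identifier (MOTW), "" if none


# Constructed sample telemetry, ordered by time (parents before children).
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 50, r"C:\Users\alice\Downloads\Adobe_Document.exe",
              r"C:\Users\alice\Downloads\Adobe_Document.exe",
              "https://files.slack.com/files-pri/T00000000-F00000000/download/adobe_document.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command whoami"),
    # Legitimate Adobe activity that must not be flagged.
    ProcEvent(200, 50, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
              "Acrobat.exe report.pdf"),
    ProcEvent(201, 200, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe",
              "AcroCEF.exe"),
]

DOC_WORDS = ("adobe", "acrobat", "pdf", "document", "invoice")  # names that suggest a document, not a program
SHARING_HOSTS = (".slack.com",)                                  # assumption: unexpected source for executables
SHELLS = ("powershell.exe", "pwsh.exe")
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any platform."""
    return ntpath.basename(path).lower()


def is_masquerading_download(ev: ProcEvent) -> bool:
    """Rule 1: document-named .exe, outside trusted dirs, fetched from a sharing host."""
    name = basename(ev.image)
    if not name.endswith(".exe") or not any(w in name for w in DOC_WORDS):
        return False
    if ev.image.lower().startswith(TRUSTED_DIRS):
        return False
    host = urlparse(ev.origin_url).hostname or ""
    return host.endswith(SHARING_HOSTS)


def detect(events):
    """Return (rule, pid) findings; events must be in chronological order."""
    findings = []
    flagged = set()  # PIDs that matched rule 1, used to evaluate rule 2 on children
    for ev in events:
        if is_masquerading_download(ev):
            flagged.add(ev.pid)
            findings.append(("masquerading-download", ev.pid))
        elif basename(ev.image) in SHELLS and ev.ppid in flagged:
            findings.append(("shell-from-masquerading-download", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the higher-confidence signal: a document-looking executable that immediately spawns PowerShell matches the loader's behaviour in this campaign, whereas rule 1 on its own will also catch user-downloaded installers and should be reviewed rather than blocked outright.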
“It is […] unclear if Nimzaloader is just a blip on the radar for TA800 — and the wider threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption,” the researchers concluded.