Researchers detect new malware written in the Nim programming language

Cybersecurity researchers have disclosed an “interesting email campaign” run by a threat actor that has been distributing new malware written in the Nim programming language.

Nicknamed “NimzaLoader” by Proofpoint researchers, the development marks one of the rare cases of Nim malware discovered in the threat landscape.

“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” the researchers said.

Proofpoint tracks the campaign operators under the moniker “TA800”, who it says began distributing NimzaLoader as of February 3, 2021. Prior to this latest burst of activity, TA800 is known to have used BazaLoader predominantly since April 2020.


While APT28 has previously been linked to distributing the Zebrocy malware using Nim-based loaders, the emergence of NimzaLoader is another sign that malicious actors are constantly reworking their malware arsenals to avoid detection.

Proofpoint’s findings have also been independently corroborated by researchers from Walmart’s threat intelligence team, who named the malware “Nimar Loader.”

As in the BazaLoader campaigns, the activity detected on February 3 used personalized phishing emails containing a link to a purported PDF document, which instead redirected the recipient to a NimzaLoader executable hosted on Slack. The executable carried a fake Adobe icon as part of the social engineering trick.

Once opened, the malware is designed to give attackers access to the victim’s Windows system, along with the ability to execute arbitrary commands retrieved from a command-and-control server, including running PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.
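Two points above give a defender something concrete to check: the lure advertises a PDF but delivers a Windows executable, and the executable is Nim-compiled, which the researchers note many tools are not tuned for. The following triage script is an added example, not code from Proofpoint, Walmart or the NimzaLoader sample itself. It checks a downloaded blob for the PE magic, compares that against the file type the link claimed, and counts strings that the Nim compiler’s C backend leaves in compiled programs; that marker list (NimMain, nimFrame, embedded runtime source paths) is an assumption drawn from general Nim toolchain behaviour, not something the article reports about this malware. The samples are constructed byte strings, not real malware.

```python
import os

# Strings the Nim C backend leaves in compiled programs. Assumption based on the
# Nim runtime's naming conventions, not on anything reported about NimzaLoader.
NIM_MARKERS = (
    b"NimMain",     # exported entry point generated for each Nim program
    b"nimFrame",    # runtime helper that maintains Nim's stack-trace frames
    b"fatal.nim",   # runtime source paths embedded for error reporting
    b"system.nim",
    b"io.nim",
)


def nim_artifacts(data: bytes) -> dict:
    """Return {marker: count} for every Nim marker present in the blob."""
    return {m.decode(): data.count(m) for m in NIM_MARKERS if m in data}


def looks_like_nim(data: bytes, min_markers: int = 2) -> bool:
    """Heuristic: two or more distinct runtime markers is a strong Nim signal.

    A single hit (e.g. the word NimMain inside a document) is too weak on its own,
    so the threshold is on distinct markers, not total occurrences.
    """
    return len(nim_artifacts(data)) >= min_markers


def triage(claimed_name: str, data: bytes) -> dict:
    """Compare what the lure claimed the file was with what the bytes actually are."""
    is_pe = data[:2] == b"MZ"                     # DOS/PE header magic
    claimed_ext = os.path.splitext(claimed_name)[1].lower()
    return {
        "is_pe": is_pe,
        "nim": looks_like_nim(data),
        # A link advertised as a PDF that delivers a PE is the lure pattern to flag.
        "type_mismatch": claimed_ext == ".pdf" and is_pe,
    }


# Constructed samples (not real malware): a minimal MZ stub carrying Nim strings,
# a PE stub without them, and a genuine-looking PDF header.
SAMPLE_NIM_PE = b"MZ" + b"\x00" * 62 + b"NimMain\x00nimFrame\x00lib/system/fatal.nim\x00"
SAMPLE_PLAIN_PE = b"MZ" + b"\x00" * 62 + b"kernel32.dll\x00CreateFileW\x00"
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"

if __name__ == "__main__":
    for name, blob in [("Report.pdf", SAMPLE_NIM_PE),
                       ("Report.pdf", SAMPLE_PLAIN_PE),
                       ("Report.pdf", SAMPLE_PDF)]:
        print(name, triage(name, blob), nim_artifacts(blob))
```

The type-mismatch check is the cheap, high-confidence part: a mail gateway or proxy that already records the advertised link text and the fetched content can apply it without any malware-family knowledge. The Nim string heuristic is a triage signal only; legitimate Nim software carries the same markers, and a packed or stripped sample may hide them, so a positive should route the file to a sandbox or analyst rather than block on its own.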

Additional evidence collected by Proofpoint and Walmart shows that NimzaLoader is also used to download and run Cobalt Strike as a secondary payload, suggesting that the threat actors integrate different tactics into their campaigns.

“It is […] unclear if NimzaLoader is just a blip on the radar for TA800 – and the broader threat landscape – or if NimzaLoader will be adopted by other threat actors in the same way BazaLoader has gained widespread adoption,” the researchers concluded.
