Cybersecurity researchers have uncovered an “interesting email campaign” undertaken by a threat actor that has taken to distributing a new malware written in the Nim programming language.
Dubbed “NimzaLoader” by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape.
“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” the researchers said.
Proofpoint is tracking the operators of the campaign under the moniker “TA800,” who, they say, started distributing NimzaLoader beginning February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.
While APT28 has previously been linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are constantly retooling their malware arsenal to avoid detection.
Proofpoint’s findings have also been independently corroborated by researchers from Walmart’s threat intelligence team, who named the malware “Nimar Loader.”
As with BazaLoader, the campaign observed on February 3 made use of customized email phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack, which used a fake Adobe icon as part of its social engineering tricks.
Once opened, the malware is designed to provide the attackers with access to the victim’s Windows systems, along with capabilities to execute arbitrary commands retrieved from a command-and-control server, including executing PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.
Additional evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that threat actors integrate different tactics into their campaigns.
“It’s […] unclear if Nimzaloader is just a blip on the radar for TA800 — and the broader threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption,” the researchers concluded.