Cybersecurity researchers have uncovered an "interesting email campaign" undertaken by a threat actor that has taken to distributing new malware written in the Nim programming language.
Dubbed "NimzaLoader" by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape.
"Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said.
Proofpoint is tracking the operators of the campaign under the moniker "TA800," who, they say, began distributing NimzaLoader starting February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.
While APT28 has previously been linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are continually retooling their malware arsenal to avoid detection.
Proofpoint's findings have also been independently corroborated by researchers from Walmart's threat intelligence team, who named the malware "Nimar Loader."
As with BazaLoader, the campaign spotted on February 3 made use of personalized email phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack, which used a fake Adobe icon as part of its social engineering tactics.
Once opened, the malware is designed to give the attackers access to the victim's Windows systems, along with capabilities to execute arbitrary commands retrieved from a command-and-control server, including executing PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.
Additional evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that threat actors integrate various tactics into their campaigns.
"It is […] unclear if Nimzaloader is just a blip on the radar for TA800 — and the broader threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption," the researchers concluded.