Cybersecurity researchers have uncovered an "interesting email campaign" run by a threat actor that has begun distributing new malware written in the Nim programming language.
Dubbed "NimzaLoader" by Proofpoint researchers, the discovery marks one of the rare instances of Nim-based malware seen in the threat landscape.
"Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said.
Proofpoint tracks the campaign's operators under the moniker "TA800," which, the researchers say, began distributing NimzaLoader on Feb. 3, 2021. Before this latest burst of activity, TA800 was known to have primarily used BazaLoader since April 2020.
Although APT28 was previously linked to delivering Nim-based loaders for the Zebrocy malware, the appearance of NimzaLoader is yet another sign that malicious actors constantly retool their malware arsenal to evade detection.
Proofpoint’s findings have also been independently confirmed by investigators from Walmart’s threat intelligence team, which dubbed the malicious software “Nimar Loader.”
As in the BazaLoader campaigns, the campaign observed on Feb. 3 used personalized phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack. The executable also carried a fake Adobe icon as part of its social engineering tricks to lure the user into downloading the malware.
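A defender-side triage check for the lure chain described above (a link labelled as a PDF that ends at a Windows executable hosted on Slack), added here as example code that is not from the article, Proofpoint or Walmart. The download records, the promised-filename heuristic and the Slack file-hosting hostnames are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Assumed Slack file-hosting domains; adjust to what your proxy logs actually show.
SLACK_FILE_HOSTS = ("files.slack.com", "slack-files.com")


@dataclass
class Download:
    lure_text: str      # filename or anchor text promised in the email
    final_url: str      # URL reached after all redirects
    first_bytes: bytes  # first bytes of the fetched content
    content_type: str   # Content-Type header returned by the host


def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"          # DOS/PE header magic


def is_pdf(data: bytes) -> bool:
    return data[:5] == b"%PDF-"


def hosted_on_slack(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SLACK_FILE_HOSTS)


def score_download(d: Download) -> List[str]:
    """Return the names of lure/payload mismatches found in one download record."""
    findings = []
    promised_pdf = "pdf" in d.lure_text.lower() or d.final_url.lower().endswith(".pdf")
    if promised_pdf and is_pe(d.first_bytes):
        findings.append("pdf-lure-delivers-pe")        # the NimzaLoader lure pattern
    if is_pe(d.first_bytes) and hosted_on_slack(d.final_url):
        findings.append("pe-hosted-on-slack")
    if is_pe(d.first_bytes) and d.content_type.lower().startswith("application/pdf"):
        findings.append("content-type-mismatch")      # server lies about the file type
    return findings


# Constructed sample records: one mimics the reported lure chain, one is a benign PDF.
SAMPLE_DOWNLOADS = [
    Download("Invoice_Q1.pdf", "https://files.slack.com/files-pri/EXAMPLE/download/report.exe",
             b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56, "application/octet-stream"),
    Download("Invoice_Q1.pdf", "https://intranet.example.com/docs/invoice.pdf",
             b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", "application/pdf"),
]


def triage(downloads: List[Download]) -> dict:
    """Map each suspicious final URL to its findings; clean downloads are omitted."""
    return {d.final_url: f for d in downloads if (f := score_download(d))}
```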
Once opened, the malware is designed to give the attackers access to the victim's Windows system, along with the ability to execute arbitrary commands retrieved from a command-and-control server, including running PowerShell commands, injecting shellcode into running processes, and even deploying more malware.
Additional evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also used to download and execute Cobalt Strike as its secondary payload, suggesting that the threat actor integrates various tactics into its campaigns.
"It is [...] unclear whether Nimzaloader is just a blip on the radar for TA800, and the broader threat landscape, or whether Nimzaloader will be adopted by other threat actors in the same way BazaLoader has been widely adopted," the researchers concluded.