A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation. Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it.
Nim is a statically-typed, high-level programming language. It combines the performance of low-level languages like C and C++ with the expressiveness of high-level languages like Python, Lisp, and Haskell. Nim was created by Andreas Rumpf in 2008 and was initially named “Nimrod” before being renamed in 2014. Nim is a statically typed compiled systems programming language. It generates native dependency-free executables, not dependent on a virtual machine, which are small and allow easy redistribution.[1]
This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti. The attack chain documented by investigators begins with a phishing email containing a Word document attachment that, when opened, urges the recipient to enable macros to activate the deployment of the Nim malware. The email sender disguises themselves as a Nepali government official.
Once launched, the implant is responsible for enumerating running processes to determine the existence of known analysis tools on the infected host and promptly terminate itself should it find one. Otherwise, the backdoor establishes connections with a remote server that mimics a government domain from Nepal, including the National Information Technology Center (NITC) and awaits further instructions. The command-and-control (C2) servers are no longer accessible:
- mail[.]mofa[.]govnp[.]org
- nitc[.]govnp[.]org
- mx1[.]nepal[.]govnp[.]org
- dns[.]govnp[.]org
Nim is a statically typed compiled programming language," the researchers said. "Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different platforms." The disclosure comes as Cyble revealed a social engineering campaign that leverages messages on social media platforms to deliver a new Python-based stealer malware called Editbot Stealer that's designed to harvest and exfiltrate valuable data via an actor-controlled Telegram channel.
Even as threat actors are experimenting with new malware strains, phishing campaigns have also been observed distributing known malware such as DarkGate and NetSupport RAT via email and compromised websites with fake update lures (aka RogueRaticate), particularly those from a cluster dubbed BattleRoyal.
One attack sequence identified in early October 2023 particularly stands out for chaining two traffic delivery systems (TDSs) 404 TDS and Keitaro TDS to filter and redirect victims meeting their criteria to an actor-operated domain hosting a payload that exploited CVE-2023-36025 (CVSS score: 8.8), a high-severity Windows SmartScreen security bypass that was addressed by Microsoft in November 2023.
This implies BattleRoyal weaponized this vulnerability as a zero-day a month before it was publicly revealed by the tech giant.
DarkGate is designed to steal information and download additional malware payloads, while NetSupport RAT, which started off as a bona fide remote administration tool, has metamorphosed into a potent weapon wielded by malevolent actors to infiltrate systems and establish unfettered remote control. Cybercriminal threat actors are adopting new, varied, and increasingly creative attack chains including the use of various TDS tools to enable malware delivery. Additionally, the use of both email and fake update lures shows the actor using multiple types of social engineering techniques in an attempt to get users to install the final payload.
DarkGate has also been put to use by other threat actors like TA571 and TA577, both of which are known to disseminate a variety of malware, including AsyncRAT, NetSupport RAT, IcedID, PikaBot, and QakBot (aka Qbot). TA577 for example, one of the most prominent Qbot distributors, returned to email threat data in September to deliver DarkGate malware and has since been observed delivering PikaBot in campaigns that typically have tens of thousands of messages.
See: https://redskyalliance.org/xindustry/07734-qbot-the-calculator-episode
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.html
Comments