I am not writing about Nim, the mathematical game of strategy, but I am concerned about another “Nim” and you do not want to lose this game. Cybersecurity researchers have unwrapped an "interesting email campaign" undertaken by a threat actor that has taken to distributing a new malware written in Nim programming language. Recently named "NimzaLoader" by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape. "Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said.
Proofpoint is tracking the operators of the campaign under the moniker "TA800," who, they say, started distributing NimzaLoader beginning 3 February 2021. Prior to the latest raft of activity, the TA800 threat group is known to have predominantly used BazaLoader since April 2020. While APT28 has been previously linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is another sign that malicious actors are constantly retooling their malware arsenal to avoid detection. Proofpoint's findings have also been independently corroborated by researchers from Walmart's threat intelligence team, who named the malware "Nimar Loader."
Researchers cited several major differences between NimzaLoader and BazaLoader: For instance, the two samples use different code-flattening obfuscators, different styles of string decryption and different XOR/rotate-based Windows API hashing algorithms, they said. Other tactics that set NimzaLoader apart include the fact that the malware doesn’t use a domain-generation algorithm and that it makes use of JSON in its command-and-control (C2) communications.
Similar to the case of BazaLoader, the campaign spotted in early February 2021 made use of personalized email phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack, which used a fake Adobe icon as part of its social engineering tricks. The spear-phishing messages appear to come from a co-worker, saying he is “late” driving into the office and asking the email recipient to check over a presentation. The message contains a shortened URL that purports to link to a PDF preview. If the email recipient clicks on the link, they are redirected to a landing page hosted on the email marketing service GetResponse. That page links to the “PDF” and tells the victim to “save to preview.” This link in turn actually takes the victim to the NimzaLoader executable.
Once opened, the malware is designed to provide the attackers with access to the victim's Windows systems, alongside capabilities to execute arbitrary commands retrieved from a command-and-control server, including executing PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.
Additional evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that the threat actor is integrating different tactics into its campaigns. "It is [...] unclear if Nimzaloader is just a blip on the radar for TA800 and the wider threat landscape or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption," the researchers concluded.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com.
Weekly Cyber Intelligence Briefings: