Cybersecurity researchers have unwrapped an “interesting email campaign” undertaken by a threat actor that has taken to distributing a new malware written in the Nim programming language.
Dubbed “NimzaLoader” by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape.
“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” the researchers said.
Proofpoint is tracking the operators of the campaign under the moniker “TA800,” who, they say, started distributing NimzaLoader on February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.
While APT28 has previously been linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are constantly retooling their malware arsenal to avoid detection.
Proofpoint’s findings have also been independently corroborated by researchers from Walmart’s threat intelligence team, who named the malware “Nimar Loader.”
As with BazaLoader, the campaign observed on February 3 used personalized phishing emails containing a link to a supposed PDF document. The link instead redirected the recipient to a NimzaLoader executable hosted on Slack, which used a fake Adobe icon as part of its social engineering tricks.
Once opened, the malware is designed to give the attackers access to the victim’s Windows systems, along with the ability to execute arbitrary commands retrieved from a command-and-control server, including running PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.
Additional evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that threat actors integrate different tactics into their campaigns.
“It’s […] unclear if Nimzaloader is just a blip on the radar for TA800 — and the broader threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption,” the researchers concluded.