mood Posted March 10, 2021

Nim-Based Malware Loader Spreads Via Spear-Phishing Emails

Spear-phishing emails are spreading the NimzaLoader malware loader, which some say may be used to download Cobalt Strike.

The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails. While previous Twitter analysis identified this loader as a mere variant of TA800's existing BazaLoader malware, new research cites evidence that NimzaLoader is a disparate strain — with its own separate string-decryption methods and hashing algorithm techniques.

The malware loader is unique in that it is written in the Nim programming language. The use of Nim is uncommon for malware in the threat landscape, except in rare cases, such as a Nim-based downloader recently seen being used by the Zebrocy threat group. Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.

"Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," said Dennis Schwarz and Matthew Mesa, researchers with Proofpoint on Wednesday, in a report shared with Threatpost before publication.

NimzaLoader is used as "initial-access malware" and was first discovered being distributed by the TA800 threat actor in February, said researchers. TA800 is an affiliate distributor of TrickBot and BazaLoader (also known as the BazarBackdoor, BazarCall, etc.). It is unclear what NimzaLoader's primary purpose is at this time – however, some evidence suggests the loader is being used to download and execute the Cobalt Strike commodity malware as its secondary payload, researchers said.
BazaLoader Versus NimzaLoader

Some initial analysis of NimzaLoader by various researchers on Twitter has indicated that it may be a variant of BazaLoader, another loader used by TA800 that has the primary function of downloading and executing additional modules. But, researchers with Proofpoint pointed to evidence that they say shows NimzaLoader is not merely a BazaLoader variant: "Based on our observations of significant differences, we are tracking this as a distinct malware family," they said.

They cited several major differences between NimzaLoader and BazaLoader: For instance, the two samples use different code-flattening obfuscators, different styles of string decryption and different XOR/rotate-based Windows API hashing algorithms, they said. Other tactics that set NimzaLoader apart include the fact that the malware doesn't use a domain-generation algorithm and that it makes use of JSON in its command-and-control (C2) communications.

The Email Spear-Phishing Campaign

[Figure: A sample spear-phishing email. Credit: Proofpoint.]

Researchers first observed the NimzaLoader campaign on Feb. 3, in the form of emails with "personalized details" for victims – including their names and company names. The messages purport to come from a coworker, saying he is "late" driving into the office and asking the email recipient to check over a presentation. The message sends a URL link (which is shortened) that purports to be a link to a PDF preview.

If the email recipient clicks on the link, they are redirected to a landing page hosted on email marketing service GetResponse. That page links to the "PDF" and tells the victim to "save to preview." This link in turn actually takes the victim to the NimzaLoader executable.

NimzaLoader Malware Executable

Upon closer inspection, researchers found that NimzaLoader is developed using Nim (as evidenced by various "nim" related strings in the executable).
The malware uses mostly encrypted strings, using an XOR-based algorithm and a single key per string. One encrypted string contains a timestamp and is used to set an expiration date for the malware. For instance, in one analyzed sample the expiration date was set to Feb. 10 at 1:20:55.003 p.m. – meaning the malware would not run after that date and time.

Most of the other strings contain command names. These commands include the ability to execute powershell.exe and inject a shellcode into a process as a thread.

While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon. "We are unable to validate or confirm this finding, but it does align with past TA800 tactics, techniques and procedures (TTPs)," they said.

TA800 Threat Group: The Future of NimzaLoader

Researchers linked NimzaLoader back to TA800, a threat group that has targeted a wide range of industries in North America, infecting victims with banking trojans and malware loaders. According to Proofpoint researchers, TA800's previous campaigns have often included malicious emails with recipients' names, titles and employers, along with phishing pages designed to look like the targeted company.

Researchers noted that the malware shows TA800 continuing to integrate different tactics into their campaigns. "It is… unclear if Nimzaloader is just a blip on the radar for TA800—and the wider threat landscape—or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption," said researchers.

Source: Nim-Based Malware Loader Spreads Via Spear-Phishing Emails
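An added example, not code from the article, from Proofpoint or from the loader itself: a triage helper for the per-string XOR-encrypted strings and the embedded expiry timestamp described in this post. It assumes single-byte keys and a specific timestamp format, neither of which the article states, and the encrypted blobs it works on are constructed.

```python
# Added example (not from the article, Proofpoint or the loader): triaging
# XOR-encrypted strings of the kind described above, one key per string, where
# one decrypted string is an expiry timestamp. Assumed, not stated in the
# article: single-byte keys and a "%Y-%m-%d %H:%M:%S.%f" timestamp format.
from datetime import datetime
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyz0123456789 .:-_\\/")  # expected bytes
HINTS = (b".exe", b"powershell", b"cmd")  # tokens the article names (assumed)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def parse_expiry(text: str):
    """Return a datetime if text is a timestamp in the assumed format, else None."""
    try:
        return datetime.strptime(text, TS_FORMAT)
    except ValueError:
        return None

def score(candidate: bytes) -> int:
    """-1 if any byte is outside ALLOWED; else length plus timestamp/hint bonuses."""
    if any(b not in ALLOWED for b in candidate):
        return -1
    bonus = 100 if parse_expiry(candidate.decode("ascii")) else 0
    return len(candidate) + bonus + (50 if any(h in candidate for h in HINTS) else 0)

def recover_string(blob: bytes):
    """Brute-force all 256 keys; return (key, plaintext) with the best score."""
    best = (None, None, -1)  # (key, text, score)
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score(plain)
        if s > best[2]:
            best = (key, plain.decode("ascii"), s)
    return best[0], best[1]

def find_expiry(blobs):
    """The expiry is whichever recovered string parses as a timestamp. A sandbox
    run after this date shows no behaviour unless its clock is set back."""
    for blob in blobs:
        _, text = recover_string(blob)
        if text and parse_expiry(text):
            return parse_expiry(text)
    return None

# Constructed fixture: three strings, each encrypted with its own single-byte key.
SAMPLE_BLOBS = [xor_bytes(b"2021-02-10 13:20:55.003", 0x5A),
                xor_bytes(b"powershell.exe", 0x37), xor_bytes(b"cmd.exe", 0xA1)]
```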
aum Posted March 12, 2021

Researchers Spotted Malware Written in Nim Programming Language

Cybersecurity researchers have unwrapped an "interesting email campaign" undertaken by a threat actor that has taken to distributing a new malware written in Nim programming language. Dubbed "NimzaLoader" by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape.

"Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said.

Proofpoint is tracking the operators of the campaign under the moniker "TA800," who, they say, started distributing NimzaLoader starting February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.

While APT28 has been previously linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are constantly retooling their malware arsenal to avoid detection. Proofpoint's findings have also been independently corroborated by researchers from Walmart's threat intelligence team, who named the malware "Nimar Loader."

Like with the case of BazaLoader, the campaign spotted on February 3 made use of personalized email phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack, which used a fake Adobe icon as part of its social engineering tricks.
Once opened, the malware is designed to provide the attackers with access to the victim's Windows systems, alongside capabilities to execute arbitrary commands retrieved from a command-and-control server — including executing PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.

Additional evidence gathered by Proofpoint and Walmart show that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that threat actors integrate different tactics into their campaigns.

"It is [...] unclear if Nimzaloader is just a blip on the radar for TA800 — and the wider threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption," the researchers concluded.

Source