Cybersecurity researchers have uncovered an "interesting email campaign" run by a threat actor that has taken to distributing new malware written in the Nim programming language. Once opened, the malware is designed to give the attackers access to the victim's Windows systems, with the ability to execute arbitrary commands retrieved from a command-and-control server, including running PowerShell commands, injecting shellcode into running processes, and deploying additional malware.
Proofpoint's findings have been independently corroborated by researchers from Walmart's threat intelligence team, who named the malware "Nimar Loader." Dubbed "NimzaLoader" by Proofpoint researchers, the development marks one of the rare cases of Nim malware observed in the threat landscape. Further evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also used to download and execute Cobalt Strike as its secondary payload, indicating that the threat actors incorporate a variety of tactics into their campaigns. Prior to the latest raft of activity, the group, which Proofpoint tracks as TA800, is known to have mostly used BazaLoader since April 2020.
While APT28 has previously been linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are constantly retooling their malware arsenals to avoid detection. "It is unclear if Nimzaloader is just a blip on the radar for TA800 and the wider threat landscape, or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption," the researchers concluded. "Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said.
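The researchers' point about unfamiliar tooling cuts both ways: a Nim build leaves its runtime's own symbol and source-file names in the binary, so a first-pass triage script can at least tell an analyst "this is Nim, hand it to someone who knows the runtime." The following is an added example written for this page, not code from Proofpoint, Walmart, or the NimzaLoader sample; the indicator strings are assumed from names the Nim compiler emits in its generated C code (NimMain, nimGC_setStackBottom, popFrame, and the like) and should be tuned against a corpus of real Nim builds, and both byte blobs are constructed stand-ins rather than real files.

```python
import re

# Substrings the Nim compiler's generated C code and runtime commonly leave in
# compiled binaries. Assumed indicators for this example, not a published
# signature: validate against real Nim builds (and non-Nim binaries) before use.
NIM_INDICATORS = (
    "NimMain",
    "NimMainModule",
    "nimGC_setStackBottom",
    "nimFrame",
    "popFrame",
    "rawNewString",
    "raiseOverflow",
    "raiseIndexError",
    ".nim",  # source-file names kept for stack traces, e.g. "system.nim"
)

# Printable ASCII runs of four or more bytes, the same idea as `strings -n 4`.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return the printable ASCII strings found in a binary blob."""
    return [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]


def nim_indicator_hits(blob: bytes) -> dict[str, int]:
    """Map each Nim indicator present to the number of strings containing it."""
    strings = extract_strings(blob)
    hits = {}
    for indicator in NIM_INDICATORS:
        count = sum(1 for s in strings if indicator in s)
        if count:
            hits[indicator] = count
    return hits


def looks_like_nim(blob: bytes, min_indicators: int = 3) -> bool:
    """Flag a sample when at least `min_indicators` distinct Nim artifacts appear.

    Requiring several distinct indicators keeps a lone ".nim" or "popFrame"
    string in an unrelated binary from triggering the heuristic.
    """
    return len(nim_indicator_hits(blob)) >= min_indicators


# Constructed stand-ins for two PE files (MZ header plus a few strings).
# Neither is a real sample; they exist only to exercise the functions above.
NIM_LIKE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"NimMain\x00NimMainModule\x00nimGC_setStackBottom\x00"
    + b"popFrame\x00rawNewString\x00"
    + b"C:\\nim\\lib\\system.nim\x00fatal.nim\x00"
    + b"\x00" * 8
)
PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00GetProcAddress\x00VirtualAlloc\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, blob in (("nim-like", NIM_LIKE_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, looks_like_nim(blob), nim_indicator_hits(blob))
```

Run against a real file with `looks_like_nim(open(path, "rb").read())`. The heuristic only says that the runtime is Nim's; it says nothing about whether the sample is malicious, and a packed or string-stripped build will defeat it, so treat a hit as a routing decision for analysis, not as a verdict.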