Nim Programming Language is a compiled systems programming language, a combination of languages such as Python, Ada, and Modula. Recent developments suggest cybercriminals are carrying out email campaigns to distribute new malware written in Nim programming language.
Security experts at Proofpoint have detected rare instances of Nim malware dubbed as “NimzaLoader“. The reason the hackers choose such a rare programming language can be to avoid detection. Also may have thought it would not be easy to reverse engineer, as engineers may not be familiar with Nim’s implementation. Making it difficult for researchers to analyze samples using tools and sandboxes.
Hackers have earlier delivered Zebrocy malware, built using Nim-based loaders. The recent development with NimzaLoader suggests they hackers are constantly updating their tools to fine-tune malware to avoid detection.
Earlier on February 3 hackers carried out BazaLoader campaign, an email phishing attack where the files that appeared to be PDF documents were redirected to a NimzaLoader executable hosted on Slack. The file used a fake Adobe icon as part of its social engineering tricks.
The malware is designed in such a way that it gives access to the victim’s Windows system. It also assigns users the right to execute arbitrary commands retrieved from a command-and-control server. This includes the right to execute PowerShell commands, injecting shellcode into running processes, and even deploy additional malware.
Proofpoint and Walmarts further evidence suggest NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload. This means the threat actors integrate different tactics into their campaigns.
The researchers further added, “It is […] unclear if Nimzaloader is just a blip on the radar for TA800 — and the wider threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLaoder has gained wide adoption.”
If you find the article interesting, don’t forget to leave your thoughts in the comments section below.