Security researchers have uncovered a phishing campaign in which threat actors distribute newly built malware written in an uncommon programming language in order to evade detection. Researchers from Proofpoint attribute the activity to a cybercriminal group tracked as “TA800”, which is distributing a loader dubbed “NimzaLoader.” The attackers rely on personalized phishing lures to trick recipients into infecting themselves, after which their sensitive data can be stolen.
Proofpoint researchers stated that TA800 previously used the BazaLoader malware, but since February 2021 the group has been distributing NimzaLoader. NimzaLoader’s distinguishing feature is that it is written in the Nim programming language, which is rarely seen in malware. “Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” the researchers said.
What is Nim?
Developed by German programmer Andreas Rumpf, with initial work dating to 2008, Nim is a statically typed, compiled programming language that draws on concepts from Modula-3, Delphi, Ada, C++, Python, Lisp, and Oberon. The Nim compiler emits C (or C++ or JavaScript) source and hands it to a native compiler, so a Nim executable is a normal native binary that carries Nim’s own runtime, memory management and calling conventions. That is what makes such samples look unfamiliar to analysts and tooling tuned for conventional C/C++ binaries.
BazaLoader vs NimzaLoader
Earlier analysis had suggested that NimzaLoader might be another variant of BazaLoader. Proofpoint’s research asserts that it is not. The researchers listed the following differences between NimzaLoader and the BazaLoader variants:
- It is written in a completely different programming language
- It does not use the same code-flattening obfuscator
- It does not use the same style of string decryption
- It does not use the same XOR/rotate-based Windows API hashing algorithm
- It does not use the same RC4 decryption of command-and-control (C&C) responses, where the current date serves as the key
- It does not use a domain generation algorithm (DGA)
- It uses JSON in its C&C communications
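Two of the items above, API hashing and date-keyed RC4 for C&C responses, are techniques an analyst runs into repeatedly when triaging loaders. The following is an added illustration written for this page, not code from Proofpoint or from either malware family: a generic rotate-then-XOR API hash with the reverse-lookup table an analyst builds to map recovered hashes back to export names, and an RC4 decryptor keyed on the capture date. The rotate count, seed, and the YYYY-MM-DD key format are assumptions chosen for the example; the page does not give BazaLoader’s or NimzaLoader’s real constants.

```python
"""Illustrative re-creations of two techniques named in the BazaLoader/NimzaLoader
comparison: XOR/rotate-based Windows API hashing (plus the analyst-side reverse
lookup) and RC4 C&C response decryption keyed on a date string.

Added example for this page. The rotate count, seed and key format are ASSUMED
for illustration; they are not the real constants of either malware family.
"""
from datetime import date

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str, rot: int = 13, seed: int = 0) -> int:
    """Generic ROR/XOR hash over an ASCII export name (assumed scheme).

    Each byte is folded in with rotate-then-XOR, so the binary never needs to
    carry the import name string or an import-table entry for it.
    """
    h = seed
    for b in name.encode("ascii"):
        h = ror32(h, rot) ^ b
    return h & MASK32


def build_lookup(api_names, rot: int = 13, seed: int = 0) -> dict:
    """Analyst side: precompute hash -> name for every export of interest."""
    return {api_hash(n, rot, seed): n for n in api_names}


def resolve_hashes(hashes, lookup: dict) -> list:
    """Map hashes pulled from a sample back to API names (None if unknown)."""
    return [lookup.get(h) for h in hashes]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def date_key(day: date) -> bytes:
    """Assumed key format: the check-in date as YYYY-MM-DD ASCII."""
    return day.isoformat().encode("ascii")


def decrypt_c2_response(blob: bytes, capture_day: date) -> bytes:
    """Decrypt a C&C response captured on `capture_day`.

    Caveat for analysts: with a date-derived key, a pcap replayed on another day
    (or a sandbox with a wrong clock) decrypts to garbage, so record the capture
    date alongside the traffic.
    """
    return rc4(date_key(capture_day), blob)


if __name__ == "__main__":
    # Constructed sample: hashes an analyst pulled from a decompiled resolver stub.
    names = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread"]
    table = build_lookup(names)
    found = [api_hash("VirtualAlloc"), api_hash("CreateThread"), 0xDEADBEEF]
    print(resolve_hashes(found, table))

    # Constructed sample: a JSON C&C reply encrypted under the capture-day key.
    day = date(2021, 2, 3)
    reply = rc4(date_key(day), b'{"cmd":"download","url":"hxxp://example.invalid/x"}')
    print(decrypt_c2_response(reply, day))
    print(decrypt_c2_response(reply, date(2021, 2, 4)))  # wrong day, unreadable
```

The hash lookup is the practical answer to API hashing: rather than reversing the hash, enumerate the exports of the DLLs the loader is likely to touch, hash them all with the recovered rotate count and seed, and match. The date-keyed decryptor shows why capture metadata matters when a family ties its key to the clock.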
NimzaLoader’s Phishing Campaign
Researchers found that TA800’s campaign personalized its phishing emails with details such as the recipient’s name and the target company’s name. The emails contained links which, when clicked, led to phishing pages built to compromise the recipient’s sensitive information.
“Based on our observations of significant differences, we are tracking this as a distinct malware family. There has been some evidence suggesting NimzaLoader is being used to download and execute Cobalt Strike as its secondary payload, but it is unclear whether this is its primary purpose. It is also unclear if NimzaLoader is just a blip on the radar for TA800—and the wider threat landscape—or if NimzaLoader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption. TA800 continues to integrate different tactics into their campaigns, with the latest campaigns delivering Cobalt Strike directly,” the researchers added.