NimzaLoader malware is written in NIM, hard to detect

Why is the NimzaLoader malware harder to detect?

NimzaLoader malware is unusual because it’s written in a programming language rarely used by cyber criminals – which could make it harder to detect and defend against. A prolific cyber criminal hacking operation is distributing this new malware, whose code is compiled from a language seldom seen in malicious software.

Dubbed NimzaLoader by cybersecurity researchers at Proofpoint, the malware is written in Nim – and it’s thought that those behind the malware have decided to develop it this way in the hopes that choosing an unexpected programming language will make it more difficult to detect and analyse.
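The point above is that detection tooling tends to follow the languages analysts see most often. As an added illustration (example code written for this page, not code from Proofpoint's research or from the malware), the following Python heuristic flags a binary that carries the kind of strings the Nim compiler's runtime typically leaves behind, which is the sort of language-specific artefact a defender can key on. The marker list and the sample blobs are assumptions constructed here, not indicators taken from the NimzaLoader report.

```python
from typing import Dict, List

# Assumed marker set: strings the Nim compiler's runtime and standard library
# commonly embed in compiled executables (entry-point symbols, stack-frame
# bookkeeping, source-file names used in error messages). These are general
# Nim artefacts, not indicators from the NimzaLoader report.
NIM_MARKERS: List[bytes] = [
    b"NimMain",         # generated entry point
    b"NimMainModule",
    b"nimFrame",        # stack-trace frame bookkeeping
    b"popFrame",
    b"system.nim",      # standard-library source paths left in error strings
    b"fatal.nim",
    b"io.nim",
]


def nim_marker_hits(data: bytes) -> Dict[str, int]:
    """Count how many times each known marker occurs in a raw binary blob."""
    hits: Dict[str, int] = {}
    for marker in NIM_MARKERS:
        count = data.count(marker)
        if count:
            hits[marker.decode()] = count
    return hits


def looks_nim_compiled(data: bytes, min_distinct: int = 3) -> bool:
    """Heuristic verdict: require several *distinct* markers to co-occur.

    A single hit is noisy (a short string like 'io.nim' can show up in
    unrelated data), so co-occurrence of independent artefacts is demanded
    before the file is flagged for closer analysis.
    """
    return len(nim_marker_hits(data)) >= min_distinct


def scan_file(path: str) -> bool:
    """Convenience wrapper: read a file from disk and apply the heuristic."""
    with open(path, "rb") as fh:
        return looks_nim_compiled(fh.read())


# Constructed sample blobs (not real samples): a fake PE header followed by
# the kind of strings a Nim build would leave, and a plain C-style build.
SAMPLE_NIM = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"@fatal.nim\x00system.nim\x00NimMainModule\x00nimFrame\x00popFrame\x00"
    + b"\x90" * 16
)
SAMPLE_OTHER = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"kernel32.dll\x00msvcrt.dll\x00printf\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    for name, blob in (("nim-like", SAMPLE_NIM), ("other", SAMPLE_OTHER)):
        print(name, looks_nim_compiled(blob), nim_marker_hits(blob))
```

The threshold on distinct markers, rather than total hits, is the deliberate design choice: it keeps a single coincidental substring from raising an alert while still catching the typical co-occurring runtime artefacts, and the same shape translates directly into a YARA rule with a condition such as "N of them".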

NimzaLoader malware is designed to provide cyber attackers with access to Windows computers, and with the ability to execute commands – something which could give those controlling the malware the ability to control the machine, steal sensitive information, or potentially deploy additional malware.

The malware is thought to be the work of a cyber criminal hacking group which Proofpoint refers to as TA800, a hacking operation which targets a wide range of industries across North America.

The group is usually associated with BazarLoader, a form of trojan malware which creates a full backdoor onto compromised Windows machines and is known to be used to deliver ransomware attacks.


Like BazarLoader, NimzaLoader is distributed using phishing emails which link potential victims to a fake PDF downloader which, if run, will download the malware onto the machine. At least some of the phishing emails are tailored towards specific targets with customised references involving personal details like the recipient’s name and the company they work for.

The template of the messages and the way the attack attempts to deliver the payload is consistent with previous TA800 phishing campaigns, leading researchers to the conclusion that NimzaLoader is also the work of what was already a prolific hacking operation, which has now added another means of attack.

“TA800 has often leveraged different and unique malware, and developers may choose to use a rare programming language like Nim to avoid detection, as reverse engineers may not be familiar with Nim’s implementation or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyse samples of it,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.

Like BazarLoader before it, there’s the potential that NimzaLoader could be adopted as a tool that’s leased out to cyber criminals as a means of distributing their own malware attacks.

With phishing the key means of distributing NimzaLoader, it’s therefore recommended that organisations ensure that their network is secured with tools which help prevent malicious emails from arriving in inboxes in the first place.

It’s also recommended that organisations train staff on how to spot phishing emails, particularly when campaigns like this one attempt to exploit personal details as a means of encouraging victims to let their guard down.
