NimzaLoader Malware Developed Using a Rare Programming

The research team from Proofpoint observed an interesting email campaign by a threat actor and tracked it as ‘TA800’. The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails.

This actor has predominantly used BazaLoader since April of 2020, but on February 3rd, 2021 they distributed a new malware called NimzaLoader.

NimzaLoader Malware

One of NimzaLoader’s unique features is that it is written in the Nim programming language. Malware written in Nim is rare in the threat landscape.

Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it.

The analysis says, it may just be another variant of BazaLoader, of which there are many variants. But researchers declare that this malware is not a BazaLoader variant.

Major Differences Between NimzaLoader and the BazaLoader Variants

  • Written in a completely different programming language
  • Doesn’t use the same code flattening obfuscator
  • Doesn’t use the same style of string decryption
  • Doesn’t use the same XOR/rotate based Windows API hashing algorithm
  • Doesn’t use the same RC4 using dates as the key command and control (C&C) response decryption
  • Doesn’t use a domain generation algorithm (DGA)
  • Makes use of JSON in C&C communications

Campaign Analysis

Proofpoint observed a TA800 campaign distributing NimzaLoader. This campaign utilized personalized details in its lure, including, the recipient’s name and/or the company’s name.

The messages contained links, which in some cases were shortened links, purporting to be a link to a PDF preview, but instead linked to GetResponse (an email marketing service) landing pages. The landing pages contained links to the “PDF” which was the NimzaLoader executable hosted on Slack and used a fake Adobe icon in an attempt to fool the user. 

TA800 message linking to the GetResponse Landing Page
TA800 GetResponse Landing page linking to the download of NimzaLoader

NimzaLoader is a new initial access malware being distributed and used by the TA800 threat actor. In 2020, researchers observed the shift from TA800 distributing the Trick, with irregular shifts to Buer Loader, and consistent distribution of Bazaloader since April 2020.

It is unclear if Nimzaloader is just a blip on the radar for TA800, and the wider threat landscape or if Nimzaloader will be adopted by other threat actors in the same way BazaLaoder has gained wide adoption. TA800 continues to integrate different tactics into their campaigns, with the latest campaigns delivering Cobalt strike directly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

LEAVE A REPLY

Please enter your comment!
Please enter your name here