NimzaLoader Malware Developed Using a Rare Programming Language to Avoid Detection

Proofpoint researchers observed an interesting email campaign by a threat actor they track as TA800. The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly targeted spear-phishing emails.

This actor has predominantly used BazaLoader since April of 2020, but on February 3rd, 2021 they distributed a new malware called NimzaLoader.

NimzaLoader Malware

One of NimzaLoader’s unique features is that it is written in the Nim programming language. Malware written in Nim is rare in the threat landscape.

Malware developers may choose a rare programming language to avoid detection: reverse engineers may not be familiar with Nim's implementation or focused on developing detections for it, so analysis tools and sandboxes may struggle with samples written in it.
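One practical consequence for defenders is that a Nim-compiled binary still carries recognisable runtime artifacts even when signatures for the specific family are missing. The triage helper below is an added example, not code from the article or from Proofpoint; it assumes (as a general property of Nim's C backend, not something the article states) that Nim binaries typically embed runtime symbol names such as `NimMain` and source file names ending in `.nim`, and it flags a buffer as probably Nim-compiled when enough of those markers are present. The two sample buffers are constructed for the example.

```python
import re

# Assumed Nim runtime markers: symbol names that Nim's C backend commonly leaves
# in compiled binaries. These are generic Nim artifacts, not indicators from the article.
NIM_MARKERS = [
    b"NimMain",
    b"NimMainInner",
    b"NimMainModule",
    b"nimFrame",
    b"popFrame",
    b"PreMainInner",
]

# Nim source file names (e.g. "system.nim") often survive in stack-trace strings.
NIM_SOURCE_RE = re.compile(rb"[A-Za-z0-9_]+\.nim\b")


def nim_indicators(data: bytes) -> dict:
    """Return the Nim runtime markers and .nim source names found in a byte buffer."""
    markers = [m.decode() for m in NIM_MARKERS if m in data]
    sources = sorted({s.decode() for s in NIM_SOURCE_RE.findall(data)})
    return {"markers": markers, "nim_sources": sources}


def looks_like_nim(data: bytes, min_markers: int = 2) -> bool:
    """Heuristic: at least `min_markers` runtime symbols, or any .nim source name."""
    ind = nim_indicators(data)
    return len(ind["markers"]) >= min_markers or bool(ind["nim_sources"])


def scan_file(path: str) -> dict:
    """Convenience wrapper for triaging a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = nim_indicators(data)
    result["looks_like_nim"] = looks_like_nim(data)
    return result


# Constructed sample buffers standing in for two PE files (not real samples).
SAMPLE_NIM = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"NimMain\x00NimMainInner\x00nimFrame\x00system.nim\x00fatal.nim\x00"
)
SAMPLE_C = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"mainCRTStartup\x00printf\x00kernel32.dll\x00"
)

if __name__ == "__main__":
    for name, buf in (("nim-like", SAMPLE_NIM), ("plain-c", SAMPLE_C)):
        print(name, looks_like_nim(buf), nim_indicators(buf))
```

The threshold of two markers is deliberate: a single string such as `NimMain` could appear in unrelated data, while several runtime symbols together, or a `.nim` source name, are a much stronger hint that an analyst should reach for Nim-aware tooling rather than assume a C or C++ toolchain.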

At first glance it might look like just another variant of BazaLoader, of which there are many, but the researchers conclude that this malware is not a BazaLoader variant.

Major Differences Between NimzaLoader and the BazaLoader Variants

  • Written in a completely different programming language
  • Doesn’t use the same code flattening obfuscator
  • Doesn’t use the same style of string decryption
  • Doesn’t use the same XOR/rotate based Windows API hashing algorithm
  • Doesn’t use the same RC4-based command and control (C&C) response decryption that uses dates as the key
  • Doesn’t use a domain generation algorithm (DGA)
  • Makes use of JSON in C&C communications

Campaign Analysis

Proofpoint observed a TA800 campaign distributing NimzaLoader. This campaign used personalized details in its lure, including the recipient’s name and/or the company’s name.

The messages contained links, in some cases shortened links, purporting to lead to a PDF preview but instead linking to GetResponse (an email marketing service) landing pages. The landing pages contained links to the “PDF”, which was actually the NimzaLoader executable hosted on Slack, using a fake Adobe icon in an attempt to fool the user.

[Figure: TA800 message linking to the GetResponse landing page]
[Figure: TA800 GetResponse landing page linking to the download of NimzaLoader]

NimzaLoader is a new initial access malware being distributed and used by the TA800 threat actor. In 2020, researchers observed TA800 shift away from distributing The Trick, with irregular shifts to Buer Loader, to consistent distribution of BazaLoader since April 2020.

It is unclear whether NimzaLoader is just a blip on the radar for TA800 and the wider threat landscape, or whether it will be adopted by other threat actors in the same way BazaLoader has gained wide adoption. TA800 continues to integrate different tactics into its campaigns, with the latest campaigns delivering Cobalt Strike directly.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
