Cybersecurity researchers have unwrapped an "interesting email campaign" undertaken by a threat actor that has taken to distributing a new malware written in Nim programming language.
Dubbed "NimzaLoader" by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape.
"Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said.
Proofpoint is tracking the operators of the campaign under the moniker "TA800," who, they say, started distributing NimzaLoader starting February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.
While APT28 has been previously linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are constantly retooling their malware arsenal to avoid detection.
Proofpoint's findings have also been independently corroborated by researchers from Walmart's threat intelligence team, who named the malware "Nimar Loader."
Like with the case of BazaLoader, the campaign spotted on February 3 made use of personalized email phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack. The executable also made use of a fake Adobe icon as part of its social engineering tricks to deceive the user into downloading the malware.
Once opened, the malware is designed to provide the attackers with access to the victim's Windows systems, alongside capabilities to execute arbitrary commands retrieved from a command-and-control server — including executing PowerShell commands, injecting shellcode into running processes, and even deploy additional malware.
Additional evidence gathered by Proofpoint and Walmart show that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that the threat actor is integrating different tactics into its campaigns.
"It is [...] unclear if Nimzaloader is just a blip on the radar for TA800 — and the wider threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLaoder has gained wide adoption," the researchers concluded.