A new phishing campaign has emerged. That’s not all. This campaign utilizes a new malware written in a rare language. Why? We will know soon enough.

What’s going on?

Dubbed NimzaLoader, this malware has been written in the Nim programming language to evade detection. The campaign has been attributed to the TA800 threat actor, who previously propagated the BazaLoader malware. 

Why Nim?

Researchers state that the utilization of a rare programming language somewhat implies that reverse engineers may not be acquainted with the implementation. This, in turn, implies that sandboxes and tools will struggle with analyzing samples of the malware.

Is it similar to BazaLoader?

Let’s note down the differences between the two:
  • The programming language is entirely different.
  • Code flattening obfuscator, string decryption style, and domain generation algorithms don’t coincide between the two malware.

Hence, NimzaLoader is not considered to be a variant of BazaLoader.

About the campaign

  • TA800 started disseminating NimzaLoader on February 3 and has been distributed once, to date.
  • The campaign is exploiting the personal details of users in its phishing mails. The email contained links that redirect users to phishing pages to compromise sensitive information.
  • The phishing lures used include hard to resist subjects, such as termination, bonuses, and more.
  • Although evidence suggests that the malware has been used to deploy Cobalt Strike as its secondary payload. However, as of now, it cannot be stated if that’s the primary purpose.

The bottom line

The shift to Nim is yet another instance of threat actors continually evolving their attack tactics. TA800 has been tied to several attacks against a wide range of sectors and is showing no signs of slowing down.

Cyware Publisher