NimzaLoader uses obscure Nim language to avoid legacy detections

Researchers at Proofpoint recently described an obscure malware named NimzaLoader and Walmart’s internal security team recently described similar malware named Nimar Loader

 

Proofpoint describes the use of NimzaLoader as an initial backdoor, installed onto victim’s systems via a highly targeted spear phishing campaign by a group they refer to as TA800, who were previously linked to Bazaloader.

What Is It?

The concept of security by obscurity is an interesting one. It was once used somewhat derisively, or as an in-joke, by experienced security professionals to describe the security posture of a product or service which uses secrecy rather than other types of controls to secure itself. However, in the increasingly commoditized and profit driven world of cyber-attacks, it can be become a truism. If a product, operating system or platform attracts only a fraction of market share, then from an attacker’s point of view it may not make sense, from a return on time and effort basis to attack that entity.

From a defender’s point of view, security by obscurity is essentially no security at all and fraught with risk, it is obviously no substitute for actual security measures. However, from an attacker’s position, security by obscurity can sometimes be used to their advantage, especially if their goal is to evade detection by legacy signature-based detection tools. These tools require signatures be created and distributed to provide detection of threats, so if a new threat is sufficiently different to existing threats, it will not be detected.

The malware is written in the relatively new and obscure programming language, Nim. Only two other malware variants written in Nim have previously been observed, both from the Russian APT group Zebrocy, also known as APT28, one in April 2019 and one September 2020. In addition to evading signature detections, using an obscure language will also make automated detection by sandboxes and even by human analysts less likely. It also makes reverse engineering of a sample slower and potentially more difficult. 

The attack chain begins with phishing emails that use information such as the user’s name, organization’s name, or both in the body of the email in an attempt to make it appear more credible. The emails contain links which purport to be a downloadable PDF, but actually result in download and execution of the NimzaLoader malware.

Once installed, NimzaLoader contacts it’s C2 (command and control) site to receive instructions, it’s primary function is to download and execute further malware. It appears NimzaLoader may have been used to execute a Powershell command resulting in a Cobalt Strike beacon being installed. At this time, NimzaLoader’s C2 sites are no longer up, and a hardcoded expiration date has passed, indicating the attackers may still be developing this malware and this campaign was a limited scope test.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial attack vector is the use of spear phishing emails.

When/How Did BluVector Detect It?

The NimzaLoader sample related to this campaign is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 35 months prior to its release.

All Threat Reports