New Initial Access Tool ‘NimzaLoader’ Spreads via Phishing Emails
The malware is written in a rarely used programming language, which makes it harder to detect.
Proofpoint researchers recently discovered that the “TA800” threat group has shifted from using BazaLoader to a new malware called “NimzaLoader.” As the name implies, this initial access tool is written in Nim, a general-purpose programming language rarely used by malware authors.
This unusual choice of Nim might be an attempt to help TA800 operate without attracting notice and to raise the success rate of its latest campaign.
The newest NimzaLoader campaign appears to have started on February 3rd, 2021 and is still ongoing. The hackers are seeking to manipulate their victims by sending them phishing emails with personalized details, like the ones that anybody can easily find on social media accounts.
Attached to these emails is a file presented as a PDF, with an actual Adobe icon, and there is a preview link in the email’s body. Once accessed, it redirects the victim to a NimzaLoader download page.
Additionally, when comparing NimzaLoader to BazaLoader, the researchers have noticed several differences:
- It’s written in Nim;
- It doesn’t use the same code flattening obfuscator;
- It doesn’t use the same style of string decryption;
- It doesn’t use the same XOR/rotate based Windows API hashing algorithm;
- It doesn’t use the same RC4-based command and control (C&C) response decryption that uses dates as the key;
- It doesn’t use a domain generation algorithm (DGA);
- It uses JSON in C&C communications.
Although research community analysis suggested that NimzaLoader is simply another variant of BazaLoader, based on the above-mentioned differences, it is now being tracked as a separate malware family.
Additionally, it was suggested that NimzaLoader is being used to download and execute Cobalt Strike as its secondary payload, but it is not clear if this is its main goal. It is also uncertain if NimzaLoader is just a camouflage for TA800, or if it will ultimately be employed by other threat actors just like BazaLoader. In the meantime, TA800 continues to incorporate multiple tactics into its campaigns, with the most recent ones directly delivering Cobalt Strike.
Since phishing is NimzaLoader’s main way of spreading, it’s important for organizations to implement email fraud prevention procedures and to secure their networks with proper tools that help block malicious emails.