Security News > 2021 > March > Nim-Based Malware Loader Spreads Via Spear-Phishing Emails
The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails.
The malware loader is unique in that it is written in the Nim programming language.
The use of Nim is uncommon for malware in the threat landscape, except in rare cases, such as a Nim-based downloader recently seen being used by the Zebrocy threat group.
Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.
Exe and inject a shellcode into a process as a thread. While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.
According to Proofpoint researchers, TA800's previous campaigns have often included malicious emails with recipients' names, titles and employers, along with phishing pages designed to look like the targeted company.
News URL
https://threatpost.com/nim-based-malware-loader-spreads-via-spear-phishing-emails/164643/
Related news
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Midnight Blizzard Escalates Spear-Phishing Attacks On Over 100 Organizations (source)
- Beware of phishing emails delivering backdoored Linux VMs! (source)
- New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns (source)
- Phishing emails increasingly use SVG attachments to evade detection (source)
- Ongoing Phishing and Malware Campaigns in December 2024 (source)
- European companies hit with effective DocuSign-themed phishing emails (source)