Nim-Based Malware Loader Spreads Via Spear-Phishing Emails (Security News, March 2021)

The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails.
The malware loader is unique in that it is written in the Nim programming language.
Nim is rarely used for malware; one recent exception is a Nim-based downloader seen in use by the Zebrocy threat group.
Because of this, researchers say malware developers may be turning to Nim to evade detection by defense teams who are not familiar with the language.
Exe and inject shellcode into a process as a thread. While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.
According to Proofpoint researchers, TA800's previous campaigns have often included malicious emails with recipients' names, titles and employers, along with phishing pages designed to look like the targeted company.
News URL
https://threatpost.com/nim-based-malware-loader-spreads-via-spear-phishing-emails/164643/