Nim-Based Malware Loader Spreads Via Spear-Phishing Emails (Security News, March 2021)

The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly targeted spear-phishing emails.
The loader is unusual in that it is written in the Nim programming language.
Nim is rarely used for malware; one of the few other examples is a Nim-based downloader recently seen in use by the Zebrocy threat group.
Because of this, researchers say malware developers may be choosing Nim to evade detection by defense teams who are not familiar with the language.
Exe and inject a shellcode into a process as a thread. While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.
According to Proofpoint researchers, TA800's previous campaigns have often included malicious emails with recipients' names, titles and employers, along with phishing pages designed to look like the targeted company.
News URL: https://threatpost.com/nim-based-malware-loader-spreads-via-spear-phishing-emails/164643/
Related news
- Microsoft: Hackers steal emails in device code phishing attacks
- Beware: PayPal "New Address" feature abused to send phishing emails
- Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- Coinbase phishing email tricks users with fake wallet migration
- Why it's time for phishing prevention to move beyond email
- Ukrainian military targeted in new Signal spear-phishing attacks
- New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims' DNS Email Records