Nim-Based Malware Loader Spreads Via Spear-Phishing Emails

2021-03-10 16:40

The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails.

The malware loader is unique in that it is written in the Nim programming language.

The use of Nim is uncommon for malware in the threat landscape, except in rare cases, such as a Nim-based downloader recently seen being used by the Zebrocy threat group.

Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.

Exe and inject a shellcode into a process as a thread. While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.

According to Proofpoint researchers, TA800's previous campaigns have often included malicious emails with recipients' names, titles and employers, along with phishing pages designed to look like the targeted company.

News URL

https://threatpost.com/nim-based-malware-loader-spreads-via-spear-phishing-emails/164643/

#email #malware #phishing #spearphishing

News URL

Related news