
Nim-Based Malware Loader Spreads Via Spear-Phishing Emails
2021-03-10 16:40

The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails.

The malware loader is unique in that it is written in the Nim programming language.

The use of Nim for malware is uncommon in the threat landscape; one of the rare exceptions is a Nim-based downloader recently seen in use by the Zebrocy threat group.

Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.

Exe and inject a shellcode into a process as a thread. While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.

According to Proofpoint researchers, TA800's previous campaigns have often included malicious emails with recipients' names, titles and employers, along with phishing pages designed to look like the targeted company.


News URL

https://threatpost.com/nim-based-malware-loader-spreads-via-spear-phishing-emails/164643/