NimzaLoader malware is unusual because it’s written in a programming language rarely used by cybercriminals – which could make it harder to detect and defend against.

“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” the researchers said.

Dubbed NimzaLoader by cybersecurity researchers at Proofpoint said the malware is written in Nim Programming Language.

Proofpoint is tracking the operators of the campaign under the moniker “TA800,” who, they say, started distributing NimzaLoader starting February 3, 2021. Before the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.

NimzaLoader malware is designed to provide cyber attackers with access to Windows computers, and with the ability to execute commands – something that could give those controlling the malware the ability to control the machine, steal sensitive information, or potentially deploy additional malware.

Like BazarLoader, NimzaLoader is distributed using phishing emails that link potential victims to a fake PDF downloader, which, if run, will download the malware onto the machine. At least some of the phishing emails are tailored towards specific targets with customized references involving personal details like the recipient’s name and the company they work for.

Proofpoint’s findings have also been independently corroborated by researchers from Walmart’s threat intelligence team, who named the malware “Nimar Loader.”

Additional evidence gathered by Proofpoint and Walmart shows that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that threat actors integrate different tactics into their campaigns.

It’s recommended that organizations train staff on how to spot phishing emails, particularly when campaigns like this one attempt to exploit personal details as a means of encouraging victims to let their guard down.

Priyanshu Vijayvargiya

Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a Reply

Your email address will not be published. Required fields are marked *