NimzaLoader Malware Description
A new initial-stage malware loader named NimzaLoader has been observed as part of an ongoing attack campaign. The threatening operation is believed to be carried out by the TA800 threat actor and it has so far targeted a hundred organizations spread across multiple industry sectors. The malware threat is distributed through highly-customized phishing emails aimed at individual employees of the chosen entity.
The bait emails include personal details about the victims such as their names and company and pretend to be written by a coworker who wants some help in reviewing a supposed PDF file containing a work presentation. The email then provides a link that redirects to a landing page hosted on GetResponse, an email marketing platform. On the page, victims a presented with another link to download the fake PDF that is the NimzaLoader executable.
Initial research pointed towards NimzaLoader being a variant of a previous loader malware used by the TA800 group, but a more thorough analysis revealed that this is not the case. NimzaLoader is a distinct malware strain that exhibits several major differences when compared to BazaLoader. The two threats use different obfuscation techniques, different methods for string decryption, and separate hashing algorithms. Other characteristics of NimzaLoader include the use of JSON as part of the communications with the Command-and-Control (C2, C&C) servers and that it doesn't have a domain-generation algorithm.
Once deployed on the target's computer, NimzaLoader can be instructed to execute powershell.exe and inject shellcode into processes. Infosec researchers have not been able to determine the payloads delivered to the infected devices but certain evidence points towards that being the powerful Cobalt Strike malware. The malware also comes with an expiration date in the form of a built-in timestamp, after which NimzaLoader will not run.
NimzaLoader Malware reinforces the trend among cybercriminals to look for obscure and less popular programming languages for their threatening creations. NimzaLoader is written in the Nim programming language, which was also used for the development of a loader tool by the Zebrocy threat actor recently. Doing so has its benefits for the attackers, as it makes detection of the threats harder, while also increasing the difficulty of any attempts by the cybersecurity community to reverse-engineer them.