A recently identified phishing campaign is using decoy Microsoft Word documents as a lure to deploy a backdoor written in the Nim programming language.
Nim-Based Malware
“Malware in uncommon programming languages hampers investigations for security experts, given their unfamiliarity,” noted Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara.
Nim-based malware has traditionally been uncommon in the threat landscape, but this trend is gradually shifting. Attackers are increasingly either creating custom tools from scratch using the language or porting existing versions of their malicious programs to Nim.
This has been exemplified in instances involving loaders like NimzaLoader, Nimbda, IceXLoader, and ransomware families identified as Dark Power and Kanti.
The attack chain outlined by Netskope initiates with a phishing email carrying a Word document attachment. Upon opening the document, the recipient is prompted to enable macros, triggering the deployment of the Nim malware. The email sender masquerades as a Nepali government official.
Upon activation, the implant is tasked with scanning running processes to identify the presence of recognized analysis tools on the infected host. It promptly terminates itself if such tools are detected.
Otherwise, the backdoor connects to a remote server impersonating a Nepalese government domain, such as that of the National Information Technology Center (NITC), and awaits additional instructions. Unfortunately, the command-and-control (C2) servers, listed below, are no longer accessible.
- mail[.]mofa[.]govnp[.]org
- nitc[.]govnp[.]org
- mx1[.]nepal[.]govnp[.]org
- dns[.]govnp[.]org
“Nim is a statically typed compiled programming language,” explained the researchers. “In addition to its familiar syntax, its cross-compilation features enable attackers to craft a single malware variant and have it cross-compiled to target various platforms.”
The revelation coincides with Cyble exposing a social engineering campaign that utilizes messages on social media platforms to distribute a newly identified Python-based stealer malware known as Editbot Stealer. This malware is crafted to gather and exfiltrate valuable data through a Telegram channel controlled by the threat actor.
While threat actors explore new malware strains, phishing campaigns continue to distribute established ones like DarkGate and NetSupport RAT through email and compromised websites using fake update lures (known as RogueRaticate), notably associated with the BattleRoyal cluster.
Proofpoint, an enterprise security firm, noted over 20 campaigns utilizing DarkGate malware from September to November 2023, transitioning to NetSupport RAT more recently.
DarkGate is crafted to pilfer information and download supplementary malware payloads. On the other hand, NetSupport RAT, initially developed as a legitimate remote administration tool, has evolved into a formidable weapon used by malicious actors to infiltrate systems and gain unrestricted remote control.
“Cybercriminal threat actors are employing new, diverse, and increasingly creative attack chains, including the use of various TDS tools, to facilitate malware delivery,” stated Proofpoint.
IOCs
MD5
- e2a3edc708016316477228de885f0c39
- 777fcc34fef4a16b2276e420c5fb3a73
- EF834A7C726294CE8B0416826E659BAA
- 32C5141B0704609B9404EFF6C18B47BF
SHA-1
- 3aa803baf5027c57ec65eb9b47daad595ba80bac
- 5D2E2336BB8F268606C9C8961BED03270150CF65
- 4CAE7160386782C02A3B68E7A9BA78CC5FFB0236
- 0599969CA8B35BB258797AEE45FBD9013E57C133
SHA-256
- b5c001cbcd72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6e
- 696f57d0987b2edefcadecd0eca524cca3be9ce64a54994be13eab7bc71b1a83
- 88FA16EC5420883A9C9E4F952634494D95F06F426E0A600A8114F69A6127347F
- 1246356D78D47CE73E22CC253C47F739C4F766FF1E7B473D5E658BA1F0FDD662
Network
- mail[.]mofa[.]govnp[.]org
- nitc[.]govnp[.]org
- mx1[.]nepal[.]govnp[.]org
- dns[.]govnp[.]org
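The indicators above are published defanged ("[.]") and with inconsistent hash case, so they cannot be pasted straight into a log search. The following script is an added example written for this article, not code from Netskope or from the malware: it refangs and normalises the IOCs listed above and sweeps them across constructed DNS query lines and a constructed file-hash inventory. The log formats and the sample lines are assumptions made for the example; only the domains and hashes come from the article.

```python
"""Match the article's published IOCs against constructed DNS and file-hash logs."""
import re
from typing import Dict, List, Optional, Set

# Network IOCs exactly as published in the article (defanged with "[.]").
DEFANGED_DOMAINS = [
    "mail[.]mofa[.]govnp[.]org",
    "nitc[.]govnp[.]org",
    "mx1[.]nepal[.]govnp[.]org",
    "dns[.]govnp[.]org",
]

# File hashes exactly as published in the article (mixed case, as listed).
PUBLISHED_HASHES = {
    "md5": [
        "e2a3edc708016316477228de885f0c39",
        "777fcc34fef4a16b2276e420c5fb3a73",
        "EF834A7C726294CE8B0416826E659BAA",
        "32C5141B0704609B9404EFF6C18B47BF",
    ],
    "sha1": [
        "3aa803baf5027c57ec65eb9b47daad595ba80bac",
        "5D2E2336BB8F268606C9C8961BED03270150CF65",
        "4CAE7160386782C02A3B68E7A9BA78CC5FFB0236",
        "0599969CA8B35BB258797AEE45FBD9013E57C133",
    ],
    "sha256": [
        "b5c001cbcd72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6e",
        "696f57d0987b2edefcadecd0eca524cca3be9ce64a54994be13eab7bc71b1a83",
        "88FA16EC5420883A9C9E4F952634494D95F06F426E0A600A8114F69A6127347F",
        "1246356D78D47CE73E22CC253C47F739C4F766FF1E7B473D5E658BA1F0FDD662",
    ],
}

# Constructed sample logs (not from the article). The third DNS line is a
# deliberate near-miss: "govnp.org" appears inside an unrelated domain, and the
# fourth line has upper case plus a trailing FQDN dot, as resolvers often log.
CONSTRUCTED_DNS_LOG = """\
2023-12-01T10:02:11Z client=10.0.0.15 query=update.microsoft.com type=A
2023-12-01T10:03:40Z client=10.0.0.23 query=nitc.govnp.org type=A
2023-12-01T10:05:19Z client=10.0.0.31 query=govnp.org.example.net type=A
2023-12-01T10:06:07Z client=10.0.0.23 query=MX1.nepal.govnp.org. type=MX
"""

CONSTRUCTED_FILE_INVENTORY = """\
C:\\Users\\alice\\Downloads\\budget.docx sha256=B5C001CBCD72B919E9B05E3281CC4E4914FEE0748B3D81954772975630233A6E
C:\\Users\\alice\\Downloads\\notes.txt sha256=0000000000000000000000000000000000000000000000000000000000000000
C:\\Windows\\Temp\\svc.exe md5=32c5141b0704609b9404eff6c18b47bf
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm


def refang(indicator: str) -> str:
    """Reverse common defanging so an indicator can be compared with real log data."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


def load_iocs() -> Dict[str, Set[str]]:
    """Normalise the published IOCs: refanged lower-case domains, lower-case hashes."""
    iocs: Dict[str, Set[str]] = {"domains": {refang(d) for d in DEFANGED_DOMAINS}}
    for algo, values in PUBLISHED_HASHES.items():
        iocs[algo] = {v.lower() for v in values}
    return iocs


def match_domain(query: str, domains: Set[str]) -> Optional[str]:
    """Return the IOC the query equals or is a subdomain of, else None.

    The suffix test is anchored on a dot, so "govnp.org.example.net" is not a hit.
    """
    q = query.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


DNS_LINE = re.compile(r"client=(\S+) query=(\S+)")
HASH_LINE = re.compile(r"^(.*?)\s+(?:md5|sha1|sha256)=([0-9A-Fa-f]+)\s*$")


def scan_dns_log(text: str, iocs: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag DNS queries for a published C2 domain (or a subdomain of one)."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if not m:
            continue
        client, query = m.groups()
        ioc = match_domain(query, iocs["domains"])
        if ioc:
            hits.append({"client": client, "query": query.rstrip(".").lower(), "ioc": ioc})
    return hits


def scan_file_inventory(text: str, iocs: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag files whose digest is a published IOC; the algorithm is inferred from length."""
    hits = []
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if not m:
            continue
        path, digest = m.group(1), m.group(2).lower()
        algo = HASH_LENGTHS.get(len(digest))
        if algo and digest in iocs[algo]:
            hits.append({"path": path, "algo": algo, "hash": digest})
    return hits


if __name__ == "__main__":
    known = load_iocs()
    for hit in scan_dns_log(CONSTRUCTED_DNS_LOG, known):
        print("DNS hit:", hit)
    for hit in scan_file_inventory(CONSTRUCTED_FILE_INVENTORY, known):
        print("File hit:", hit)
```

Two details matter in practice: the domain match is anchored on a dot so that look-alike strings embedded in other domains do not fire, and hashes are compared after lower-casing and classified by digest length rather than by whatever label the inventory tool wrote, since published IOC lists (this one included) mix cases and tooling often mislabels algorithms.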