Microsoft Word Documents Used as Lures to Distribute Nim-Based Malware



A recently identified phishing campaign is using decoy Microsoft Word documents as a lure to deploy a backdoor written in the Nim programming language.

Nim-Based Malware

“Malware in uncommon programming languages hampers investigations for security experts, given their unfamiliarity,” noted Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara.

Nim-based malware has traditionally been uncommon in the threat landscape, but this trend is gradually shifting. Attackers are increasingly either creating custom tools from scratch using the language or porting existing versions of their malicious programs to Nim.

This has been exemplified in instances involving loaders like NimzaLoader, Nimbda, IceXLoader, and ransomware families identified as Dark Power and Kanti.

The attack chain outlined by Netskope initiates with a phishing email carrying a Word document attachment. Upon opening the document, the recipient is prompted to enable macros, triggering the deployment of the Nim malware. The email sender masquerades as a Nepali government official.

Upon activation, the implant is tasked with scanning running processes to identify the presence of recognized analysis tools on the infected host. It promptly terminates itself if such tools are detected.

Otherwise, the backdoor connects to a remote server whose domain mimics a Nepalese government domain, such as that of the National Information Technology Center (NITC), and awaits further instructions. At the time of analysis the command-and-control (C2) servers were no longer reachable. The C2 domains observed (shown defanged) were:

  • mail[.]mofa[.]govnp[.]org
  • nitc[.]govnp[.]org
  • mx1[.]nepal[.]govnp[.]org
  • dns[.]govnp[.]org
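The C2 hostnames above imitate Nepal's real gov.np namespace by fusing "gov" and "np" into a label under a different registrable domain. The following added example (not code from the article or from Netskope) scans DNS resolver log lines for those exact indicators and for that look-alike pattern; the log lines and the dnsmasq-style format are constructed for the example.

```python
"""Flag DNS queries for the Nim backdoor C2 domains named in the article
and for domains that imitate Nepal's gov.np namespace."""
import re

# Indicators quoted (defanged) in the article, refanged for matching.
NETSKOPE_C2_DOMAINS = {
    "mail.mofa.govnp.org",
    "nitc.govnp.org",
    "mx1.nepal.govnp.org",
    "dns.govnp.org",
}

LEGIT_GOV_SUFFIX = "gov.np"  # the real namespace the C2 domains imitate

# Constructed dnsmasq-style query log (sample data, not from the article).
SAMPLE_LOG = """\
Dec 11 09:12:01 gw dnsmasq[412]: query[A] nitc.gov.np from 10.0.0.5
Dec 11 09:12:02 gw dnsmasq[412]: query[A] nitc.govnp.org from 10.0.0.17
Dec 11 09:12:05 gw dnsmasq[412]: query[A] www.example.com from 10.0.0.5
Dec 11 09:12:09 gw dnsmasq[412]: query[A] mx1.nepal.govnp.org from 10.0.0.17
Dec 11 09:12:11 gw dnsmasq[412]: query[A] mofa-govnp.com from 10.0.0.22
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<src>\S+)")


def looks_like_gov_np(qname: str) -> bool:
    """True if qname is outside the real gov.np zone but its labels carry
    'gov' and 'np' fused (govnp.org) or adjacent (gov.np.example.org)."""
    qname = qname.lower().rstrip(".")
    if qname == LEGIT_GOV_SUFFIX or qname.endswith("." + LEGIT_GOV_SUFFIX):
        return False
    labels = re.split(r"[.-]", qname)  # treat '-' as a label boundary too
    if "govnp" in labels:
        return True
    return any(a == "gov" and b == "np" for a, b in zip(labels, labels[1:]))


def scan_dns_log(text: str) -> list:
    """Return one dict per suspicious query: qname, source IP and reason."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in NETSKOPE_C2_DOMAINS:
            reason = "known Nim backdoor C2"
        elif looks_like_gov_np(qname):
            reason = "gov.np look-alike"
        else:
            continue
        hits.append({"qname": qname, "src": m["src"], "reason": reason})
    return hits
```

The look-alike heuristic is deliberately narrow to this campaign's naming trick; widen it only after checking the resulting alert volume against your own resolver logs.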

“Nim is a statically typed compiled programming language,” explained the researchers. “In addition to its familiar syntax, its cross-compilation features enable attackers to craft a single malware variant and have it cross-compiled to target various platforms.”

The revelation coincides with Cyble exposing a social engineering campaign that utilizes messages on social media platforms to distribute a newly identified Python-based stealer malware known as Editbot Stealer. This malware is crafted to gather and exfiltrate valuable data through a Telegram channel controlled by the threat actor.

While threat actors explore new malware strains, phishing campaigns continue to distribute established ones like DarkGate and NetSupport RAT through email and compromised websites using fake update lures (known as RogueRaticate), notably associated with the BattleRoyal cluster.

Proofpoint, an enterprise security firm, noted over 20 campaigns utilizing DarkGate malware from September to November 2023, transitioning to NetSupport RAT more recently.

DarkGate is crafted to pilfer information and download supplementary malware payloads. On the other hand, NetSupport RAT, initially developed as a legitimate remote administration tool, has evolved into a formidable weapon used by malicious actors to infiltrate systems and gain unrestricted remote control.

“Cybercriminal threat actors are employing new, diverse, and increasingly creative attack chains, including the use of various TDS tools, to facilitate malware delivery,” stated Proofpoint.


About the Author:

FirstHackersNews - Identifies Security
