Decoy Microsoft Word documents used to deliver Nim-based malware

Nim-Based Malware

A new phishing campaign uses decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.

“Malware written in unusual programming languages puts the security community at a disadvantage, as researchers’ and reverse engineers’ unfamiliarity with them can hamper their investigation,” said Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara.

Nim-based malware is a rarity in the threat landscape, although that has slowly changed in recent years as attackers either continue to develop custom tools from scratch using the language or port existing versions of their nefarious programs to it.

This has been demonstrated by loaders such as NimzaLoader, Nimbda and IceXLoader, as well as by the ransomware families tracked as Dark Power and Kanti.

The attack chain documented by Netskope begins with a phishing email carrying a Word document attachment that, when opened, prompts the recipient to enable macros; the macro then triggers deployment of the Nim malware. The sender poses as a Nepalese government official.
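A mail gateway or triage script can catch this first stage before a user ever sees the "enable macros" prompt, by inspecting the attachment itself rather than trusting its extension. The example below is added here and is not Netskope's code or part of the campaign analysis; it builds a constructed stand-in for the attachment (a minimal OOXML zip, not the real lure) and checks two independent macro indicators, the `word/vbaProject.bin` part and the macro-enabled content type, because an attacker who controls the zip can drop one while keeping the other. The file names and sample bytes are assumptions for illustration.

```python
import io
import zipfile

# Content type Word declares for a macro-enabled (.docm) main document part.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Content type for an ordinary (.docx) main document part.
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container


def build_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for the attachment: a minimal OOXML zip, not the real lure."""
    main_ct = MACRO_MAIN_CT if with_macros else PLAIN_MAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; a few bytes suffice here.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def word_macro_indicators(data: bytes) -> dict:
    """Report the independent macro indicators an attachment carries.

    Both the VBA part and the declared content type are checked, because the
    attacker controls the zip and may remove one indicator while keeping the other.
    """
    result = {"container": "unknown", "vba_part": False, "macro_content_type": False}
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.dot: macros live in OLE streams, not in zip members. This
        # parser does not cover them; hand such files to an OLE/VBA-aware scanner.
        result["container"] = "ole"
        return result
    if not data.startswith(b"PK\x03\x04"):
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = MACRO_MAIN_CT in ctypes
    return result


def should_quarantine(filename: str, data: bytes) -> bool:
    """Quarantine when any macro indicator fires, when a file named .docx carries a
    VBA part (an inconsistency worth flagging on its own), or when the container is
    legacy OLE and this parser cannot prove it clean (fail closed)."""
    ind = word_macro_indicators(data)
    if ind["container"] == "ole":
        return True
    macro = ind["vba_part"] or ind["macro_content_type"]
    mismatch = filename.lower().endswith(".docx") and ind["vba_part"]
    return macro or mismatch


if __name__ == "__main__":
    for name, blob in (("lure.docm", build_sample(True)), ("memo.docx", build_sample(False))):
        print(name, word_macro_indicators(blob), "quarantine" if should_quarantine(name, blob) else "pass")
```

Note the fail-closed branch: an OLE-format `.doc` is not parsed here at all, so it is routed to quarantine rather than silently passed; in production that branch would hand the file to an OLE/VBA parser instead of blocking outright.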

Once launched, the implant enumerates running processes to check for known analysis tools on the infected host and terminates itself immediately if it finds one.

Otherwise, the backdoor connects to a remote server that mimics a Nepalese government domain, including that of the National Information Technology Center (NITC), and waits for further instructions. The command-and-control (C2) servers, which are no longer reachable, were:

  • mail[.]mold[.]government[.]org
  • no[.]government[.]org
  • mx1[.]Nepal[.]government[.]org
  • dns[.]government[.]org
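Defanged indicators like the ones above are only useful once they are refanged and swept against resolver or proxy telemetry, and a C2 host is rarely contacted by its bare name alone, so subdomains of each indicator should match too. The example below is added here and is not Netskope's tooling; it takes the four domains exactly as listed above, refangs them, and runs them over a few constructed DNS log lines (the log format and client addresses are assumptions, not real telemetry). It also includes a simple lookalike heuristic for the "mimics a Nepalese government domain" pattern, using an assumed token list.

```python
import re
from typing import Optional

# The defanged C2 domains exactly as listed above.
DEFANGED_C2 = [
    "mail[.]mold[.]government[.]org",
    "no[.]government[.]org",
    "mx1[.]Nepal[.]government[.]org",
    "dns[.]government[.]org",
]

# Constructed resolver log lines (assumed format: timestamp, client, qname, qtype).
SAMPLE_DNS_LOG = """\
2023-12-20T09:14:02Z client=10.20.0.15 q=mx1.nepal.government.org type=A
2023-12-20T09:14:05Z client=10.20.0.15 q=www.microsoft.com type=A
2023-12-20T09:15:31Z client=10.20.0.42 q=beacon.dns.government.org type=TXT
2023-12-20T09:16:00Z client=10.20.0.42 q=nitc.gov.np type=A
2023-12-20T09:16:07Z client=10.20.0.77 q=NO.GOVERNMENT.ORG. type=A
this line is garbage and must not crash the sweep
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+q=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)

# Assumed tokens that a lookalike of a Nepalese government domain is likely to carry.
LOOKALIKE_TOKENS = {"nepal", "nitc", "government"}
LEGIT_GOV_SUFFIX = "gov.np"


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a matchable hostname (lowercase, no trailing dot)."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return s.rstrip(".")


def normalize_qname(qname: str) -> str:
    """Resolver logs vary in case and may keep the root dot; canonicalize before comparing."""
    return qname.strip().lower().rstrip(".")


def matched_ioc(qname: str, iocs) -> Optional[str]:
    """Return the IOC the query matches: the host itself or any subdomain of it."""
    q = normalize_qname(qname)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def gov_np_lookalike(qname: str) -> bool:
    """Flag names that carry a government-looking token but are not under gov.np."""
    q = normalize_qname(qname)
    if q == LEGIT_GOV_SUFFIX or q.endswith("." + LEGIT_GOV_SUFFIX):
        return False
    return any(label in LOOKALIKE_TOKENS for label in q.split("."))


def scan_dns_log(text: str, defanged_iocs) -> list:
    """Return (client, qname, matched_ioc) for every query that hits a refanged IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole sweep
        ioc = matched_ioc(m["qname"], iocs)
        if ioc:
            hits.append((m["client"], normalize_qname(m["qname"]), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_C2):
        print(f"{client} queried {qname} (matches IOC {ioc})")
```

The subdomain rule is what catches `beacon.dns.government.org` against the listed `dns[.]government[.]org`; an exact-match sweep would miss it. The lookalike heuristic is deliberately coarse and meant for hunting, not blocking: it will flag any non-.np name carrying one of the assumed tokens, so its results need analyst review.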

“Nim is a statically typed, compiled programming language,” the researchers said. “Aside from the familiar syntax, the cross-compilation features allow attackers to write one malware variant and have it cross-compile to target different platforms.”

The disclosure comes as Cyble revealed a social engineering campaign that uses posts on social media platforms to deliver a new Python-based stealer called Editbot Stealer, which is designed to collect and exfiltrate valuable data through an actor-controlled Telegram channel.


As threat actors experiment with new types of malware, phishing campaigns have also been observed spreading well-known malware such as DarkGate and NetSupport RAT via email and via compromised websites serving fake browser updates (a technique also known as RogueRaticate), notably by a cluster tracked as BattleRoyal.

Enterprise security firm Proofpoint said it identified at least 20 campaigns using DarkGate malware between September and November 2023, before switching to NetSupport RAT earlier this month.

One attack sequence identified in early October 2023 is particularly notable for chaining two traffic delivery systems (TDSs), 404 TDS and Keitaro TDS, to filter victims and redirect those who match the actor's criteria to an actor-controlled domain hosting a payload that exploits CVE-2023-36025 (CVSS score: 8.8), a high-severity Windows SmartScreen security bypass that Microsoft patched in November 2023.

This implies that BattleRoyal weaponized the vulnerability as a zero-day about a month before Microsoft publicly disclosed it.

DarkGate is designed to steal information and download additional malware, while NetSupport RAT, which started life as a legitimate remote management tool, has been turned into a potent weapon wielded by malicious actors to infiltrate systems and establish unfettered remote control.

“Cybercriminal threat actors [are] adopting new, varied and increasingly creative attack chains – including the use of various TDS tools – to enable malware delivery,” Proofpoint said.

“Additionally, the use of both email and fake updates shows that the actor is using multiple types of social engineering techniques in an attempt to trick users into installing the latest payload.”

DarkGate has also been used by other threat actors such as TA571 and TA577, both of which are known to spread a variety of malware including AsyncRAT, NetSupport, IcedID, PikaBot, and QakBot (also known as Qbot).

“For example, TA577, one of the most prominent Qbot distributors, pivoted to delivering DarkGate malware in September and has since been observed delivering PikaBot in campaigns that typically contain tens of thousands of messages,” Selena Larson, senior threat intelligence analyst at Proofpoint, told The Hacker News.
