Spear-phishing emails are spreading the NimzaLoader malware loader, which evidence suggests may be used to download Cobalt Strike.
The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing and highly targeted spear-phishing emails.
Although earlier analysis on Twitter identified this loader as a variant of TA800’s existing BazaLoader malware, new research cites evidence that NimzaLoader is a separate strain, with its own string-decryption methods and API-hashing algorithm.
Nim Programming Language
The loader is unusual in that it is written in the Nim programming language. Nim is rarely used for malware; one of the few prior examples is a Nim-based downloader recently seen in use by the Zebrocy threat group.
Because of this, researchers say malware developers may be using Nim to avoid detection by defence teams who may not be familiar with the language.
“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyse samples of it,” Dennis Schwarz and Matthew Mesa, researchers with Proofpoint, wrote in a report on Wednesday.
TA800 Threat Actor
NimzaLoader is used as “initial-access malware” and was first observed being distributed by the TA800 threat actor in February, researchers said. TA800 is an affiliate distributor of TrickBot and BazaLoader (also known as Bazar Backdoor, BazarCall and other names).
NimzaLoader’s main purpose is not yet certain; however, some evidence suggests it is being used to download and execute the Cobalt Strike commodity malware as a secondary payload, researchers observed.
BazaLoader vs. NimzaLoader
Initial analysis of NimzaLoader by various researchers on Twitter indicated that it might be a variant of BazaLoader, another loader used by TA800 whose primary function is downloading and executing additional modules.
However, Proofpoint researchers pointed to evidence that they say shows NimzaLoader is not merely a BazaLoader variant: “Based on our observations of significant differences, we are tracking this as a distinct malware family,” they commented.
They cited several major differences between NimzaLoader and BazaLoader: the two samples use different code-flattening obfuscators, different styles of string decryption and different XOR/rotate-based Windows API hashing algorithms.
Other traits that set NimzaLoader apart are that it does not use a domain-generation algorithm and that it uses JSON in its command-and-control (C2) communications.
Researchers first observed the NimzaLoader campaign on Feb. 3, in the form of emails with “personalised details” for victims, including their names and company names.
The messages purport to come from a co-worker who says he is “late” driving into the office and asks the recipient to review a presentation. The message contains a shortened URL that purports to link to a PDF preview.
If the recipient clicks the link, they are redirected to a landing page hosted on the email marketing service GetResponse. That page links to the “PDF” and tells the victim to “save to preview”; this link actually delivers the NimzaLoader executable.
Upon closer inspection, researchers found that NimzaLoader is written in Nim, as evidenced by various “nim”-related strings in the executable. Most of the malware’s strings are encrypted with an XOR-based algorithm, using a single key per string.
One encrypted string contains a timestamp that sets an expiration date for the malware. In one analysed sample, the expiration date was set to Feb. 10 at 1:20:55.003 p.m., meaning the malware would not run after that date and time.
Most of the other strings are command names; the commands include executing powershell.exe and injecting shellcode into a process as a thread.
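To make the per-string XOR scheme and the expiry check concrete for analysts, here is an added example of how a decoded string table and its embedded timestamp would be handled during triage. This is not NimzaLoader’s code or Proofpoint’s tooling: the storage layout (one key byte followed by the XOR’d bytes), the ISO-8601 timestamp format, the year in the timestamp and the sample blobs are all assumptions constructed for the example so that it runs offline.

```python
"""Analyst-side decoder for a table of strings each protected with its own
single-byte XOR key, plus a check of the embedded expiration timestamp.

Added example: NOT NimzaLoader's code or Proofpoint's tooling. The layout
(one key byte, then ciphertext), the ISO-8601 timestamp format and the
sample blobs are assumptions constructed for this illustration.
"""
import re
from datetime import datetime
from typing import List, Optional

# Matches an ISO-8601 timestamp such as 2021-02-10T13:20:55.003 (assumed format).
ISO_TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?")


def _make_blob(plaintext: str, key: int) -> bytes:
    """Build a constructed test blob: key byte, then plaintext XOR key."""
    return bytes([key]) + bytes(b ^ key for b in plaintext.encode("ascii"))


# Constructed string table (not bytes from a real sample). Each entry uses a
# different key, mirroring the one-key-per-string scheme described above.
SAMPLE_TABLE = [
    _make_blob("powershell.exe", 0x5A),
    _make_blob("2021-02-10T13:20:55.003", 0xC3),  # year is an assumption
    _make_blob("inject", 0x17),
]


def decrypt_entry(blob: bytes) -> str:
    """Recover one string: the first byte is the key, the rest is ciphertext."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key byte and ciphertext")
    key, body = blob[0], blob[1:]
    return bytes(b ^ key for b in body).decode("ascii")


def decrypt_table(table: List[bytes]) -> List[str]:
    """Decode every entry of a string table."""
    return [decrypt_entry(blob) for blob in table]


def find_expiry(strings: List[str]) -> Optional[str]:
    """Return the first decoded string that looks like an ISO-8601 timestamp."""
    for s in strings:
        if ISO_TIMESTAMP.fullmatch(s):
            return s
    return None


def sample_would_run(expiry_iso: str, clock_iso: str) -> bool:
    """True if a sample with this expiry would still execute when the host
    clock reads clock_iso. Both are naive local timestamps in ISO-8601 form."""
    return datetime.fromisoformat(clock_iso) < datetime.fromisoformat(expiry_iso)


if __name__ == "__main__":
    strings = decrypt_table(SAMPLE_TABLE)
    print("decoded strings:", strings)
    expiry = find_expiry(strings)
    print("embedded expiry:", expiry)
    for clock in ("2021-02-09T09:00:00", "2021-02-11T09:00:00"):
        print(f"sandbox clock {clock}: would run = {sample_would_run(expiry, clock)}")
```

The expiry check is the part that matters operationally: a sample detonated after its embedded date simply does not run, so a sandbox whose clock is past that date produces no behaviour to detect. Recovering the timestamp first tells the analyst what clock to set before re-running the sample.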
While the NimzaLoader C2 servers were down at the time of analysis, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.
“We are unable to validate or confirm this finding, but it does align with past TA800 tactics, techniques and procedures (TTPs),” they observed.
Researchers linked NimzaLoader back to TA800, a threat group that has targeted a wide range of industries in North America, infecting victims with banking trojans and malware loaders.
According to Proofpoint researchers, TA800’s previous campaigns have often included malicious emails with recipients’ names, titles and employers, along with phishing pages designed to look like the targeted company. Researchers noted that the malware shows TA800 continuing to integrate different tactics into its campaigns.
“It is… unclear if NimzaLoader is just a blip on the radar for TA800 and the wider threat landscape—or if NimzaLoader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption,” the researchers concluded.