
The NimzaLoader Conundrum

Security researchers at Proofpoint have discovered a new initial access malware written in a programming language rarely used for compiling malicious code. The language is Nim, which is perhaps best described as being "as fast as C, as expressive as Python, and as extensible as Lisp." Its use in malware is rare: only a handful of Nim-based variants have been discovered, and most of those were only ever discussed in Twitter posts. To the best of the writer's knowledge, NimzaLoader may be the first piece of Nim-written malware to be analyzed thoroughly and have that analysis released to the public. However, when detections of the malware were first observed by researchers, it looked like just another campaign of a well-known trojan, BazarLoader. This presented researchers with yet another conundrum to solve in a field known for dealing with conundrums.

According to the report published by Proofpoint, it is believed that the attackers chose the language to avoid detection and hamper defensive efforts. The malware's main purpose is to grant initial access to Windows computers and then provide the attackers with the ability to execute commands. Those commands can grant the attacker greater control over the machine, steal information, and drop other, more damaging malware onto the machine. Ransomware such as Ryuk has been distributed in this way on numerous occasions.


NimzaLoader is typically distributed via phishing emails. These emails contain a link to a fake PDF downloader which, if run, downloads the malware. The attackers use social engineering to get recipients to click on the link, and in some cases they tailor the email to the recipient with personal details such as the recipient's name and the company they work for. In one example provided by Proofpoint, the email claimed to be from a colleague who was running late and needed the recipient to check a report before a meeting. Even if the recipient knows there is no such meeting, they may still click the link to see what the report is about and whether it involves them. The email is made to look as if it was sent from a mobile device, lending credence to the story about running late and, the attackers hope, catching the potential victim off guard.

As phishing emails are the primary method used to distribute NimzaLoader, organizations should ensure that their email gateway is protected by tools, such as an anti-spam or anti-phishing product, that stop malicious emails from reaching inboxes. If the email never arrives, or is immediately quarantined or discarded, the threat is neutralized before a user can click anything. Organizations also need to train staff on how to spot phishing emails, particularly when campaigns like this one use personal details to encourage victims to let their guard down.

TA800

Proofpoint researchers also managed to determine the attackers behind the campaign. According to Proofpoint, although the malware is new, the tactics are in line with a threat group the security firm tracks as TA800. Some of the group's activities were brought to light in Proofpoint's Q4 2020 threat report. According to researchers, the group is a known affiliate of TrickBot and BazarLoader, and both malware families are believed to have been created by the same authors, a belief that stems in part from Ryuk being spread by both. Summarizing TA800's tactics and methods, researchers stated,

“TA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients’ names, titles and employers along with phishing pages designed to look like the targeted company. Lures have included hard-to-resist subjects such as those related to payment, meetings, termination, bonuses and complaints in the subject line or body of the email.”

During this period, TA800 was responsible for a wave of attacks on the healthcare sector. These attacks were defined by the use of BazarLoader to gain initial access, after which Ryuk was let loose on the hospital's network. Hospitals and other healthcare facilities have become enticing targets for operations of this kind because they cannot afford downtime, given the life-and-death situations they face daily.

Proofpoint's assertion that TA800 is behind the spread of NimzaLoader rests on several observations. The group also primarily uses phishing emails to distribute BazarLoader, and the message templates and the way the attack attempts to deliver the payload are consistent with previous TA800 phishing campaigns. This led researchers to conclude that NimzaLoader is also the work of TA800, giving the threat group another means of attack. Given that the group has previously used initial access malware to later distribute Ryuk, victims of NimzaLoader could face a similar fate. Speaking to ZDNet, Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, said,

“TA800 has often leveraged different and unique malware, and developers may choose to use a rare programming language like Nim to avoid detection, as reverse engineers may not be familiar with Nim's implementation or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyse samples of it,”
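The detection gap DeGrippo describes is partly a tooling problem: analysts and signatures tuned for C/C++ or .NET loaders may not recognize a Nim build at all. The following Python script is an added example (not code from Proofpoint, the Walmart researchers, or the NimzaLoader authors) showing a cheap first-pass triage check for Nim-compiled binaries. It assumes, as a heuristic, that Nim's compiler typically leaves recognizable strings in its output, such as the `NimMain` entry routine, the `nim_program_result` global, the "Error: unhandled exception:" message, and embedded `.nim` source file names used for stack traces; the two sample blobs are constructed inline and are not real malware.

```python
"""Heuristic triage for Nim-compiled binaries.

Added example, not from the original article. The indicator strings
below are an assumption about what the Nim compiler commonly embeds in
its output; tune them against known-good and known-bad samples before
relying on them. A hit means "built with Nim", not "malicious".
"""
import re
from typing import Dict, List

# Assumed Nim artefacts: runtime entry points, a runtime global, and the
# default unhandled-exception message. Case-sensitive on purpose.
NIM_INDICATORS: List[bytes] = [
    b"NimMain",
    b"NimMainModule",
    b"nim_program_result",
    b"Error: unhandled exception:",
]

# Nim source file names (e.g. system.nim, fatal.nim) are embedded for
# stack-trace information in many builds.
NIM_SOURCE_RE = re.compile(rb"[A-Za-z0-9_]+\.nim\b")


def scan_bytes(data: bytes) -> Dict[str, object]:
    """Return which Nim indicators appear in a byte blob and a simple score."""
    hits = [ind.decode() for ind in NIM_INDICATORS if ind in data]
    sources = sorted({m.decode() for m in NIM_SOURCE_RE.findall(data)})
    # One point per indicator string, up to three points for source names,
    # so a single stray ".nim" in unrelated data does not trigger on its own.
    score = len(hits) + min(len(sources), 3)
    return {
        "indicators": hits,
        "source_files": sources,
        "score": score,
        "likely_nim": score >= 2,
    }


def scan_file(path: str) -> Dict[str, object]:
    """Scan a file on disk (reads the whole file; fine for loader-sized samples)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples: a fake PE header followed by strings. Neither is a
# real binary; they only exercise the scanner.
SAMPLE_NIM_LIKE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"NimMain\x00nim_program_result\x00system.nim\x00fatal.nim\x00"
    + b"Error: unhandled exception:\x00"
)
SAMPLE_PLAIN_C = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"kernel32.dll\x00GetProcAddress\x00main\x00"
)

if __name__ == "__main__":
    for name, blob in (("nim-like", SAMPLE_NIM_LIKE), ("plain-c", SAMPLE_PLAIN_C)):
        print(name, scan_bytes(blob))
```

Run it against a directory of suspicious attachments or sandbox drops to flag candidates for manual analysis; the same indicator list translates directly into a YARA rule if you want the check in an existing pipeline. Because the author of a loader can strip or obfuscate these strings, treat a miss as "not obviously Nim", never as "clean".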

The Conundrum

Before Proofpoint's analysis was published, some Twitter posts discussed a new variant of BazarLoader being seen in the wild. This was followed by Joshua Platt and Jason Reaves from Walmart providing an excellent analysis of the supposed new variant. They called it NimarLoader and concluded that it had been mistakenly attributed to BazarLoader, in part because of the similarities in tactics and distribution methods. Platt and Reaves determined that the new variant was written in Nim and did not contain the anti-analysis hardening that BazarLoader typically uses. Further, the campaigns they observed made use of Cobalt Strike, a commercial adversary-simulation framework whose post-exploitation agent is widely abused by criminal groups as a command-and-control implant.

The campaign also made use of the same infrastructure used in previous BazarLoader and Ryuk campaigns. This led the researchers to conclude,

“Nimar Loader appears to be partially based on existing code or perhaps the idea originated elsewhere. The actors behind TrickBot have incorporated free utilities and software developed by the CyberSecurity or opensource communities for their own nefarious purposes (MiniLZO, BloodHound, CobaltStrike, PowerSploit, Obfuscator-LLVM, ADVobfuscator…) in the past. While the nim language is not new to the offensive scene, it is quite a departure for the traditional tooling of Trickbot.”

While Platt and Reaves went some way toward linking Nimar Loader to TrickBot, it is Proofpoint's analysis that appears to show that Nimar Loader and NimzaLoader are one and the same and have strong ties to those behind TrickBot. Taken together, the work of both teams supports the conclusion that NimzaLoader is not a variant of BazarLoader but a new tool available to TA800 and potentially to other affiliates of TrickBot. Proofpoint concluded,

“NimzaLoader is a new initial access malware being distributed and used by the TA800 threat actor. In 2020, we observed the shift from TA800 distributing the Trick, with intermittent shifts to Buer Loader, and a consistent distribution of BazaLoader since April 2020. There has been some research community analysis suggesting that NimzaLoader is just another variant of BazaLoader, but based on our observations of significant differences, we are tracking this as a distinct malware family. There has been some evidence suggesting NimzaLoader is being used to download and execute Cobalt Strike as its secondary payload, but it is unclear whether this is its primary purpose. It is also unclear if NimzaLoader is just a blip on the radar for TA800—and the wider threat landscape—or if NimzaLoader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption. TA800 continues to integrate different tactics into their campaigns, with the latest campaigns delivering Cobalt Strike directly.”


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
