The TA800 threat group is spreading the NimzaLoader malware loader in spear-phishing emails. Experts say it may be used to download Cobalt Strike.
New research from Proofpoint provides evidence that NimzaLoader is more distinct from known malware families than experts previously thought. It has its own string-decryption methods and hashing algorithms.
The malware loader is also unusual in that it is written in the Nim programming language, which is uncommon for malware. Researchers believe malware developers may be using Nim on purpose – to avoid detection by defense teams who may not be familiar with the language.
“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” said researchers Dennis Schwarz and Matthew Mesa of Proofpoint in a report on Wednesday.
NimzaLoader is used as “initial-access malware” by the TA800 threat actor, a distributor of TrickBot and BazaLoader. TA800 has already targeted about 100 organizations, Proofpoint researchers told Threatpost.
The researchers say there is some evidence suggesting the loader is being used to download and execute the Cobalt Strike malware.
Based on Proofpoint’s observations of significant differences, the security firm thinks NimzaLoader is a distinct malware family and not a variant of BazaLoader.
The major distinctions are in different styles of string decryption and different XOR/rotate-based Windows API hashing algorithms, the researchers explain.
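To make the “XOR/rotate-based Windows API hashing” distinction concrete, here is an analyst-side helper of the kind reverse engineers build when a loader resolves Windows APIs by hash instead of by name. This is an added example written for this page, not Proofpoint’s code and not NimzaLoader’s actual algorithm: the rotate-then-XOR routine, the default rotation count of 13, and the short API name list are illustrative assumptions. The useful point for defenders is the last function: given one hash value recovered from a sample and the API name it was observed to resolve to, it recovers which rotation constant the family uses, which is exactly the kind of per-family difference the researchers describe.

```python
"""Analyst helper for a generic XOR/rotate API-hash scheme.

Added example for this article; the hash routine below is a generic
illustration (assumed rotation of 13 bits, then XOR with each byte) and
is NOT NimzaLoader's or BazaLoader's real algorithm.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def rot_xor_hash(name: str, rot: int = 13) -> int:
    """Generic rotate/XOR hash over the ASCII bytes of an API name.

    h = ror32(h, rot) ^ byte, for each byte. Families that use this
    style typically differ in `rot` and in small tweaks like this one.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ror32(h, rot) ^ b
    return h


def build_lookup(api_names: Iterable[str], rot: int = 13) -> Dict[int, str]:
    """Precompute hash -> name so hashes seen in a sample can be labelled."""
    return {rot_xor_hash(n, rot): n for n in api_names}


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Return the API name for a hash, or None if it is not in the table."""
    return table.get(hash_value)


def candidate_rotations(hash_value: int, name: str) -> List[int]:
    """Recover the rotation constant from one known (hash, name) pair.

    Returns every rotation in 1..31 that reproduces the hash; with a
    realistic API name this is normally a single value.
    """
    return [r for r in range(1, 32) if rot_xor_hash(name, r) == hash_value]


# Constructed sample list; a real table would cover the exports of
# kernel32, ntdll, advapi32, etc.
SAMPLE_APIS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "CreateProcessA",
    "WinHttpOpen",
]


if __name__ == "__main__":
    table = build_lookup(SAMPLE_APIS, rot=13)
    for h, n in sorted(table.items()):
        print(f"{h:08x}  {n}")
    # Pretend a sample was seen resolving this hash to GetProcAddress,
    # but with an unknown rotation: recover the constant.
    observed = rot_xor_hash("GetProcAddress", rot=7)
    print("rotation candidates:", candidate_rotations(observed, "GetProcAddress"))
```

In practice the analyst swaps in the family’s real hash routine once it has been lifted from the sample and feeds the table into the disassembler, so that hashed imports show up as readable API names; the rotation recovery step is what tells you whether two loaders that look alike actually share a hashing scheme.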
Another feature that sets NimzaLoader apart is that it uses JSON in its command-and-control (C2) communications.
Researchers first observed the NimzaLoader campaign on Feb. 3, in the form of emails with “personalized details” for victims – including their names and company names.
The attack vector includes an email “from a colleague” with a link to a PDF file that the victim supposedly needs to “save to preview.” The link in fact leads to the NimzaLoader executable.
The researchers said a public malware sandbox indicates that the malware receives a PowerShell command that ultimately delivers a Cobalt Strike beacon.
“We are unable to validate or confirm this finding, but it does align with past TA800 tactics, techniques and procedures (TTPs),” they said.
Researchers linked NimzaLoader back to TA800, a threat group that has been infecting victims with banking trojans and malware loaders using the same tactics: emails that include the recipients’ names, titles and employers, and phishing pages mimicking the targeted company’s own.