In a recent cyber threat development, a phishing campaign has emerged, employing decoy Microsoft Word documents to deliver a backdoor malware coded in the Nim programming language. Researchers at Netskope highlighted the unique challenge posed by malware written in less common programming languages, which hampers investigations due to the security community’s unfamiliarity. Nim-based malware has been a rarity but is gaining traction, as observed in recent attacks, including loaders like NimzaLoader and ransomware families such as Dark Power and Kanti.
The attack documented by Netskope begins with phishing emails containing Word document attachments, with the recipient urged to enable macros, leading to the activation of the Nim malware. The phishing emails impersonate a Nepali government official, demonstrating an added layer of social engineering sophistication. Once activated, the Nim-based backdoor enumerates running processes on the infected host, identifying and terminating known analysis tools. In the absence of such tools, the backdoor establishes connections with remote servers mimicking government domains from Nepal, such as the National Information Technology Center (NITC).
These servers act as command-and-control points for the malware, awaiting further instructions. Notably, Nim’s features, including its familiar syntax and cross-compilation capabilities, enable attackers to write a single malware variant that can be cross-compiled to target various platforms. This discovery comes amid a broader trend where cyber threat actors are leveraging less common programming languages to evade detection and enhance the sophistication of their attacks. The deployment of Nim-based malware demonstrates the evolving tactics used by threat actors to exploit vulnerabilities and underscores the importance of continuous research and adaptation by the cybersecurity community. As these novel techniques become more prevalent, defenders must remain vigilant and update their strategies to effectively counter emerging cyber threats.
Reference
