Nim-Based Malware Alert: Decoy Word Docs Unleash Threats
In the ever-evolving landscape of cyber threats, a recent phishing campaign has surfaced. It uses decoy Microsoft Word documents to deliver a backdoor written in the Nim programming language. This choice puts the security community at a disadvantage, as the use of uncommon programming languages complicates the work of researchers and reverse engineers.
Nim-Based Malware On The Rise
Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara shed light on the increasing prevalence of this decoy Word document malware. While Nim has historically been a rarity in the threat landscape, the tide is turning as attackers either develop custom tools from scratch or port existing malicious programs to this language.
Recent instances include the emergence of loaders like NimzaLoader, Nimbda, IceXLoader, and ransomware families like Dark Power and Kanti. This shift reflects a growing trend among cyber adversaries to diversify their techniques, making detection and analysis more challenging for cybersecurity professionals.
Nim Language In Cyber Attacks
The phishing campaign identified by Netskope initiates with a seemingly innocent Word document attached to a phishing email. Upon opening the document, the recipient is prompted to enable macros, triggering the deployment of the Nim-based malware. Notably, the email sender adopts a disguise, posing as a Nepali government official to enhance the illusion of legitimacy.
Once activated, the malware enumerates the running processes on the infected host. Its primary objective is to identify known analysis tools and promptly terminate itself if any are detected. The backdoor then connects to a remote server hosted on domains mimicking Nepali government domains, including that of the National Information Technology Center (NITC), and awaits further instructions.
The command-and-control (C2) servers associated with this campaign are as follows:
- mail[.]mofa[.]govnp[.]org
- nitc[.]govnp[.]org
- mx1[.]nepal[.]govnp[.]org
- dns[.]govnp[.]org
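As an added, defender-side example (not code from the article or the Netskope report), the following script refangs the C2 domains listed above and flags DNS log lines whose queried name is one of them or sits under the lookalike apex govnp[.]org; the log lines and their "timestamp client qname" format are constructed for the example, and the legitimate-looking nitc.gov.np line shows what must not be flagged.

```python
# Added example: match DNS queries against the article's listed C2 domains.
# Log lines below are constructed samples, not real telemetry.
import re

# Defanged indicators exactly as listed in the article.
DEFANGED_C2 = [
    "mail[.]mofa[.]govnp[.]org",
    "nitc[.]govnp[.]org",
    "mx1[.]nepal[.]govnp[.]org",
    "dns[.]govnp[.]org",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in DEFANGED_C2}
# The lookalike apex shared by every listed C2 host; any host under it is suspect.
LOOKALIKE_APEX = "govnp.org"

def is_suspicious(hostname: str) -> bool:
    """True if hostname is a listed C2 or any host under the lookalike apex."""
    host = hostname.lower().rstrip(".")
    return host in C2_DOMAINS or host == LOOKALIKE_APEX or host.endswith("." + LOOKALIKE_APEX)

# Constructed sample lines in a simplified "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2023-12-20T09:14:02Z 10.0.0.12 www.example.com
2023-12-20T09:14:05Z 10.0.0.12 nitc.govnp.org.
2023-12-20T09:14:07Z 10.0.0.31 update.govnp.org
2023-12-20T09:14:09Z 10.0.0.31 nitc.gov.np
2023-12-20T09:14:11Z 10.0.0.44 MAIL.MOFA.GOVNP.ORG
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and is_suspicious(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname}")
```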
Nim Malware Delivery Methods
The researchers emphasize the advantages Nim offers malware authors, describing it as a statically typed, compiled programming language. Beyond its familiar syntax, Nim's cross-compilation features allow attackers to write a single malware variant and then cross-compile it to target different platforms. This flexibility contributes to the effectiveness of these malicious document attacks, enabling threat actors to maximize their reach.
Evolving Cyber Threat Landscape
This revelation comes amidst a broader spectrum of cyber threats, as evidenced by a social engineering campaign disclosed by Cyble. In this campaign, social media platforms serve as vehicles for delivering a new Python-based stealer malware named Editbot Stealer. This malware is designed to harvest and exfiltrate valuable data through an actor-controlled Telegram channel.
While threat actors experiment with novel malware strains, traditional phishing campaigns persist. Notably, known malware such as DarkGate and NetSupport RAT is distributed via email and compromised websites using fake update lures, a tactic known as RogueRaticate. Proofpoint, an enterprise security firm, identified at least 20 campaigns utilizing DarkGate malware between September and November 2023 before transitioning to NetSupport RAT in the subsequent month.
Advanced Tactics in Phishing Campaigns
Proofpoint reveals the adoption of advanced tactics in phishing campaigns, with threat actors leveraging DarkGate and NetSupport RAT. In one noteworthy sequence in October 2023, the attackers employed two traffic delivery systems (TDSs), namely 404 TDS and Keitaro TDS, to filter and redirect victims to an actor-operated domain. The domain hosted a payload that exploited CVE-2023-36025 (CVSS score: 8.8). This high-severity Windows SmartScreen security bypass was addressed by Microsoft in November 2023.
Remarkably, BattleRoyal, the group behind DarkGate, weaponized this vulnerability as a zero-day a month before it was publicly disclosed by Microsoft. DarkGate focuses on stealing information and downloading additional malware payloads, while NetSupport RAT, initially a remote administration tool, has evolved into a potent weapon for malevolent actors seeking unfettered remote control. Therefore, implementing vigilant measures is essential for protecting against document-based malware.
Diversification of Cyber Threats
The landscape of cybersecurity threats in 2024 continues to evolve, with threat actors adopting new, varied, and increasingly creative attack chains. Proofpoint emphasizes the use of various TDS tools in tandem with email and fake update lures, showcasing the multifaceted nature of the evasion techniques employed to persuade users to install the final payload.
DarkGate's use extends beyond BattleRoyal to other threat actors, including TA571 and TA577. These actors in turn disseminate a range of malware such as AsyncRAT, NetSupport RAT, IcedID, PikaBot, and QakBot (aka Qbot). Staying informed about cyber threat landscape updates is crucial for maintaining robust cybersecurity measures.
Conclusion
The cybersecurity landscape is witnessing a dynamic interplay of tactics, with Nim-based malware emerging as a new player in the realm of cyber threats. As threat actors diversify and refine their strategies, organizations must stay vigilant and implement cybersecurity best practices to safeguard against evolving risks.
The sources for this piece include articles in The Hacker News and CyberM.