Phishing has been on the rise since the start of the pandemic. Continuing that trend, a new phishing campaign has been discovered that delivers a new malware written in a rarely used language.
Written in the Nim programming language to avoid detection, this new malware is called the NimzaLoader. This campaign has been credited to the TA800 threat actor, who has also been credited with the previously propagated BazaLoader Malware.
Researchers have stated that the rare programming language was chosen because reverse engineers may be less acquainted with its implementation.
Is NimzaLoader similar to BazaLoader?
Below are the differences that have been observed between the two –
- The programming language is entirely different
- The domain generation algorithm, string decryption algorithm, and the code flattening obfuscator do not coincide between the two.
Hence, it can be deduced that NimzaLoader is not a variant of the BazaLoader malware.
The campaign –
- The dissemination of NimzaLoader by the TA800 threat actors started on the 3rd of February, and it has been distributed once to date.
- The personal details of users are being exploited by this campaign in its phishing mails. The phishing emails contain malicious links that redirect the users to phishing pages to compromise sensitive information.
- The campaign uses hard-to-resist subjects for its phishing lures, such as termination, bonuses, and more.
- Evidence suggests that the malware has been used to deploy Cobalt Strike as its secondary payload. However, at this moment it cannot be confirmed whether this is the primary purpose of the malware.
The shift in the programming language used is yet another example of the evolving tactics of threat actors. TA800 has been tied to several attacks against a wide range of sectors and is showing no signs of slowing down.
To read more, please check eScan Blog