Recently the security researchers have not only discovered a new phishing campaign but also a new malware that has been utilized by the operators of the phishing campaign. The new malware has been named Nimzaloader as it has been written in the Nim programming language to evade detection. The campaign has been attributed to the TA800 threat actor, who previously propagated the BazaLoader malware.
According to experts, the operators have used a rare programming language like Nim in order to avoid reverse engineers from getting acquainted with the implementation.This, in turn, implies that sandboxes and tools will struggle with analyzing samples of the malware. Nimzaloader is not a variant from Bazaloader not only because of the programming language, the Code flattening obfuscator, string decryption style, and domain generation algorithms don’t coincide between the two malware.
The phishing campaign utilizing Nimzaloader is exploiting the personal details of users in its phishing mails. The email contained links that redirect users to phishing pages to compromise sensitive information. The phishing lures used include hard to resist subjects, such as termination, bonuses, and more. Although evidence suggests that the malware has been used to deploy Cobalt Strike as its secondary payload. However, as of now, it cannot be stated if that’s the primary purpose.