New Phishing Campaign Deploys Nim-Based Malware via Microsoft Word Documents
A recently uncovered phishing campaign is using Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. Malware built in a less common language complicates analysis, because analysts and reverse-engineering tooling are less familiar with it, according to Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara.
Malware written in Nim has been rare in the threat landscape, but its use is gradually increasing. Attackers have both developed new tools in Nim and ported existing malware to it; NimzaLoader, Nimbda, and IceXLoader are examples of this trend, and the Dark Power and Kanti ransomware families show that Nim is also being adopted for ransomware.
The attack sequence begins with a phishing email purporting to come from a Nepali government official, carrying a Word document attachment. When the document is opened, the victim is prompted to enable macros; doing so launches the Nim malware. Once running, the malware first checks the host for known security tools. If one is found, the implant terminates itself rather than continue, a simple defense-evasion step that also frustrates analysis on instrumented machines.
If no security tool is detected, the malware connects to a remote server whose hostnames mimic legitimate Nepali government domains, including that of the National Information Technology Center (NITC), and waits for commands. The command-and-control servers used in the campaign are no longer reachable, which limits what can be learned about the later stages of the intrusion.
Nim is a statically typed, compiled language with built-in cross-compilation, so a single malware code base can be compiled for several target platforms. That reduces the effort required to adapt the implant to new victims. The campaign fits a broader pattern in which threat actors rotate languages, lures and delivery techniques to stay ahead of detection.
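Two of the observable artifacts above, a macro-enabled Word attachment and C2 hostnames that imitate a legitimate government domain, can each be checked mechanically. The following script is an added example written for this page, not code from Netskope or from the campaign. It inspects a Word attachment by content rather than file extension (OOXML files are zip containers in which VBA code lives in `word/vbaProject.bin`, and legacy `.doc` files are OLE2 compound files), and it flags hostnames whose registrable domain differs from an allow-listed legitimate domain while reusing its labels or sitting within a small edit distance of it. The legitimate domain `nitc.gov.np`, the tiny public-suffix list, and all sample hostnames and documents are constructed assumptions for the example; the real campaign's domains are not reproduced here.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                                  # OOXML (.docx/.docm) container
MACRO_MAIN_PART = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def classify_word_attachment(data: bytes) -> dict:
    """Decide from raw bytes whether a Word attachment carries VBA macros.

    Checks both the vbaProject.bin part and the macro-enabled content type,
    so a .docm renamed to .docx is still caught. Legacy OLE2 files need an
    OLE parser (e.g. oletools' olevba) and are only flagged for review here.
    """
    if data.startswith(OLE2_MAGIC):
        return {"format": "ole2", "has_macros": None, "reason": "legacy .doc; inspect with an OLE parser"}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "unknown", "has_macros": None, "reason": "not an Office container"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_macros": None, "reason": "corrupt zip container"}
    macro_enabled = MACRO_MAIN_PART in content_types
    has_macros = bool(vba_parts) or macro_enabled
    reason = ", ".join(filter(None, [
        f"VBA part present: {vba_parts[0]}" if vba_parts else "",
        "main part declared macro-enabled" if macro_enabled else "",
    ])) or "no VBA project found"
    return {"format": "ooxml", "has_macros": has_macros, "reason": reason}


def build_sample_doc(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main = MACRO_MAIN_PART if with_macros else PLAIN_MAIN_PART
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" ContentType="' + main + b'"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


# Assumed legitimate domain for the example; the real allow list would come from the org.
LEGIT_DOMAINS = {"nitc.gov.np"}
# Deliberately tiny stand-in for the public suffix list.
PUBLIC_SUFFIXES = {"gov.np", "np", "org", "com", "net"}


def registrable_domain(host: str) -> str:
    """Return the registrable (suffix + one label) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple:
    """Return ("benign"|"lookalike", reason) for an observed DNS/TLS hostname."""
    rd = registrable_domain(host)
    if rd in LEGIT_DOMAINS:
        return "benign", f"registrable domain {rd} is allow-listed"
    host_labels = host.lower().split(".")
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # Brand label reused under a different registrable domain (e.g. nitc.<other>.org).
        if any(brand in lab for lab in host_labels):
            return "lookalike", f"label '{brand}' from {legit} reused under {rd}"
        # Whole-name typosquat: compare with dots removed so nitc-gov.np ~ nitc.gov.np.
        if edit_distance(rd.replace(".", ""), legit.replace(".", "")) <= 2:
            return "lookalike", f"{rd} is within edit distance 2 of {legit}"
    return "benign", f"{rd} does not resemble an allow-listed domain"


if __name__ == "__main__":
    print(classify_word_attachment(build_sample_doc(True)))
    for h in ["mail.nitc.gov.np", "nitc.govnp.org", "nltc.gov.np", "example.com"]:  # constructed samples
        print(h, classify_host(h))
```

In a mail gateway or EDR pipeline the attachment check would run on every Office file regardless of extension, and the hostname check on DNS or TLS SNI telemetry against the organisation's real allow list and a full public-suffix list; the simplified tables above exist only so the example runs offline.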
Furthermore, Cyble has reported on a separate social engineering campaign that leverages messages on social media platforms to distribute a Python-based stealer malware called Editbot Stealer. This malware is designed to harvest sensitive data through a Telegram channel controlled by cybercriminals, highlighting the dynamic nature of threats in the current digital landscape.
In recent months, cyber actors have also been observed distributing established malware strains such as DarkGate and NetSupport RAT via phishing emails and compromised websites promising fake updates. For instance, Proofpoint has identified numerous campaigns circulating DarkGate malware since September 2023, with a shift to NetSupport RAT in November.
In one notable instance in early October, two traffic distribution systems (TDSs) were used to funnel victims to a domain hosting payloads that exploited CVE-2023-36025, a Windows SmartScreen security feature bypass. The activity predated Microsoft's fix, released in November 2023, meaning the attackers were using the flaw as a zero-day to get past SmartScreen warnings rather than relying on the user to click through them.
DarkGate is used mainly to steal sensitive information and download further payloads, while NetSupport RAT is a legitimate remote administration tool that the attackers repurpose for unauthorized remote access. Together, these campaigns show adversaries combining social engineering with vulnerability exploitation in a single delivery chain.
Defenders should map the behaviors described here to the MITRE ATT&CK tactics they actually exercise: Initial Access (phishing attachments and compromised websites), Execution (user-enabled macros), Defense Evasion (self-termination when security tools are present, SmartScreen bypass), and Command and Control (lookalike government domains and Telegram channels). Blocking macros from internet-sourced documents, alerting on security-tool enumeration, and monitoring DNS for lookalike domains address the specific steps these campaigns depend on.