Risk of Malware: Fictitious Word Documents Used to Disseminate Nim Threat

A new threat lurks behind seemingly innocent Word documents. A group of attackers used this everyday software, opened by millions of users daily, to spread malware through a phishing campaign.

The threat is a backdoor written in the Nim programming language, still uncommon in malware and, for that reason, unfamiliar to many analysts. Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara noted that lesser-known programming languages pose a challenge for the security community precisely because that lack of familiarity slows down investigations.

Nim-based malware, still a rarity in the threat landscape, has recently been identified across several campaigns. Attackers are either writing new custom tools in the language or porting existing malware to it.

Instances include NimzaLoader, Nimbda, IceXLoader, and ransomware families like Dark Power and Kanti, showcasing how this language has been used for malevolent purposes.

The attack chain identified by Netskope starts with a phishing email carrying a Word document attachment. Once opened, the document prompts the recipient to enable macros; the macro then launches the Nim backdoor. The sender poses as a Nepali government official to lend the message credibility.
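One gateway-side check a defender can apply to attachments of this kind, as an added example that is not code from the Netskope report or the article: OOXML documents (.docx/.docm) are zip packages, and a VBA project is stored as a `vbaProject.bin` part with a fixed content type, so its presence is enough to flag a macro-carrying attachment before any user is asked to "enable content". The sample packages are constructed in memory, and the function names are this example's own.

```python
import io
import zipfile

# OOXML parts that hold a VBA project (Word, Excel, PowerPoint packages)
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Content type Office assigns to a VBA project part in [Content_Types].xml
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macros(data: bytes) -> bool:
    """Return True if an OOXML package (docx/docm/xlsm/pptm) carries a VBA project.

    Raises ValueError for inputs this check cannot judge: legacy OLE2 files
    (use oletools' olevba for those) and anything that is not a zip package.
    """
    if data.startswith(OLE2_MAGIC):
        raise ValueError("legacy OLE2 document: inspect with olevba instead")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
            # Direct evidence: the binary VBA project part is present
            if names & VBA_PARTS:
                return True
            # Indirect evidence: the package declares a VBA part under another path
            if "[Content_Types].xml" in names:
                types_xml = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    return True
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML zip package") from exc
    return False


def build_sample_package(with_macro: bool) -> bytes:
    """Build a minimal constructed Word package in memory (not a real attachment)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f"{overrides}</Types>",
        )
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (OLE2 header only)
            pkg.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample_package(False)),
                        ("invoice.docm", build_sample_package(True))):
        verdict = "QUARANTINE" if has_vba_macros(blob) else "pass"
        print(f"{label}: {verdict}")
```

The check deliberately refuses legacy binary .doc files rather than guessing: VBA in the OLE2 format lives in a compressed stream that needs a real parser such as olevba, and a gateway that silently returns "no macros" for a format it cannot read is worse than one that quarantines it for manual review.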

Once running, the backdoor enumerates processes on the infected machine looking for analysis tools. If it finds one, it terminates itself.

Otherwise, it connects to a remote server whose domain imitates Nepalese government domains, including that of the National Information Technology Center (NITC), and waits for instructions. At the time of the report the command-and-control (C2) servers were no longer reachable:

mail[.]mofa[.]govnp[.]org
nitc[.]govnp[.]org
mx1[.]nepal[.]govnp[.]org
dns[.]govnp[.]org
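Refanging those indicators and sweeping resolver logs for them, as an added example (not code from Netskope or the article): the defanged C2 domains above are converted back to hostnames, and every query in a batch of constructed DNS log lines is matched either exactly or as a subdomain of a listed indicator. The log line format, client addresses and the `beacon.` label are assumptions made for this example.

```python
import re
from typing import Iterable, List, Tuple

# C2 domains as published (defanged) in the Netskope findings quoted above
REPORTED_IOCS = [
    "mail[.]mofa[.]govnp[.]org",
    "nitc[.]govnp[.]org",
    "mx1[.]nepal[.]govnp[.]org",
    "dns[.]govnp[.]org",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator (nitc[.]govnp[.]org, hxxp://...) to a plain hostname."""
    host = ioc.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)             # hxxp:// -> drop scheme
    host = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", host)  # [.] (.) {.} -> .
    host = host.split("/", 1)[0]                       # drop any path component
    return host.rstrip(".")


def is_hit(queried: str, iocs: Iterable[str]) -> bool:
    """True if the queried name equals an IOC or sits beneath it (e.g. beacon.dns.govnp.org)."""
    name = queried.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)


# Resolver log format assumed for this example: "... client=<ip> query=<name> type=<rr>"
LOG_FIELDS = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def sweep(log_lines: Iterable[str], defanged_iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, queried_name) pairs whose query matches a refanged IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_lines:
        m = LOG_FIELDS.search(line)
        if m and is_hit(m["query"], iocs):
            hits.append((m["client"], m["query"].lower().rstrip(".")))
    return hits


# Constructed sample log lines; addresses and the beacon. label are made up for this example
SAMPLE_LOG = [
    "2023-12-20T09:58:44Z client=10.0.0.5 query=nitc.gov.np type=A",            # genuine Nepali TLD, not an IOC
    "2023-12-20T10:00:01Z client=10.0.0.5 query=NITC.GOVNP.ORG type=A",         # hit: case differs
    "2023-12-20T10:00:02Z client=10.0.0.9 query=mail.mofa.govnp.org. type=MX",  # hit: trailing dot
    "2023-12-20T10:00:03Z client=10.0.0.7 query=update.microsoft.com type=A",   # benign
    "2023-12-20T10:00:04Z client=10.0.0.7 query=beacon.dns.govnp.org type=A",   # hit: subdomain of an IOC
    "2023-12-20T10:00:05Z client=10.0.0.8 query=govnp.org.example type=A",      # lookalike, not beneath an IOC
]

if __name__ == "__main__":
    for client, name in sweep(SAMPLE_LOG, REPORTED_IOCS):
        print(f"C2 lookup from {client}: {name}")
```

Matching on the suffix rather than the exact string matters here: an operator who controls `dns[.]govnp[.]org` can point any label beneath it at the same server, and all four published indicators sit under the single registered domain `govnp.org`, so a blocklist built from exact strings only is easy to sidestep.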

According to the researchers, Nim's static compilation lets attackers maintain a single malware code base and build it for different platforms, broadening the reach of an attack.

This revelation accompanies Cyble’s discovery of a social engineering campaign leveraging social media messages to distribute a new Python-based data-stealing malware called Editbot Stealer. This malware is designed to pilfer and transfer valuable data through a Telegram channel controlled by the attackers.

Although threat actors are experimenting with new malware strains, observed phishing campaigns continue to distribute known malware such as DarkGate and NetSupport RAT, both through email and through compromised sites that serve fake browser update prompts (a technique tracked as RogueRaticate).

Supporting this, enterprise security firm Proofpoint identified multiple campaigns employing DarkGate between September and November 2023, before transitioning to NetSupport RAT earlier this month.

A noteworthy attack chain identified in early October 2023 used two traffic distribution systems (TDS), 404 TDS and Keitaro TDS, to filter and redirect victims to a payload that exploited a high-severity Windows SmartScreen security bypass (CVE-2023-36025), which Microsoft patched in November 2023.

This highlights how the attacker weaponized this vulnerability as a zero-day a month before it was publicly disclosed by the tech giant.

DarkGate aims to steal information and download further malware, while NetSupport RAT, initially a legitimate remote administration tool, has evolved into a powerful weapon used by malicious actors to infiltrate systems and establish unrestricted remote control.

Proofpoint experts emphasized how threat actors are utilizing increasingly creative attack chains, including various TDS tools, to facilitate malware distribution. Moreover, using both email and fake update requests showcases the actor’s use of multiple social engineering techniques to persuade users to install the final payload.

DarkGate has also been used by other threat actors like TA571 and TA577, known for disseminating various malware, including AsyncRAT, NetSupport, IcedID, PikaBot, and QakBot (aka Qbot).

Selena Larson, senior threat intelligence analyst at Proofpoint, confirmed that TA577, one of the most active Qbot distributors, used DarkGate to deliver malware via email in September and has since been observed distributing PikaBot in campaigns involving tens of thousands of messages, demonstrating the widespread impact of such attacks.

This emerging trend underscores the need for constant vigilance and advanced defense strategies to safeguard networks against increasingly sophisticated and widespread cyber threats.

News source

Last modified: 2023-12-22T18:50:32+01:00 by puma1973a