Nim-Based Backdoor Uncovered in Phishing Campaign as Threat Landscape Continues to Evolve


Security researchers at Netskope have identified a new phishing campaign deploying decoy Microsoft Word documents as a lure to deliver a backdoor written in the Nim programming language. Ghanashyam Satpathy and Jan Michael Alcantara from Netskope note that malware written in less common programming languages poses challenges for the security community, as researchers and reverse engineers may be less familiar with them, hindering effective investigation.

While Nim-based malware has been a rarity, the landscape has been slowly changing as attackers either develop custom tools from scratch using Nim or port existing versions of their malicious programs to this language. Examples include loaders like NimzaLoader, Nimbda, IceXLoader, and ransomware families such as Dark Power and Kanti.

The phishing attack documented by Netskope initiates with an email containing a Word document attachment. Upon opening the document, the recipient is prompted to enable macros, leading to the deployment of the Nim malware. The attacker disguises themselves as a Nepali government official, adding a layer of social engineering to the campaign.

The Nim malware, once activated, conducts a series of actions, including enumerating running processes to identify analysis tools on the infected host. If such tools are found, the malware terminates itself. Otherwise, the backdoor establishes connections with a remote server mimicking a government domain from Nepal, such as the National Information Technology Center (NITC), awaiting further instructions. Notably, the command-and-control (C2) servers provided in the report are no longer accessible.
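The two observable behaviours in that chain, an Office application launching a shell or script host from a macro and a beacon to a host that imitates a government domain, are the kind of thing a defender can triage from endpoint telemetry. The following is an added example, not Netskope's detection logic: it runs simple heuristics over constructed process and network events, and assumes nitc.gov.np as the legitimate NITC zone.

```python
import re
from dataclasses import dataclass
from typing import Iterable

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and LOLBins a benign document rarely launches (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Brand label to protect -> real zone; nitc.gov.np is an assumed value for NITC.
PROTECTED = {"nitc": "gov.np"}


@dataclass
class Event:
    kind: str          # "process" or "network"
    parent: str = ""   # parent image path (process events)
    image: str = ""    # image path of the acting process
    dest: str = ""     # destination hostname (network events)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_interpreter(ev: Event) -> bool:
    """Word/Excel/PowerPoint launching a shell or script host: the macro stage."""
    return (ev.kind == "process" and basename(ev.parent) in OFFICE_APPS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def lookalike_domain(host: str) -> bool:
    """Host uses a protected label (e.g. 'nitc') but is not under the real zone."""
    h = host.lower().rstrip(".")
    labels = re.split(r"[.-]", h)
    for label, zone in PROTECTED.items():
        in_zone = h == zone or h.endswith("." + zone)
        if label in labels and not in_zone:
            return True
    return False


def triage(events: Iterable[Event]) -> list[str]:
    findings = []
    for ev in events:
        if office_spawned_interpreter(ev):
            findings.append(f"office-child: {basename(ev.parent)} -> {basename(ev.image)}")
        elif ev.kind == "network" and lookalike_domain(ev.dest):
            findings.append(f"lookalike-c2: {basename(ev.image)} -> {ev.dest}")
    return findings


# Constructed sample telemetry; these are not indicators from the report.
SAMPLE = [
    Event("process", parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          image=r"C:\Windows\System32\cmd.exe"),
    Event("process", parent=r"C:\Windows\explorer.exe", image=r"C:\Windows\System32\cmd.exe"),
    Event("network", image=r"C:\Users\u\AppData\Local\Temp\update.exe", dest="mail.nitc-gov.example"),
    Event("network", image=r"C:\Program Files\Mozilla Firefox\firefox.exe", dest="nitc.gov.np"),
]
```

Running `triage(SAMPLE)` flags only the Word-spawned cmd.exe and the beacon to the look-alike host; the explorer-launched shell and the connection to the real zone pass.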

“Nim is a statically typed compiled programming language,” explain the researchers. “Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different platforms.”

In a parallel development, cybersecurity firm Cyble revealed a social engineering campaign using social media messages to distribute a new Python-based stealer malware called Editbot Stealer. This malware is designed to harvest and exfiltrate valuable data through an actor-controlled Telegram channel.

As the threat landscape evolves, phishing campaigns persist in distributing known malware strains, such as DarkGate and NetSupport RAT, via email and compromised websites using fake update lures, also known as RogueRaticate. Proofpoint, an enterprise security firm, identified at least 20 campaigns using DarkGate malware between September and November 2023, transitioning to NetSupport RAT in the subsequent month.

Of particular note is an attack sequence identified in early October 2023, which involved chaining two traffic delivery systems (TDSs) – 404 TDS and Keitaro TDS – to filter and redirect victims meeting specific criteria. The victims were directed to an actor-operated domain hosting a payload that exploited CVE-2023-36025, a high-severity Windows SmartScreen security bypass addressed by Microsoft in November 2023. This implies that the activity cluster Proofpoint tracks as BattleRoyal weaponized this vulnerability as a zero-day a month before its public disclosure by Microsoft.

The malware DarkGate is designed for information theft and downloading additional payloads, while NetSupport RAT, originally a remote administration tool, has transformed into a potent weapon for malicious actors seeking unfettered remote control. Threat actors continue to adopt diverse and creative attack chains, using various TDS tools and employing multiple social engineering techniques to deliver their final payloads, as observed by Proofpoint.

DarkGate has also been utilized by other threat actors, including TA571 and TA577, known for disseminating various malware, such as AsyncRAT, NetSupport, IcedID, PikaBot, and QakBot (aka Qbot), showcasing the adaptability and versatility of these cybercriminals.
