New direction of the Nim language: spreading a backdoor for espionage

Brother

The language's properties let the malware blend into the system and make itself at home.

A new phishing campaign uses decoy documents in Word format to deliver malware written in the Nim programming language. Netskope stresses that malware written in unusual languages is harder for security analysts to handle, because they have far less experience with it.

In recent years, there has been an increase in interest in Nim among attackers who either create new tools from scratch in this language, or migrate existing versions of their malware. Examples include loaders such as NimzaLoader, Nimbda, IceXLoader, and the Dark Power and Kanti ransomware families.

The detected attack begins with a phishing email carrying a Word document as an attachment; the document delivers a backdoor named "conhost.exe". The malware is written in Nim and was probably compiled on September 20, 2023. When opened, the document prompts the user to enable macros, which activates the malware. The sender of the email poses as an official representative of the Nepalese government.

Image: Malicious document suggests enabling macros

Once launched, the malware scans active processes to detect the presence of analysis tools on the infected host and immediately shuts down if it detects them. Otherwise, it communicates with a remote server masquerading as a Nepalese government domain, including the domain of the National Information Technology Center (NITC), and waits for further instructions.

It is noteworthy that the backdoor runs with the privileges of the currently logged-in user. If the malware goes undetected, the attackers gain remote access to the device.
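The two delivery traits the article describes, a payload that borrows the name "conhost.exe" and a Word document whose macros launch it, can both be hunted for in process-creation telemetry. The following script is an added illustration, not code from the article or from Netskope: it flags a process named conhost.exe that does not run from a Windows system directory, and any process spawned by an Office application. The events are constructed in a Sysmon-like shape; the field names (Image, ParentImage, User), the paths and the user names are assumptions, not values from the report.

```python
"""Hunt for a backdoor masquerading as conhost.exe in process-creation events.

Added illustration, not code from the article or from Netskope. The sample
events are constructed in a Sysmon-like shape; field names and paths are
assumptions rather than values taken from the report.
"""
import ntpath
from typing import Dict, List, Tuple

# Directories where the genuine Windows console host lives
# (assumption: default installation paths).
LEGIT_CONHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Office binaries whose macros are the delivery vector described in the article.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # genuine console host started by cmd.exe: benign
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": "CORP\\alice",
    },
    {  # look-alike conhost.exe dropped in a temp folder and launched by Word
        "Image": r"C:\Users\alice\AppData\Local\Temp\conhost.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "User": "CORP\\alice",
    },
    {  # real console host, but spawned by Word: a macro ran a console command
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "User": "CORP\\alice",
    },
    {  # 32-bit console host from SysWOW64: benign
        "Image": r"C:\Windows\SysWOW64\conhost.exe",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
        "User": "CORP\\bob",
    },
]


def flag_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event is suspicious; an empty list means clean.

    Check 1: a process named conhost.exe whose image is outside the system
             directories (the backdoor borrows the name, not the location).
    Check 2: any process whose parent is an Office application, which is how a
             macro-enabled decoy document would launch its payload.
    ntpath is used so the Windows paths parse the same way on any host OS.
    """
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    parent_name = ntpath.basename(parent).lower()

    reasons: List[str] = []
    if name == "conhost.exe" and directory not in LEGIT_CONHOST_DIRS:
        reasons.append(f"conhost.exe running from non-system path: {image}")
    if parent_name in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application: {parent_name}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, reasons) for every event that trips a check."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, event in enumerate(events):
        reasons = flag_event(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev['User']}: {ev['Image']} <- {ev['ParentImage']}")
        for reason in reasons:
            print("    -", reason)
```

Run on the constructed sample, only the second and third events are reported: the temp-folder "conhost.exe" trips both checks, and the genuine console host launched by WINWORD.EXE trips the parent check alone. Since the article notes the backdoor runs with the logged-in user's privileges, the User field is carried through so an analyst can see whose session the macro ran in.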

The researchers noted that Nim is a statically typed, compiled programming language. Beyond its familiar syntax, its cross-compilation features allow attackers to write a single version of their malware for several platforms.