NimzaLoader – TA800’s New Malware

Researchers have observed a new type of malware called NimzaLoader. One of its distinguishing features is that it is written in the Nim programming language, which malware developers use to evade analysis and detection.

Researchers attribute it to TA800, a threat group that targets many industries in North America, using banking Trojans and malware loaders to infect victims. The group has mainly used BazaLoader since April 2020, but in February 2021 it distributed a new malware called NimzaLoader.

Analysis

Consistent with previous campaigns, this campaign uses personalized details in the lure. In earlier malicious campaigns, TA800 sent emails containing the recipient’s name, job title and employer. The email includes a link in the body of the message, which it claims points to a PDF preview page.


The PDF is actually an executable file hosted by the and uses fake Adobe icons to deceive users.


C2 commands in NimzaLoader:

  • cmd – execute cmd.exe command
  •  – execute powershell.exe command
  • handshake – redo handshake
  • shellcode – inject shellcode into a process as a thread; command arguments are a JSON object containing:
      • sc – hex-encoded and compressed shellcode
      • prog – program to inject shellcode into
  • heartbeat – used to update the expiration date of the malware in memory; command arguments are a JSON object containing:
      • heartbeat – new expiration time
      • sig – used in a signature check with an encrypted string
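For an analyst handling captured C2 traffic, the command schema above can be turned into a small triage helper. The following is an added example, not code from the report or the malware: the command names come from the list above, while the message envelope (`{"command": ..., "args": {...}}`), the use of zlib for the "compressed" shellcode, and all sample values are assumptions constructed for this example.

```python
import binascii
import hashlib
import json
import zlib

# Command names come from the NimzaLoader write-up above. The envelope layout
# ({"command": ..., "args": {...}}) and zlib as the compression scheme for
# "sc" are assumptions made for this example, not facts from the report.
KNOWN_COMMANDS = {"cmd", "handshake", "shellcode", "heartbeat"}


def triage_command(raw: str) -> dict:
    """Summarise one captured C2 command for an analyst; nothing is run."""
    msg = json.loads(raw)
    name = msg.get("command")
    args = msg.get("args") or {}
    summary = {"command": name, "known": name in KNOWN_COMMANDS}
    if name == "shellcode":
        blob = binascii.unhexlify(args["sc"])  # hex layer per the report
        try:
            payload = zlib.decompress(blob)  # compression scheme assumed
            summary["decompressed"] = True
        except zlib.error:
            payload = blob  # keep raw bytes if the real scheme differs
            summary["decompressed"] = False
        summary["target_process"] = args.get("prog")
        summary["payload_size"] = len(payload)
        # Hash for matching against sandbox or AV verdicts, not execution
        summary["payload_sha256"] = hashlib.sha256(payload).hexdigest()
    elif name == "heartbeat":
        summary["new_expiration"] = args.get("heartbeat")
        summary["has_sig"] = "sig" in args
    return summary


# Constructed samples; a harmless placeholder stands in for real shellcode.
SAMPLE_PAYLOAD = b"constructed-placeholder-bytes-not-real-shellcode"
SAMPLE_SHELLCODE_MSG = json.dumps({"command": "shellcode", "args": {
    "sc": binascii.hexlify(zlib.compress(SAMPLE_PAYLOAD)).decode(),
    "prog": "notepad.exe"}})  # target process name is constructed
SAMPLE_HEARTBEAT_MSG = json.dumps({"command": "heartbeat", "args": {
    "heartbeat": "2021-03-01T00:00:00Z", "sig": "deadbeef"}})

if __name__ == "__main__":
    for m in (SAMPLE_SHELLCODE_MSG, SAMPLE_HEARTBEAT_MSG):
        print(json.dumps(triage_command(m), indent=2))
```

The hash and target process from the summary can be matched against sandbox verdicts and process-injection telemetry without ever executing the blob.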

IOCs

centralbancshares.com
gariloy.com
liqui-technik.com