Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

December 22, 2023 at 08:00AM

A recent phishing campaign uses decoy Microsoft Word documents to distribute Nim-based malware. The decoy document lures the victim into enabling macros; the resulting backdoor then connects to a remote server whose domain is disguised as a Nepali government entity. This comes amid increased distribution of various malware strains and social engineering campaigns using new tactics.

Key points from the December 22, 2023 report:

1. A new phishing campaign uses decoy Microsoft Word documents to deliver a backdoor written in the Nim programming language. Malware in uncommon languages poses a challenge to security researchers and reverse engineers because few analysts are familiar with the language and its compiler output.

2. Nim has appeared in malware before: the loaders NimzaLoader, Nimbda, and IceXLoader, and the Dark Power and Kanti ransomware families.

3. The attack chain begins with a phishing email carrying a Word document attachment, which leads to the deployment of the Nim-based malware. The sender impersonates a Nepali government official, a social engineering lure that lends the attachment credibility.

4. The Nim-based backdoor connects to remote servers whose domains mimic Nepali government domains and waits for further instructions. It also checks for known analysis tools and terminates itself if any are found.

5. The malware is cross-compiled to target different platforms. Nim is a statically typed, compiled language, and its cross-compilation support lets a single code base target multiple operating systems.

6. In addition to Nim-based malware, a new Python-based stealer malware called Editbot Stealer has been identified in a social engineering campaign leveraging messages on social media platforms.

7. Phishing campaigns are also distributing known malware such as DarkGate and NetSupport RAT via email and compromised websites with fake update lures.

8. Threat actors have been observed using traffic delivery systems (TDS) in attack chains to filter victims and redirect them to actor-controlled domains. They also exploited a high-severity Windows SmartScreen security bypass vulnerability as a zero-day before Microsoft publicly disclosed it.

9. DarkGate and NetSupport RAT have been weaponized by threat actors to steal information, download additional malware payloads, and establish remote control over infiltrated systems.

10. Various threat actors, including TA571 and TA577, have utilized DarkGate and distributed a variety of malware, such as AsyncRAT, PikaBot, and QakBot.
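Items 3 and 4 describe the two indicators a defender can check for directly: a Word attachment that carries a VBA macro project, and a command-and-control hostname that imitates a Nepali government domain (the legitimate second-level domain is gov.np). The following Python is an added example written for this page, not code from the article or from the campaign; the sample document and the hostnames (all under the reserved .example TLD) are constructed, and the lookalike heuristic is the editor's own.

```python
"""Constructed detection helpers for the two indicators the summary describes.

Editor's example, not from the original article. The OOXML sample is built
in memory and the hostnames are made up for illustration.
"""
import io
import re
import zipfile

# OOXML part name under which Word stores an embedded VBA project.
VBA_PART = "word/vbaProject.bin"

# Nepal's government second-level domain; anything not under it that
# still looks like it is treated as a lookalike.
LEGIT_SUFFIX = ".gov.np"


def has_vba_macros(doc_bytes: bytes) -> bool:
    """Return True if an OOXML Word document contains a VBA project.

    .docx/.docm files are zip containers. A macro project lives in
    word/vbaProject.bin, and renaming .docm to .docx does not remove it,
    so inspect the container instead of trusting the file extension.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return VBA_PART in zf.namelist()
    except zipfile.BadZipFile:
        # Legacy OLE2 .doc or corrupt data is outside this check's scope.
        return False


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stub OLE2 header; a real part would be a full compound file.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


def is_gov_np_lookalike(host: str) -> bool:
    """Flag hosts that imitate *.gov.np without actually being under it.

    Heuristic (editor's assumption): after dropping the public TLD, the
    remaining labels contain a 'gov' token and either an 'np'/'nepal'
    token or a fused 'govnp'/'npgov' token. Hosts genuinely under gov.np
    are never flagged; 'mofa.gov.np.evil.example' is, because the real
    suffix is .example.
    """
    h = host.lower().rstrip(".")
    if h == LEGIT_SUFFIX[1:] or h.endswith(LEGIT_SUFFIX):
        return False
    labels = h.split(".")
    body = ".".join(labels[:-1]) if len(labels) > 1 else h
    tokens = re.split(r"[.-]", body)
    has_gov = any("gov" in t for t in tokens)
    has_np = any(
        t in ("np", "nepal") or "govnp" in t or "npgov" in t for t in tokens
    )
    return has_gov and has_np


if __name__ == "__main__":
    print("macro doc  :", has_vba_macros(make_ooxml(True)))
    print("clean doc  :", has_vba_macros(make_ooxml(False)))
    for host in ("mail.mofa.govnp.example", "www.mofa.gov.np",
                 "mofa.gov.np.evil.example", "snapshot.govt.example"):
        print(f"{host:32s} lookalike={is_gov_np_lookalike(host)}")
```

Run the macro check against attachments at the mail gateway regardless of extension, and the hostname check against outbound DNS or proxy logs; neither replaces sandboxing the document, but both are cheap first-pass filters for the lures this campaign relies on.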

These takeaways highlight the evolving landscape of social engineering, phishing campaigns, and malware distribution tactics employed by threat actors. They also underline the need for stronger defenses against these growing threats.