Nim-Based Malware Delivered via Phishing Campaign Using Decoy Microsoft Word Documents

December 22, 2023

A new phishing campaign is exploiting the security community's relative unfamiliarity with the Nim programming language to deliver a backdoor. Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara highlighted the analysis challenge posed by malware written in less common languages, for which fewer analysts, tools and signatures exist.

The campaign uses a phishing email carrying a Word document attachment that urges the recipient to enable macros; the macro then launches the Nim malware. The sender impersonates a Nepali government official.

Once running, the malware checks the infected host for known analysis tools. If it finds any, it terminates itself; otherwise it connects to a remote command-and-control server whose domain mimics that of a Nepali government entity.
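The anti-analysis check described above, as an added example that is not the sample's own code (the article does not show it, nor the list of tool names it looks for). The tool list, the process snapshots and the `tasklist` CSV output below are constructed for illustration; the matching is done on the lower-cased image basename, which is how such checks are typically written.

```python
"""Anti-analysis process check of the kind described in the article.

Added example, not code from the Nim sample. The tool names and process
snapshots are constructed; the real sample's list is not given in the article.
"""
import csv
import io
import ntpath

# Hypothetical set of analysis/sandbox tool image names (assumption, not the
# sample's actual list). Kept lower-case so matching is case-insensitive.
ANALYSIS_TOOLS = {
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "windbg.exe", "ida.exe",
    "ida64.exe", "procmon.exe", "procexp.exe", "wireshark.exe",
    "fiddler.exe", "processhacker.exe", "pestudio.exe",
}


def normalize_image(name):
    """Lower-cased basename, so 'C:\\Tools\\X64DBG.EXE' matches 'x64dbg.exe'."""
    return ntpath.basename(name.strip()).lower()


def find_analysis_tools(running_images, tool_names=ANALYSIS_TOOLS):
    """Sorted, de-duplicated names of analysis tools present in running_images."""
    seen = {normalize_image(p) for p in running_images}
    return sorted(seen & {t.lower() for t in tool_names})


def should_abort(running_images, tool_names=ANALYSIS_TOOLS):
    """The malware's decision: exit if any analysis tool is running."""
    return bool(find_analysis_tools(running_images, tool_names))


def images_from_tasklist_csv(csv_text):
    """Parse the output of `tasklist /FO CSV` into a list of image names."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["Image Name"] for row in reader]


# Constructed process snapshots (not real telemetry).
CLEAN_HOST = ["System", "smss.exe", "csrss.exe", "explorer.exe",
              "WINWORD.EXE", "OneDrive.exe"]
ANALYST_HOST = CLEAN_HOST + [r"C:\Tools\x64dbg\release\x64\X64DBG.EXE",
                             "Procmon.exe"]

# Constructed `tasklist /FO CSV` output in the format Windows emits.
SAMPLE_TASKLIST_CSV = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System Idle Process","0","Services","0","8 K"\n'
    '"explorer.exe","4412","Console","1","92,104 K"\n'
    '"Wireshark.exe","7120","Console","1","310,556 K"\n'
)

if __name__ == "__main__":
    for label, procs in (("clean", CLEAN_HOST), ("analyst", ANALYST_HOST),
                         ("tasklist", images_from_tasklist_csv(SAMPLE_TASKLIST_CSV))):
        verdict = "abort" if should_abort(procs) else "continue"
        print(f"{label}: {find_analysis_tools(procs)} -> {verdict}")
```

On a live Windows host the snapshot would come from `subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout`, which is what `images_from_tasklist_csv` parses. Because the check keys only on the image name, analysts routinely defeat it by renaming tool binaries or by running the sample under a sandbox that hides the analyst's processes; that is also why a sample that exits immediately with no network activity deserves a second look rather than a "benign" verdict.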

The article also discusses a social engineering campaign uncovered by Cyble that uses direct messages on social media platforms to deliver a Python-based stealer, Editbot Stealer. The malware harvests data from the victim's machine and exfiltrates it through a Telegram channel controlled by the actor.

The article goes on to mention known malware families such as DarkGate and NetSupport RAT being distributed through phishing campaigns. DarkGate steals information and downloads additional payloads, while NetSupport RAT, originally a legitimate remote administration tool, has been repurposed by malicious actors to gain persistent remote control of compromised systems.

The article also mentions an attack sequence identified in early October 2023 that chained two traffic distribution systems (TDSs), 404 TDS and Keitaro TDS, to filter and redirect victims to an actor-operated domain hosting a payload that exploited CVE-2023-36025, a high-severity Windows SmartScreen security feature bypass that Microsoft patched in November 2023. This suggests that the activity cluster tracked as BattleRoyal was using the vulnerability as a zero-day roughly a month before it was publicly disclosed and fixed.
