The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly targeted spear-phishing emails. The loader has its own separate string-decryption methods and hashing algorithm techniques.
“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” researchers said.
TA800 is an affiliate distributor of TrickBot and BazaLoader. The campaign was spotted targeting about 100 organizations across approximately 50 verticals, and evidence suggests the loader is being used to download and execute the Cobalt Strike commodity malware as its secondary payload.
The Email Spear-Phishing Campaign
Researchers first observed the NimzaLoader campaigns in the form of emails with “personalized details” for victims, including their names and company names.
The messages purport to come from a coworker, saying he is “late” driving into the office and asking the email recipient to check over a presentation. The message contains a link that purports to lead to a PDF preview.
If the email recipient clicks on the link, they are redirected to a landing page hosted on email marketing service GetResponse. That page links to the “PDF” and tells the victim to “save to preview.” This link in turn actually takes the victim to the NimzaLoader executable.
NimzaLoader Malware Executable
NimzaLoader is developed using Nim. Most of the malware’s strings are encrypted with an XOR-based algorithm, using a separate key for each string. One encrypted string contains a timestamp that is used to set an expiration date for the malware.
Most of the other strings contain command names. These commands include the ability to execute powershell.exe and to inject shellcode into a process as a thread. While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.
“We are unable to validate or confirm this finding, but it does align with past TA800 tactics, techniques and procedures (TTPs),” they said.
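As an added illustration of the string scheme described above (example code, not from the article or from the researchers’ report), the following Python decodes a constructed table of per-string XOR-encrypted records and evaluates the embedded expiry timestamp; the record layout, the one-byte keys and the decimal Unix-epoch timestamp format are assumptions, since the article does not give the real layout.

```python
"""Added example, not code from the article or from the researchers it cites.
It models the string scheme the article describes: every string XOR-encrypted
under its own key, one of them a timestamp that sets the loader's expiry. The
record layout (key byte, length byte, ciphertext), one-byte keys and the
decimal Unix-epoch timestamp are assumptions chosen for illustration."""
from datetime import datetime, timezone
from typing import List, Optional

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the one-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def parse_string_table(table: bytes) -> List[str]:
    """Walk the assumed [key][len][ciphertext] records and decrypt each string.
    Raises ValueError on a truncated record instead of returning junk."""
    strings, pos = [], 0
    while pos < len(table):
        if pos + 2 > len(table):
            raise ValueError(f"truncated record header at offset {pos}")
        key, length = table[pos], table[pos + 1]
        body = table[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {pos + 2}")
        strings.append(xor_bytes(body, key).decode("ascii"))
        pos += 2 + length
    return strings

def find_expiry(strings: List[str]) -> Optional[int]:
    """Pick out the timestamp string (assumed: a 10-digit decimal Unix epoch)."""
    for s in strings:
        if s.isdigit() and len(s) == 10:
            return int(s)
    return None

def expiry_utc(epoch: int) -> str:
    """Render the epoch for a report, e.g. '2021-04-01T00:00:00+00:00'."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()

def loader_active(table: bytes, now_epoch: int) -> bool:
    """True while now is before the embedded expiry (or no expiry is found)."""
    expiry = find_expiry(parse_string_table(table))
    return expiry is None or now_epoch < expiry

def build_record(text: str, key: int) -> bytes:
    """Used only to construct sample input; real records would be carved from a sample."""
    body = text.encode("ascii")
    return bytes([key, len(body)]) + xor_bytes(body, key)

# Constructed sample table: two command names and an epoch (2021-04-01T00:00:00Z).
SAMPLE_TABLE = build_record("powershell.exe", 0x5A) + build_record("inject", 0x33) + build_record("1617235200", 0x7C)
```

An analyst would swap the assumed record walker for the layout recovered from disassembly; the expiry check is the part worth keeping, since a sample past its timestamp may refuse to run in a sandbox.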
Future of NimzaLoader
Researchers linked NimzaLoader back to TA800, a threat group that has targeted a wide range of industries in North America, infecting victims with banking trojans and malware loaders.
TA800’s previous campaigns have often included malicious emails with recipients’ names, titles and employers, along with phishing pages designed to look like the targeted company. Researchers noted that the malware shows TA800 continuing to integrate different tactics into their campaigns.
“…NimzaLoader is just a blip on the radar for TA800 and the wider threat landscape, or if NimzaLoader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption,” researchers said.