
NimzaLoader Malware


Summary

NimzaLoader is a loader trojan written in the Nim programming language used by the threat group known as TA800.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First discovered in February 2021, NimzaLoader is a Nim-based variant of the older BazarLoader malware. At the time of publication it is being deployed by the TA800 threat group, although there is no indication that TA800 is working in conjunction with BazarLoader's creators.


Delivery

NimzaLoader is distributed in spear phishing campaigns whose emails contain links (in some cases shortened) that purport to lead to PDF documents. Clicking a link takes the user to a malicious landing page containing a second link, again presented as the PDF. That second link instead delivers a NimzaLoader executable that uses an Adobe Acrobat icon to pass as a PDF.


Activities

NimzaLoader stores its command names as encrypted strings that are decrypted at runtime; the command and control server later issues these commands by name. One command sets an expiration date after which the malware stops running, another can be used later to update that expiration date, and others run powershell.exe or inject shellcode into a process and execute it as a new thread.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

URLs

http://centralbancshares[.]com

http://gariloy[.]com

http://liqui-technik[.]com

Host indicators

SHA256 hashes

  • 540c91d46a1aa2bb306f9cc15b93bdab6c4784047d64b95561cf2759368d3d1d
  • 52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b
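As an added illustration (not part of this advisory and not NHS Digital tooling), the script below refangs the indicators listed above and checks them against a constructed sample of proxy log lines and a sha256sum-style file inventory. Only the indicator values come from this page; the log format, client addresses, timestamps and file paths are assumptions made for the example. Domain matching deliberately accepts subdomains of an indicator domain but rejects lookalike names that merely end in the same characters.

```python
"""
Added example (not part of the NHS Digital advisory): scan proxy logs and a
file-hash inventory for the NimzaLoader indicators published on this page.

The IOC values are the ones listed in the advisory; the log lines and the
hash inventory below are constructed sample data for the demonstration.
"""
import re
from urllib.parse import urlparse

# Defanged indicators exactly as published on the page.
DEFANGED_URLS = [
    "http://centralbancshares[.]com",
    "http://gariloy[.]com",
    "http://liqui-technik[.]com",
]
SHA256_IOCS = {
    "540c91d46a1aa2bb306f9cc15b93bdab6c4784047d64b95561cf2759368d3d1d",
    "52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ioc_domains() -> set:
    """Lower-cased hostnames extracted from the refanged URL indicators."""
    return {urlparse(refang(u)).hostname.lower() for u in DEFANGED_URLS}


def host_matches(host: str, domains: set) -> bool:
    """True for the IOC domain itself or any subdomain of it; a lookalike
    such as notcentralbancshares.com must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample log (assumed format): timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2021-03-12T09:14:02Z 10.20.30.41 GET http://www.example.org/index.html
2021-03-12T09:15:10Z 10.20.30.41 GET http://gariloy.com/document.pdf
2021-03-12T09:15:11Z 10.20.30.41 GET http://cdn.liqui-technik.com/Adobe_Reader.exe
2021-03-12T09:16:00Z 10.20.30.52 GET http://notcentralbancshares.com/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def scan_proxy_log(text: str) -> list:
    """Return (timestamp, client, url) for each request to an IOC domain."""
    domains = ioc_domains()
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        host = urlparse(m["url"]).hostname
        if host and host_matches(host, domains):
            hits.append((m["ts"], m["client"], m["url"]))
    return hits


# Constructed sample inventory in sha256sum output form: "<sha256>  <path>".
SAMPLE_HASHES = """\
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  /opt/tools/bin/ok
52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b  C:/Users/jdoe/Downloads/Document.exe
"""


def scan_hashes(text: str) -> list:
    """Return (sha256, path) for every inventory entry whose hash is an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in SHA256_IOCS:
            hits.append((parts[0].lower(), parts[1]))
    return hits


if __name__ == "__main__":
    for ts, client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[network] {ts} {client} -> {url}")
    for digest, path in scan_hashes(SAMPLE_HASHES):
        print(f"[host] {path} matches {digest}")
```

To use it against real data, replace the two constructed samples with the contents of your proxy logs (adjusting `LINE_RE` to your log format) and a `sha256sum -r`-style listing of the files you want to check; hash matching alone will miss recompiled samples, so treat the network indicators as the more durable of the two.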

Last edited: 18 March 2021 4:42 pm