Decoy Microsoft Word documents are being used as bait in a new malware campaign that delivers a backdoor written in the Nim programming language. Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said, “Malware written in uncommon language syntax puts the security community at a disadvantage, as researchers’ and reverse engineers’ unfamiliarity can hamper their investigation.”
Nim-based malware has historically been rare in the threat landscape, but in recent years, attackers have been using the language to either port already-existing versions of their malicious programs to Nim or create entirely new custom tools.
This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti.
Once launched, the implant enumerates the running processes to look for known analysis tools on the compromised host and terminates immediately if it finds any.
Otherwise, the backdoor connects to a remote server impersonating a Nepali government domain, such as that of the National Information Technology Center (NITC), and waits for further instructions. The command-and-control (C2) servers are currently unreachable; the domains observed were:
- mail[.]mofa[.]govnp[.]org
- nitc[.]govnp[.]org
- mx1[.]nepal[.]govnp[.]org
- dns[.]govnp[.]org
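A defender-side check built from the indicators above, added here as an example and not code from the article or from Netskope: it refangs the listed domains and scans DNS query logs for queries that either match them exactly or imitate the legitimate gov.np suffix (assumed here to be the Nepali government namespace) by collapsing its dot into one label. The log format and log lines are constructed.

```python
import re

# Defanged C2 indicators exactly as listed in the article.
DEFANGED_C2 = [
    "mail[.]mofa[.]govnp[.]org",
    "nitc[.]govnp[.]org",
    "mx1[.]nepal[.]govnp[.]org",
    "dns[.]govnp[.]org",
]

# Assumption: genuine Nepali government hosts sit under this suffix.
LEGIT_SUFFIX = "gov.np"


def refang(indicator):
    """Turn 'a[.]b' into 'a.b' so it can be compared against live log data."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}


def squatted_suffix(qname):
    """Return the lookalike label if qname imitates LEGIT_SUFFIX with its dot dropped
    (e.g. 'govnp' in nitc.govnp.org); None for the real suffix or unrelated names."""
    qname = qname.lower().rstrip(".")
    if qname == LEGIT_SUFFIX or qname.endswith("." + LEGIT_SUFFIX):
        return None  # genuine government domain
    collapsed = LEGIT_SUFFIX.replace(".", "")
    return next((lbl for lbl in qname.split(".") if lbl == collapsed), None)


def classify(qname):
    q = qname.lower().rstrip(".")
    if q in C2_DOMAINS:
        return "known-c2"
    if squatted_suffix(q):
        return "suspicious-lookalike"
    return "benign"


# Constructed sample DNS log (not real traffic): timestamp, client IP, queried name.
SAMPLE_LOG = """\
2023-12-01T10:00:01Z 10.0.0.5 nitc.govnp.org
2023-12-01T10:00:02Z 10.0.0.5 nitc.gov.np
2023-12-01T10:00:03Z 10.0.0.7 update.microsoft.com
2023-12-01T10:00:04Z 10.0.0.9 portal.govnp.org
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(text):
    """Return (client, qname, verdict) for every query that is not benign."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            _ts, client, qname = m.groups()
            verdict = classify(qname)
            if verdict != "benign":
                hits.append((client, qname, verdict))
    return hits
```

The lookalike heuristic is deliberately narrow (one collapsed-dot pattern for one suffix); extend LEGIT_SUFFIX handling to a list of protected suffixes before using it across an organisation's logs.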
“Nim is a statically typed compiled programming language,” the researchers said. “Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different platforms.”
The disclosure comes as Cyble revealed a social engineering campaign that leverages messages on social media platforms to deliver a new Python-based stealer malware called Editbot Stealer that’s designed to harvest and exfiltrate valuable data via an actor-controlled Telegram channel.
Phishing campaigns have also been seen distributing known malware, such as DarkGate and NetSupport RAT, via email and via compromised websites serving fake update lures (aka RogueRaticate), notably from a cluster tracked as BattleRoyal. This is happening alongside threat actors’ experiments with new strains of malware.
Enterprise security company Proofpoint said it observed at least 20 campaigns that used DarkGate malware between September and November 2023, before the actor switched to NetSupport RAT earlier this month.
One attack sequence identified in early October 2023 particularly stands out for chaining two traffic delivery systems (TDSs) – 404 TDS and Keitaro TDS – to filter and redirect victims meeting their criteria to an actor-operated domain hosting a payload that exploited CVE-2023-36025 (CVSS score: 8.8), a high-severity Windows SmartScreen security bypass that was addressed by Microsoft in November 2023.
This implies BattleRoyal weaponized this vulnerability as a zero-day a month before it was publicly revealed by the tech giant.
DarkGate is designed to steal information and download additional malware payloads, while NetSupport RAT, which started off as a bona fide remote administration tool, has metamorphosed into a potent weapon wielded by malevolent actors to infiltrate systems and establish unfettered remote control.
“Cybercriminal threat actors [are] adopting new, varied, and increasingly creative attack chains – including the use of various TDS tools – to enable malware delivery,” Proofpoint said.
“Additionally, the use of both email and fake update lures shows the actor using multiple types of social engineering techniques in an attempt to get users to install the final payload.”
DarkGate has also been put to use by other threat actors like TA571 and TA577, both of which are known to disseminate a variety of malware, including AsyncRAT, NetSupport RAT, IcedID, PikaBot, and QakBot (aka Qbot).
“TA577, for example, one of the most prominent Qbot distributors, returned to email threat data in September to deliver DarkGate malware and has since been observed delivering PikaBot in campaigns that typically have tens of thousands of messages,” Selena Larson, senior threat intelligence analyst at Proofpoint, told The Hacker News.