Decoy Microsoft Word Documents Deploy Nim-Based Malware in Targeted Phishing Campaign
In a recent phishing campaign, threat actors have adopted a tactic of employing decoy Microsoft Word documents to propagate a backdoor malware written in the Nim programming language. Nim-based malware is a relatively uncommon occurrence, and its usage poses challenges for the security community due to the unfamiliarity of researchers and reverse engineers with the language.
The attack unfolds with a phishing email featuring an attached Word document. Upon opening the document, the recipient is prompted to enable macros, triggering the deployment of the Nim-based malware. The sender of the email disguises themselves as a Nepali government official.
Upon execution, the malware enumerates running processes on the infected host to identify the presence of known analysis tools. If such tools are detected, the malware terminates itself. If not, the backdoor establishes connections with a remote server mimicking a government domain from Nepal, including the National Information Technology Center (NITC), awaiting further instructions. The command-and-control (C2) servers utilized in the attack are as follows:
“Nim is a statically typed compiled programming language,” note researchers from Netskope. “Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different platforms.”
This disclosure aligns with a broader trend where threat actors explore the utilization of new malware strains. In a separate revelation, a social engineering campaign was uncovered, deploying messages on social media platforms to distribute a Python-based stealer malware known as Editbot Stealer. This malware is designed to harvest and exfiltrate valuable data through an actor-controlled Telegram channel.
While new malware strains are emerging, phishing campaigns continue to distribute established threats, including DarkGate and NetSupport RAT, via email and compromised websites using fake update lures (also known as RogueRaticate). This trend is particularly observed in a cluster referred to as BattleRoyal.