Dec 22, 2023 - 12:46 p.m.
Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

The Hacker News
thehackernews.com
nim-based malware
phishing campaign
microsoft word documents
backdoor
programming language
malware variants
cross-compilation
social engineering
python-based stealer malware

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

78.1%


A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.

“Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers’ unfamiliarity can hamper their investigation,” Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said.

Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it.

This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti.

The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when opened, urges the recipient to enable macros to activate the deployment of the Nim malware. The email sender disguises themselves as a Nepali government official.

Once launched, the implant enumerates running processes to determine whether known analysis tools are present on the infected host, and promptly terminates itself if it finds one.


Otherwise, the backdoor establishes connections with a remote server that mimics a government domain from Nepal, including the National Information Technology Center (NITC), and awaits further instructions. The command-and-control (C2) servers, which are no longer accessible, were:

  • mail[.]mofa[.]govnp[.]org
  • nitc[.]govnp[.]org
  • mx1[.]nepal[.]govnp[.]org
  • dns[.]govnp[.]org
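The four C2 hosts above share one registrable domain (govnp[.]org) that imitates Nepal's legitimate gov.np namespace, which makes them a natural input for a retrospective DNS-log sweep. The following is an added example, not code from the article or from Netskope: it refangs the published indicators, then scans a constructed DNS query log (the log format and every IP address are made up for the example) and flags exact matches as well as any other subdomain of govnp[.]org, on the assumption that the whole apex is actor-controlled. It deliberately leaves the real nitc.gov.np untouched.

```python
import re

# Defanged C2 domains as published in the article (Netskope's indicators).
DEFANGED_C2 = [
    "mail[.]mofa[.]govnp[.]org",
    "nitc[.]govnp[.]org",
    "mx1[.]nepal[.]govnp[.]org",
    "dns[.]govnp[.]org",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a[.]b[.]c' back into 'a.b.c'."""
    return domain.replace("[.]", ".").lower().strip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

# Assumption for this example: every listed host sits under this apex, so any
# other subdomain of it is treated as suspicious rather than ignored.
C2_APEX = "govnp.org"

# Constructed sample DNS query log (not from the article). Format assumed here:
# "<timestamp> <client_ip> <query_name> <query_type>".
SAMPLE_DNS_LOG = """\
2023-12-20T09:14:02Z 10.1.4.22 www.example.com A
2023-12-20T09:14:05Z 10.1.4.22 nitc.govnp.org A
2023-12-20T09:14:07Z 10.1.4.23 nitc.gov.np A
2023-12-20T09:15:11Z 10.1.4.22 mail.mofa.govnp.org. A
2023-12-20T09:15:30Z 10.1.4.24 update.govnp.org A
2023-12-20T09:16:00Z 10.1.4.25 login.microsoftonline.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(qname: str):
    """Return a verdict for one queried name, or None if it is not of interest."""
    name = qname.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    if name in C2_DOMAINS:
        return "known_c2"
    if name == C2_APEX or name.endswith("." + C2_APEX):
        return "c2_apex_subdomain"
    return None


def scan_dns_log(text: str):
    """Scan log text line by line and return the hits, oldest first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole sweep
        ts, client, qname, _qtype = m.groups()
        verdict = classify(qname)
        if verdict:
            hits.append({
                "ts": ts,
                "client": client,
                "qname": qname.lower().rstrip("."),
                "verdict": verdict,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} -> {hit['verdict']}")
```

On the sample log the sweep reports three hits from two clients: two exact C2 matches and one previously unlisted subdomain of the actor's apex, while the legitimate nitc.gov.np query is left alone. Matching on the normalised name rather than a substring is what keeps gov.np and govnp.org apart.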

“Nim is a statically typed compiled programming language,” the researchers said. “Aside from its familiar syntax, its cross-compilation features allow attackers to write one malware variant and have it cross-compiled to target different platforms.”

The disclosure comes as Cyble revealed a social engineering campaign that leverages messages on social media platforms to deliver a new Python-based stealer malware called Editbot Stealer that’s designed to harvest and exfiltrate valuable data via an actor-controlled Telegram channel.


Even as threat actors are experimenting with new malware strains, phishing campaigns have also been observed distributing known malware such as DarkGate and NetSupport RAT via email and compromised websites with fake update lures (aka RogueRaticate), particularly those from a cluster dubbed BattleRoyal.

Enterprise security firm Proofpoint said it identified at least 20 campaigns that used DarkGate malware between September and November 2023, before switching to NetSupport RAT earlier this month.

One attack sequence identified in early October 2023 particularly stands out for chaining two traffic delivery systems (TDSs) – 404 TDS and Keitaro TDS – to filter and redirect victims meeting their criteria to an actor-operated domain hosting a payload that exploited CVE-2023-36025 (CVSS score: 8.8), a high-severity Windows SmartScreen security bypass that was addressed by Microsoft in November 2023.


This implies BattleRoyal weaponized this vulnerability as a zero-day a month before it was publicly revealed by the tech giant.

DarkGate is designed to steal information and download additional malware payloads, while NetSupport RAT, which started off as a bona fide remote administration tool, has metamorphosed into a potent weapon wielded by malevolent actors to infiltrate systems and establish unfettered remote control.

“Cybercriminal threat actors [are] adopting new, varied, and increasingly creative attack chains – including the use of various TDS tools – to enable malware delivery,” Proofpoint said.

“Additionally, the use of both email and fake update lures shows the actor using multiple types of social engineering techniques in an attempt to get users to install the final payload.”

DarkGate has also been put to use by other threat actors like TA571 and TA577, both of which are known to disseminate a variety of malware, including AsyncRAT, NetSupport RAT, IcedID, PikaBot, and QakBot (aka Qbot).

“TA577 for example, one of the most prominent Qbot distributors, returned to email threat data in September to deliver DarkGate malware and has since been observed delivering PikaBot in campaigns that typically have tens of thousands of messages,” Selena Larson, senior threat intelligence analyst at Proofpoint, told The Hacker News.

