This malware was written in an unusual programming language to stop it from being detected

NimzaLoader malware is unusual because it's written in a programming language rarely used by cyber criminals - which could make it harder to detect and defend against.
Written by Danny Palmer, Senior Writer

A prolific cyber-criminal hacking operation is distributing new malware that is written in a programming language rarely used to compile malicious code.

Dubbed NimzaLoader by cybersecurity researchers at Proofpoint, the malware is written in Nim – and it's thought that those behind the malware have decided to develop it this way in the hopes that choosing an unexpected programming language will make it more difficult to detect and analyse.

NimzaLoader malware is designed to provide cyber attackers with access to Windows computers, and with the ability to execute commands – something that could give those controlling the malware the ability to control the machine, steal sensitive information, or potentially deploy additional malware.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

The malware is thought to be the work of a cyber-criminal hacking group that Proofpoint refers to as TA800, a hacking operation that targets a wide range of industries across North America.

The group is usually associated with BazarLoader, a form of trojan malware that creates a full backdoor onto compromised Windows machines and is known to be used to deliver ransomware attacks.

Like BazarLoader, NimzaLoader is distributed using phishing emails that link potential victims to a fake PDF downloader, which, if run, will download the malware onto the machine. At least some of the phishing emails are tailored towards specific targets with customised references involving personal details like the recipient's name and the company they work for.

The template of the messages and the way the attack attempts to deliver the payload is consistent with previous TA800 phishing campaigns, leading researchers to the conclusion that NimzaLoader is also the work of what was already a prolific hacking operation, which has now added another means of attack.

"TA800 has often leveraged different and unique malware, and developers may choose to use a rare programming language like Nim to avoid detection, as reverse engineers may not be familiar with Nim's implementation or focus on developing detection for it, and therefore tools and sandboxes may struggle to analyse samples of it," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.

Like BazarLoader before it, there's the potential that NimzaLoader could be adopted as a tool that's leased out to cyber criminals as a means of distributing their own malware attacks.

SEE: Security Awareness and Training policy (TechRepublic Premium)

With phishing the key means of distributing NimzaLoader, it's therefore recommended that organisations ensure that their network is secured with tools that help prevent malicious emails from arriving in inboxes in the first place.

It's also recommended that organisations train staff on how to spot phishing emails, particularly when campaigns like this one attempt to exploit personal details as a means of encouraging victims to let their guard down.


Editorial standards