Spear Phishing Emails Trick Victims with PDF Preview
A spear phishing campaign is infecting victims' computers with the NimzaLoader malware. The malicious code is written in a programming language that is rarely used for malware, which makes it harder to detect and analyze.
Spear phishing emails delivering NimzaLoader were first spotted at the beginning of February. The malicious emails use the recipient's name and/or company name to increase the chance that the victim will be tricked by the attack.
The NimzaLoader backdoor was written in the Nim programming language by the threat actor tracked as TA800. TA800 is also responsible for the Buer Loader and BazaLoader malware families.
Nim is an unusual choice in the realm of malware: most analysis tooling and analyst experience is built around more common languages, so a Nim binary is less likely to be recognized or parsed correctly by existing defenses.
The message body contains links that are presented as links to a PDF file. However, they actually point to a landing page on an email-marketing service, from which the victim is led to the NimzaLoader executable. The mismatch between what the link text promises and where the URL goes is the tell.
NimzaLoader is used to establish initial access to an IT network, likely as a precursor to deploying the Cobalt Strike post-exploitation framework.
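One heuristic a mail filter or triage script can apply to this lure is to flag links whose visible text promises a PDF (or is itself a URL) while the actual href points somewhere else. The script below is an added example, not code from the article or from Proofpoint; the email body, hostnames (mail-service.example, www.example.com) and the PDF_HINTS word list are constructed for illustration.

```python
"""Flag email links whose visible text promises a PDF but whose target is not one.

Added example for the NimzaLoader lure described above; sample HTML and
domains are constructed, not taken from a real campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words in link text that suggest the link should open a document.
# Hypothetical list; tune it to the lures you actually see.
PDF_HINTS = ("pdf", "document", "preview", "attachment")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, anchor_text) tuples from an HTML email body."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def is_suspicious_link(href, text):
    """True when the anchor text and the real target disagree.

    Case 1: the visible text is itself a URL whose host differs from href's host.
    Case 2: the text claims a PDF/document but the href path is not a .pdf.
    """
    lowered = text.lower()
    target = urlparse(href)
    target_host = (target.hostname or "").lower()

    if lowered.startswith(("http://", "https://")):
        shown_host = (urlparse(lowered).hostname or "").lower()
        if shown_host and shown_host != target_host:
            return True

    claims_pdf = any(hint in lowered for hint in PDF_HINTS)
    return claims_pdf and not target.path.lower().endswith(".pdf")


def find_pdf_lures(html):
    """Return the (href, text) pairs in an email body that look like PDF lures."""
    return [(href, text) for href, text in extract_links(html)
            if is_suspicious_link(href, text)]


# Constructed sample email: one lure that mimics the campaign's pattern
# (text says "PDF", link goes to a marketing-service landing page), one
# legitimate PDF link, and one unrelated link.
SAMPLE_EMAIL = """
<p>Hi Alice, please review the attached proposal from Example Corp.</p>
<p><a href="https://mail-service.example/landing/abc123">Preview PDF: Proposal_Q1.pdf</a></p>
<p><a href="https://www.example.com/docs/Proposal_Q1.pdf">Download PDF</a></p>
<p><a href="https://www.example.com/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, text in find_pdf_lures(SAMPLE_EMAIL):
        print(f"suspicious: text={text!r} -> href={href}")
```

Run against the sample body, only the first link is flagged: its text promises a PDF, but the URL resolves to a landing page with no .pdf in its path. This catches the text/target mismatch, not the payload itself; a lure whose landing page URL really ends in .pdf would pass, so pair it with URL reputation or sandbox detonation rather than relying on it alone.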
“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” say cybersecurity researchers at Proofpoint.