
NimzaLoader Malware

Posted: March 11, 2021

The cybercrime group behind the TrickBot Malware has unleashed a new implant that is currently being propagated through spear-phishing emails. The new threat, dubbed the NimzaLoader Malware, is reported to share similarities with the BazarBackdoor Malware (also known as BazaLoader), which the same group used previously.

The first spear-phishing emails to carry the NimzaLoader Malware were delivered on February 3, and the criminals used personalized emails to make them seem more legitimate; they often included legitimate company and employee names. The corrupted messages included a link to a presentation that a co-worker supposedly wanted reviewed. However, following the threatening download would trigger several redirects that eventually led the recipient to an executable file carrying the NimzaLoader Malware.

Analysis of the implant proved difficult, since the Command-and-Control server it reports to did not have good uptime, and researchers were unable to connect to it reliably. However, when a connection was made, the NimzaLoader Malware tried to fetch PowerShell scripts that eventually installed a copy of the Cobalt Strike Beacon.

The TrickBot Gang (also known as TA800) is often involved in large-scale attack campaigns against companies in North America, and the NimzaLoader Malware is likely to serve the same purpose. Thankfully, this malware's attacks are preventable with the use of high-quality anti-virus services.
