For a time, a few months ago, it seemed like the gang behind the dreaded Trickbot network and malware was on the ropes. Law enforcement had rocked the group back on its heels and confiscated or shut down large swaths of its network and it appeared that the group wasn’t long for the world.
Rumors of their death, it seems, have been greatly exaggerated.
The gang has proved to be highly adaptive, and they’ve responded to the recent attacks made by law enforcement and IT security professionals by changing their game.
One of the most recent changes they’ve made is the rewrite of their BazarBackdoor malware. By rewriting the code in a little-known language called Nim, they’ve been able to make the malware even harder to detect. Vitali Kremez is the CEO of an internet security firm called Advanced Intel.
Kremez had this to say about the recent discovery:
“The backdoor component that is capable of command execution is written in NIM programming language to evade anti-virus detection. The crime group likely chose to pursue the lightweight malware development in Nim to frustrate anti-virus and detection mechanism focused on traditional binaries compiled in C/C++ style languages.
Not too long ago, Golang has become another preferred language of choice for some malware families including RobbinHood ransomware majorly due to the fact that many anti-virus products fail to process and characterize unconventional binaries as malware due to unique section and binary content introduced by the Nim and similar exotic languages.”
It’s also worth mentioning that BazarBackdoor isn’t the first malware to be written in Nim and other little-known languages. Researchers don’t stumble across many such examples but at least a few others are known to exist. For instance, in 2019 the MalwareHunterTeam found a ransomware strain called XCry written in Nim, and just last month, Advanced Intel discovered a new ransomware strain written in a programming language called “D.” Given that, it seems we have yet another new thing to worry about.