A threat cluster has been spotted using previously undocumented malware written in the Nim language to strike targets. Dubbed Nimbda, the loader is bundled with a Chinese-language greyware SMS Bomber tool that is most likely distributed illegally on the Chinese-speaking web.
The cluster is linked with hacking group Tropic Trooper, also known by the monikers Earth Centaur, KeyBoy, and Pirate Panda, striking targets located in Taiwan, Hong Kong, and the Philippines, primarily focusing on government, healthcare, transportation, and high-tech industries.
SMS Bomber allows a user to input a phone number (not their own) so as to flood the victim's device with messages and potentially render it unusable in a denial-of-service (DoS) attack. That the binary doubles as both SMS Bomber and a backdoor suggests the attacks are not just aimed at users of the tool, a rather unorthodox target, but are also highly targeted in nature.
The latest attack chain documented by Check Point begins with the tampered SMS Bomber tool carrying the Nimbda loader, which launches an embedded executable, in this case the legitimate SMS Bomber payload, while also injecting a separate piece of shellcode into a notepad.exe process.
The retrieved binary is an upgraded version of a trojan named Yahoyah that is designed to collect information about local wireless networks in the victim machine's vicinity as well as other system metadata and exfiltrate the details back to a command-and-control (C2) server.