CypherCon 2024

Reverse-Engineering Nim Malware: Or a brief tale of analyzing the compiler for a language I had never used

Alexandre Cyr

Abstract:

Nim has become the language of choice for a number of libraries and tools used by red-teamers and pentesters. Much like with Mimikatz and Cobalt Strike before, malicious actors have started putting some of the same tooling to their nefarious purposes. One such example is Mustang Panda, a China-aligned APT that started using Nim to create custom loaders for their Korplug backdoor. For attackers, using a less common language also has benefits when it comes to evading defenses and hindering analysts’ work; we have seen the same thing with the growth of malware written in Go and Rust.

In this presentation, we will go over some of the specific challenges associated with analyzing Nim malware. We will then present tips and tools to help mitigate these difficulties. This will include the presentation of Nimfilt, our analysis script for IDA Pro that we will release shortly before the conference.

Finally, we will demonstrate the use of Nimfilt and other publicly available tools on real malware samples.

Importance: Nim is now used extensively for offensive and red team tools. Recently, we have observed a growing usage of the language by some APTs and malware authors.

Alexandre Cyr

Quebec, Canada (aka French Vermont)

Alexandre is a malware researcher at ESET since 2021. Working with the Montreal team, his research is focused on tracking APT groups and their toolsets.
He has previously presented about APTs and attribution at Botconf, Sleuthcon, Hackfest, and BSidesMTL. He is also involved in mentoring students getting started in infosec.

His interests include operating systems fundamentals and writing shell scripts to automate tasks that don’t always need to be automated.