ISC StormCast for Tuesday, March 16th, 2021
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 16 March 2021
⏱️ 5 minutes
| 0:00.0 | Hello, welcome to the Tuesday, March 16th, 2021 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich. And while I'm recording today from Jacksonville, I'm actually teaching a class that was supposed to be happening in San Diego. It's also, of course, just about a year that, well, I'm recording |
| 0:23.0 | from Jacksonville, Florida exclusively. But classes, of course, continue worldwide. It's just |
| 0:28.7 | all the jet lag without any of the travel. Proofpoint came across an interesting piece of |
| 0:35.5 | malware that they're calling NimzaLoader. The name is |
| 0:39.6 | derived in part from Nim, the programming language that was used to create this malware. Now, if you |
| 0:48.4 | haven't heard of Nim, you're not alone. I didn't hear about it, I have to admit, until I read about |
| 0:53.9 | this malware. |
| 0:55.5 | But if you sort of read the boilerplate on what's good about Nim, it kind of gives you an idea |
| 1:00.9 | why attackers may choose this language. And it says here that Nim generates native dependency-free |
| 1:08.3 | executables, not dependent on a virtual machine, which are small and easy |
| 1:13.7 | for redistribution. And of course, any new and a little bit odd programming language like |
| 1:20.0 | this is probably going to create somewhat unique and different binaries that will evade |
| 1:27.3 | traditional signatures. |
| 1:29.3 | The distribution methods follow the more standard pattern of first sending an email. |
| 1:36.3 | Now, in this case, the emails tend to be a bit more personalized, and then a link in the email |
| 1:41.3 | will direct the victim to the actual binary, which actually happens |
| 1:47.7 | to be hosted within Slack. That's yet another trick that tends to be quite successful |
| 1:53.9 | in evading filters, given that Slack is now a very commonly used enterprise tool. And in the example described by |
| 2:02.1 | Proofpoint, the malware claims to be a PDF but, of course, is an executable, and the |
| 2:07.7 | user will be tricked into clicking and with that executing the file. NimzaLoader is, as the |
| 2:15.1 | name implies, just a loader, so it downloads additional malware after it's installed, and Proofpoint does find that it tends to be used then to install Cobalt Strike. |
| 2:28.8 | And Microsoft released an emergency update for Windows 10, and in this case, not to fix a vulnerability, |
... |