TrickBot's BazarBackdoor malware is now coded in Nim to evade antivirus


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Last week, both cybersecurity firm Intezer and Advanced Intel's Vitali Kremez analyzed a new sample of BazarBackdoor and discovered that the TrickBot gang ported it to the Nim programming language.

According to the programming language's website, Nim takes its inspiration from Python, Ada, and Modula and can generate executables supported on Windows, macOS, and Linux.
"Nim is one of the very few programmable statically typed languages, and combines the speed and memory efficiency of C, an expressive syntax, memory safety and multiple target languages." states the Nim website.

As it is rare to find malware developed using Nim, Kremez believes that the TrickBot gang ported BazarBackdoor to Nim to bypass detection by antivirus software.
"The backdoor component that is capable of command execution is written in NIM programming language to evade anti-virus detection. The crime group likely chose to pursue the lightweight malware development in Nim to frustrate anti-virus and detection mechanism focused on traditional binaries compiled in C/C++ style languages."
"Not too long ago, Golang has become another preferred language of choice for some malware families including RobbinHood ransomware majorly due to the fact that many anti-virus products fail to process and characterize unconventional binaries as malware due to unique section and binary content introduced by the Nim and similar exotic languages," Advanced Intel CEO Vitali Kremez told BleepingComputer in a conversation.