Boztek

A reverse-engineering tool for Nim-compiled binaries

The Nim programming language is increasingly favored by malware developers because its compiler is versatile: it can emit C, C++, Objective-C or JavaScript and interoperate with code written in those languages, which lets a single code base target every major operating system, including Windows, Linux, macOS, Android and iOS. Nim can also import functions and symbols directly from those languages and from dynamically linked libraries, which adds to its appeal for crafting malicious software. Wrapper modules such as Winim simplify interaction with the operating system, further encouraging the development of both malicious and benign tools in Nim.

Recent research by ESET has identified a continuing trend of malware utilizing Nim. A notable instance dates back to 2019, when Sednit, a known cyber threat actor, was detected employing a Nim-based malicious downloader. More recently, in August 2023, the Mustang Panda APT group was observed using Nim in their toolkit during attacks on a governmental organization in Slovakia, utilizing a malicious DLL embedded within their well-known Korplug loader, marking a significant milestone in the group’s operational evolution.

For researchers who analyze such binaries, Nimfilt, a tool developed to ease their reverse engineering, is a significant help. Nimfilt runs either as a stand-alone Python script or as a plugin for the Interactive Disassembler (IDA), and it can determine whether a disassembled binary was produced by the Nim compiler. During initialization the plugin applies heuristics to specific characteristics of the binary, such as the presence of distinctive string signatures or common Nim function names.

Nimfilt applies several checks to decide whether a binary was compiled from Nim. It looks for known Nim error-message strings, and its checks are more thorough than those of comparable tools. In the final stage of initialization, Nimfilt either runs automatically, if the AUTO_RUN flag is set, or waits to be launched manually from IDA's menu.
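To make the heuristic concrete, here is an added example of the kind of "is this Nim?" check described above. It is not Nimfilt's own code: the marker strings are my own assumptions about what the Nim runtime leaves behind (entry points such as NimMain, runtime file names and defect messages), and the two sample buffers are constructed here rather than taken from real binaries. The verdict deliberately demands evidence from both families, so a generic phrase in an unrelated binary does not trigger it.

```python
import re
from typing import List, NamedTuple

# Assumed markers (my choice, not Nimfilt's list): runtime entry points the
# Nim C backend emits, which usually survive as symbol names or strings.
NIM_FUNCTION_MARKERS = (b"NimMain", b"NimMainModule", b"NimMainInner",
                        b"nimFrame", b"popFrame")
# Assumed markers: runtime source-file names (embedded for stack traces) and
# defect messages the Nim runtime raises.
NIM_STRING_MARKERS = (b"fatal.nim", b"system.nim", b"over- or underflow",
                      b"index out of bounds", b"division by zero")


class NimEvidence(NamedTuple):
    function_hits: List[str]
    string_hits: List[str]

    @property
    def score(self) -> int:
        return len(self.function_hits) + len(self.string_hits)


def _token_present(data: bytes, token: bytes) -> bool:
    """Whole-token match: a marker only counts when it is not embedded in a
    longer identifier, so 'NimMain' is not credited just because 'NimMainModule'
    contains it (each is counted only where it occurs on its own)."""
    pattern = rb"(?<![A-Za-z0-9_])" + re.escape(token) + rb"(?![A-Za-z0-9_])"
    return re.search(pattern, data) is not None


def nim_score(data: bytes) -> NimEvidence:
    """Report which markers from each family occur in the raw bytes."""
    function_hits = sorted(t.decode() for t in NIM_FUNCTION_MARKERS
                           if _token_present(data, t))
    string_hits = sorted(t.decode() for t in NIM_STRING_MARKERS
                         if _token_present(data, t))
    return NimEvidence(function_hits, string_hits)


def looks_like_nim(data: bytes, min_score: int = 2) -> bool:
    """Verdict: require at least one hit in each family plus a minimum total,
    so a lone 'division by zero' message in a C program is not enough."""
    ev = nim_score(data)
    return bool(ev.function_hits) and bool(ev.string_hits) and ev.score >= min_score


# Constructed stand-ins for file contents; a real run would pass open(path, "rb").read().
SAMPLE_NIM = (b"\x00" * 16 + b"NimMain\x00NimMainModule\x00fatal.nim\x00"
              b"over- or underflow\x00" + b"\x90" * 8)
SAMPLE_C = (b"\x7fELF" + b"\x00" * 12
            + b"main\x00__libc_start_main\x00division by zero is bad\x00")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, looks_like_nim(blob), nim_score(blob))
```

The constructed C-like buffer scores one string hit and no function hit, which is exactly the false-positive case the two-family rule is there to reject.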

A key feature of Nimfilt is its ability to demangle the function names found in Nim binaries. Nim uses its own name-mangling scheme, which Nimfilt decodes in order to rename functions to their clearer, original forms. Because the mangled names embed the package or file path of the module that defined each function, demangling can reveal details about the development environment, much as PDB paths can disclose details about a compilation environment.
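As an added illustration of what such a demangler does (this is not Nimfilt's code), the example below decodes symbols of the shape `<ident>__<module>_<id>`, which is how I understand the Nim C backend emits routine names: the module part keeps lowercase letters and digits, writes a path separator as `Z`, a dot as `O`, and any other character as its decimal ordinal, and the trailing counter is written as `_<n>` in older Nim and `_u<n>` in newer Nim. That scheme, the `::`-style readable name, and the sample symbols are my assumptions and constructions. The example also groups the decoded functions by module path, the organisation the article describes.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class NimSymbol(NamedTuple):
    ident: str      # routine name as the compiler emitted it, e.g. toLowerAscii
    module: str     # decoded module path, e.g. pure/strutils
    ident_id: int   # per-module counter the compiler appends to keep names unique


# Assumed symbol shape: <ident>__<module>_<id> (older Nim) or
# <ident>__<module>_u<id> (newer Nim); the module part only contains [a-z0-9ZO].
_SYM_RE = re.compile(r"^(?P<ident>.+?)__(?P<module>[a-z0-9ZO]+)_u?(?P<id>\d+)$")

# Assumed module encoding: characters outside [a-z0-9] other than '/' and '.'
# are written as their decimal ordinal. We only decode this restricted set back,
# because a digit run can also be a literal part of a file name (sha256, md5).
_DECODABLE = {ord(c): c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ-_"}


def _decode_digit_run(run: str) -> str:
    """'84' -> 'T' when every two-digit pair is a decodable ordinal; otherwise
    the digits are kept literally."""
    if len(run) % 2:
        return run
    pairs = [int(run[i:i + 2]) for i in range(0, len(run), 2)]
    if all(p in _DECODABLE for p in pairs):
        return "".join(_DECODABLE[p] for p in pairs)
    return run


def decode_module(mangled: str) -> str:
    """Undo the module-path encoding: Z -> '/', O -> '.', ordinal runs -> chars."""
    return "".join(
        _decode_digit_run(piece) if piece.isdigit()
        else piece.replace("Z", "/").replace("O", ".")
        for piece in re.split(r"(\d+)", mangled))


def demangle(symbol: str) -> Optional[NimSymbol]:
    m = _SYM_RE.match(symbol)
    if m is None:
        return None  # runtime helper or foreign symbol, not a Nim-mangled routine
    return NimSymbol(m["ident"], decode_module(m["module"]), int(m["id"]))


def readable_name(symbol: str) -> str:
    """Name to give the function in the disassembler (my format, not Nimfilt's)."""
    d = demangle(symbol)
    return symbol if d is None else f"{d.module}::{d.ident}"


def group_by_module(symbols: List[str]) -> Dict[str, List[str]]:
    """Bucket demangled routines by the module that defined them."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for s in symbols:
        d = demangle(s)
        if d is not None:
            groups[d.module].append(d.ident)
    return dict(groups)


# Constructed sample symbol names (not from a real binary).
SAMPLE_SYMBOLS = [
    "toLowerAscii__pureZstrutils_u123",
    "find__pureZstrutils_u77",
    "hexDigest__pureZmd5_4",     # older Nim: no 'u' before the counter
    "run__my84ool_u7",           # my84ool == myTool: 'T' encoded as ordinal 84
    "NimMain",                   # runtime entry point, left untouched
]

if __name__ == "__main__":
    for sym in SAMPLE_SYMBOLS:
        print(f"{sym:36} -> {readable_name(sym)}")
    print(group_by_module(SAMPLE_SYMBOLS))
```

The ordinal decoding is inherently ambiguous: a module named `x86` would decode as `xV`, and the real tool has to take a position on such cases, which is one reason demangled-name formatting is still being refined.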

As part of this process, Nimfilt groups the recognized Nim functions by package or file path, which helps keep the data manageable within IDA. The tool also handles Nim strings, which, unlike ordinary null-terminated sequences, are objects that carry a length field alongside the character payload. Nimfilt therefore converts these otherwise unrecognized Nim strings into a structured form that is easier to analyze.
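The following added example (not Nimfilt's code) shows why a plain `strings` pass misses the structure and what a string-aware carver recovers instead. It assumes the 64-bit layout I know from Nim's older, reference-counted runtime, where a string literal is laid out as a 16-byte header of `len` and `reserved` followed by the bytes and a NUL, with a literal-flag bit set in `reserved`; newer Nim runtimes use a different layout, so the header format and the flag bit are assumptions here. The sample blob is constructed in the code.

```python
import struct
from typing import List, NamedTuple

WORD = 8                              # 64-bit target (assumption)
STRLIT_FLAG = 1 << (WORD * 8 - 2)     # assumed literal-flag bit in `reserved`


class NimStr(NamedTuple):
    offset: int    # offset of the header (the `len` field) inside the blob
    length: int
    text: str


def build_literal(s: bytes) -> bytes:
    """Constructed helper: lay out one string literal as {len, reserved|flag, data, NUL}."""
    return struct.pack("<qq", len(s), len(s) | STRLIT_FLAG) + s + b"\x00"


def carve_nim_strings(blob: bytes, min_len: int = 1, max_len: int = 4096) -> List[NimStr]:
    """Find headers whose two words agree with each other and with the payload.

    The header is binary, so a text-only scan sees just the payload and loses
    the length; checking len == reserved & ~flag, the literal flag and the NUL
    makes accidental matches on arbitrary bytes very unlikely."""
    found: List[NimStr] = []
    i = 0
    while i + 2 * WORD <= len(blob):
        length, reserved = struct.unpack_from("<qq", blob, i)
        if (min_len <= length <= max_len
                and reserved & STRLIT_FLAG
                and (reserved & ~STRLIT_FLAG) == length):
            start, end = i + 2 * WORD, i + 2 * WORD + length
            if end < len(blob) and blob[end] == 0:
                data = blob[start:end]
                if all(32 <= b < 127 for b in data):      # printable ASCII payload only
                    found.append(NimStr(i, length, data.decode("ascii")))
                    i = end + 1                           # skip past this literal
                    continue
        i += 1   # headers may sit at any alignment in a stripped section
    return found


# Constructed blob: two Nim-style literals, some padding, and one ordinary
# NUL-terminated C string that has no header and must not be reported.
SAMPLE_BLOB = (
    b"\x90" * 5
    + build_literal(b"C:\\Users\\dev\\proj\\main.nim")   # the kind of path a build leaves behind
    + b"\x00" * 3
    + build_literal(b"index out of bounds")
    + b"plain-c-string\x00"
)

if __name__ == "__main__":
    for s in carve_nim_strings(SAMPLE_BLOB):
        print(f"0x{s.offset:04x} len={s.length:3d} {s.text!r}")
```

Carving by header rather than by printable run also tells the analyst where the object starts, which is the address that code references, not the first character of the payload.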

The article concludes by reiterating that Nimfilt substantially simplifies the reverse engineering of Nim-compiled binaries and so gives security researchers a valuable aid. Development of Nimfilt is ongoing, with future updates expected to address double mangling, improve the formatting of demangled names, and enhance grouping by package name.

In summary, the emergence of Nim as a language of choice among malware authors, coupled with tools like Nimfilt, showcases the evolution of malware development and the corresponding advancement in analytical tools aimed at detecting and deciphering such threats. The comprehensive capabilities of Nimfilt offer substantial auxiliary support for cybersecurity experts, better equipping them to confront the challenges posed by increasingly sophisticated malware coded in Nim.