Nim for Windows Malware? A few takeaways from Matt Kiely's Def Con 615 Talk
Sunday, March 27th, 2022
What on earth is Nim? Why is it important? What is its purpose? Who uses it?
Happy Sunday, Everyone,
In January I attended “The Crown: Exploratory Analysis of Nim Malware” at DEF CON 615 in hopes of picking up some awesome information from a fellow hacker friend, Matt Kiely (a.k.a. HuskyHacks).
Matt has quite an extensive background that ranges everywhere from the United States Marine Corps to holding many different certifications (eCPTX, OSCP, eCPPT, CRTO, CRTP). Though he is proficient on the computer, he’s also a very well-versed teacher for anything “cyber”, which is showcased in his latest course hosted on the TCM Security website.
Now… I could sit here and go on and on about how outstanding and skilled of a guy Matt is, but why are you really here reading this? Let’s get to the meat of this article.
What on earth is Nim?
So, in the words of the Nim website:
“Nim is a statically typed compiled systems programming language. It combines successful concepts from mature languages like Python, Ada and Modula.”
In essence, it’s a programming language that has a small footprint AND is quick to run. It uses predefined functions (much like a programming framework does) to help keep that footprint small when it runs on a local machine.
Why is it so important to know what Nim is?
Don’t we all like to keep up with the times? Though this programming language appeared in 2008, this was the first time I had heard of and learned about it. Nim is incredible at being lightweight and efficient.
Core features of Nim that everyone should know:
Windows, OSX, and Linux support
JavaScript Compilation
Small core with a rich prospect for extensibility
Decentralized package management
Easy C, C++ and Objective C wrapping
Core features of Nim that hackers know:
Compiles directly to C, C++, Objective-C and JavaScript.
Since it doesn’t rely on a VM or a bundled runtime, it does not produce large malware files.
Oh yeah… Keeping it small!
Python-inspired syntax allows rapid native payload creation and prototyping.
Python is a fan favorite of developers and hackers alike.
Has extremely mature FFI (Foreign Function Interface) capabilities.
Avoids making you actually write in C/C++, and so avoids introducing many of the security issues that come with that code into your software.
We will see about that later ^^
Super easy cross-compilation to Windows from *nix or macOS: it only requires installing the mingw toolchain and passing a single flag to the Nim compiler. The Nim compiler and the generated executables support all major platforms like Windows, Linux, BSD and macOS, and can even compile for Nintendo Switch, iOS and Android. See the cross-compilation section in the Nim compiler usage guide.
You could technically write both your implant and your C2 backend in Nim, as you can compile your code directly to JavaScript. Nim even has initial support for WebAssembly too.
What’s important for defenders to remember in order to prevent this?
Remember that the APIs being called from Nim are dynamically resolved, meaning that when Nim interfaces with APIs, the calls (more often than not) look like your standard Windows API calls. Nim can be incredibly sneaky in this sense.
Keep a close eye on the infrastructure that is currently running and being utilized. Though this seems pretty straightforward, this kind of malware can be as tough to find as a speck of dust on a clean table.
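Because the API calls themselves blend in, one practical triage angle is to look for what the Nim toolchain leaves behind in the compiled binary. The script below is an added example written for this post, not code from Matt’s talk or from the Nim project; the indicator strings are assumed, commonly observed compiler/runtime artifacts (plus the MinGW runtime string a cross-compiled Windows build usually carries) and are heuristics, not proof.

```python
"""Heuristic triage: flag binaries that carry Nim toolchain artifacts."""

# Assumed indicators (heuristics, not proof): symbol and module names the
# Nim compiler/runtime commonly embeds, plus the MinGW runtime string that a
# cross-compiled Windows build usually carries. Stripped or packed samples
# may hide all of them, so treat a miss as "unknown", not "clean".
NIM_INDICATORS = (b"NimMain", b"NimMainInner", b"nimFrame",
                  b"stdlib_system.nim", b"fatal.nim", b"sysFatal")
MINGW_INDICATOR = b"Mingw-w64 runtime failure"


def scan_for_nim(data: bytes, min_hits: int = 2) -> dict:
    """Report which indicators appear in `data` and whether the sample
    crosses the reporting threshold (`min_hits` distinct Nim indicators)."""
    hits = sorted({ind.decode() for ind in NIM_INDICATORS if ind in data})
    return {
        "nim_indicators": hits,
        "mingw_runtime": MINGW_INDICATOR in data,
        "likely_nim": len(hits) >= min_hits,
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for a real file on disk (reads the whole binary)."""
    with open(path, "rb") as fh:
        return scan_for_nim(fh.read())


# Constructed samples so the script runs stand-alone: a fake fragment of a
# Nim-built PE, and a plain C-built one that only references the usual DLLs.
SAMPLE_NIM = (b"MZ\x90\x00" + b"\x00" * 16
              + b"NimMain\x00NimMainInner\x00stdlib_system.nim\x00"
              + b"Mingw-w64 runtime failure\x00kernel32.dll\x00")
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 16 + b"kernel32.dll\x00msvcrt.dll\x00"

if __name__ == "__main__":
    for name, blob in (("nim_sample", SAMPLE_NIM), ("plain_sample", SAMPLE_PLAIN)):
        print(name, scan_for_nim(blob))
```

Run it against a directory of unknown executables with `scan_file` and route anything marked `likely_nim` to a closer look; a clean result only means the heuristics did not fire.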
If you’d like to see/hear a more in depth version of Matt’s talk, follow the link below!