Key Features
📌Function and Package Names: Nimfilt demangles Nim-specific function and package names, making them more readable and easier to analyze.
📌Package Init Function Names: It also demangles the initialization function names of Nim packages.
📌Nim Strings: Nimfilt applies C-style structs to Nim strings, which helps in interpreting the data structures within the binary. This includes identifying the length and payload of the strings.
📌IDA Plugin: Nimfilt can be used as an IDA plugin, where it organizes functions into directories based on their package name or path. This helps in structuring the analysis process.
📌Automatic Execution: The plugin can be set to automatically execute when a Nim binary is loaded by setting the AUTO_RUN global variable to True.
📌Identifying Nim Binaries: Nimfilt uses heuristics to identify if a loaded file is a Nim binary by checking for specific strings and function names associated with Nim.
📌YARA Rules: It includes YARA rules to identify Nim-compiled ELF and PE binaries.
📌Command Line Interface (CLI): Python Script: Nimfilt can be run as a Python script on the command line, providing a subset of its functionality outside of IDA.
📌Organizing Functions: Directory Structure: In IDA, Nimfilt creates directories in the Functions window to organize functions according to their package name or path, enhancing the readability and manageability of the analysis.
Scenarios
Nimfilt has been employed in various real-world scenarios, particularly in the analysis of malware written in the Nim programming language.
Sednit Group:
📌Background: The Sednit group, also known as APT28 or Fancy Bear, is a well-known cyber-espionage group. They have been active since at least 2004 and are responsible for several high-profile attacks, including the Democratic National Committee (DNC) hack in 2016.
📌Use of Nim: In 2019, Sednit was observed using a malicious downloader written in Nim. This marked one of the early instances of Nim being used in malware development.
📌Nimfilt’s Role: Nimfilt was used to reverse-engineer this Nim-compiled malware, helping analysts understand the structure and functionality of the downloader by demangling function and package names and applying appropriate data structures to strings.
Mustang Panda APT Group:
📌Background: Mustang Panda is a China-aligned Advanced Persistent Threat (APT) group known for its cyber-espionage activities. They have been using Nim to create custom loaders for their Korplug backdoor.
📌Specific Incident: In August 2023, Mustang Panda used a malicious DLL written in Nim as part of their campaign against a governmental organization in Slovakia. This DLL was part of their classic trident Korplug loader.
📌Nimfilt’s Role: Nimfilt was instrumental in analyzing this DLL. By demangling the names and organizing functions into directories, Nimfilt made it easier for researchers to dissect the malware and understand its behavior.
General Malware Analysis:
📌Nim’s Popularity: The Nim programming language has become increasingly attractive to malware developers due to its robust compiler and ability to work seamlessly with other languages like C, C++, and JavaScript. This has led to a rise in malware written in Nim.
📌Nimfilt’s Contribution: For researchers tasked with reverse-engineering such binaries, Nimfilt provides a powerful tool to speed up the analysis process. It helps by demangling names, applying structs to strings, and organizing functions, thereby making the reverse-engineering process more efficient and focused.