NimbleMamba

Description

(Proofpoint) Each variant of TA402’s attack chain led to a RAR file containing one or multiple malicious compressed executables. These executables include a TA402 implant Proofpoint dubbed NimbleMamba and oftentimes an additional trojan Proofpoint named BrittleBush. NimbleMamba is almost certainly meant to replace LastConn, which Proofpoint reported about in June 2021.

NimbleMamba uses guardrails to ensure that all infected victims are within TA402’s target region. NimbleMamba uses the Dropbox API for both command and control as well as exfiltration. The malware also contains multiple capabilities designed to complicate both automated and manual analysis.
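The Dropbox API use described above is the most hunt-friendly trait on this card, because the legitimate Dropbox desktop client is the only process that normally talks to the api.dropboxapi.com / content.dropboxapi.com endpoints. The script below is an added illustration of that hunt and is not Proofpoint's code or a NimbleMamba signature: it walks constructed proxy-style log lines (the line format, the hostnames in the sample, and the single-entry process allow-list are assumptions for the example) and summarises Dropbox API traffic per (host, process) for every process that is not the Dropbox client, so a backdoor using the API for tasking and exfiltration shows up as an unexpected process with outbound volume to content.dropboxapi.com.

```python
"""Hunt for Dropbox API traffic from unexpected processes.

Added example, not Proofpoint's code and not a NimbleMamba detection
signature. Log format and process allow-list are assumptions.
"""
from collections import defaultdict

# Dropbox API endpoints: api.dropboxapi.com carries RPC/metadata calls,
# content.dropboxapi.com carries file upload/download bodies.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumed image name of the legitimate Dropbox desktop client; tune per estate.
ALLOWED_PROCESSES = {"dropbox.exe"}

# Constructed sample log, one event per line:
#   <timestamp> host=<endpoint> proc=<image> dst=<server name> bytes_out=<n>
# WS01 is a normal Dropbox user, WS02 is unrelated traffic, WS07 is the case
# the hunt should surface (API traffic from a process that is not the client).
SAMPLE_LOG = """\
2022-02-01T10:00:01Z host=WS01 proc=dropbox.exe dst=api.dropboxapi.com bytes_out=1200
2022-02-01T10:00:05Z host=WS01 proc=chrome.exe dst=www.dropbox.com bytes_out=800
2022-02-01T10:03:17Z host=WS07 proc=svchost.exe dst=api.dropboxapi.com bytes_out=512
2022-02-01T10:03:20Z host=WS07 proc=svchost.exe dst=content.dropboxapi.com bytes_out=4194304
2022-02-01T10:10:00Z host=WS02 proc=outlook.exe dst=outlook.office365.com bytes_out=9000
"""


def parse_line(line):
    """Parse one 'ts key=value key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["bytes_out"] = int(rec.get("bytes_out", "0"))
    return rec


def find_unexpected_dropbox_api(log_text, allowed=ALLOWED_PROCESSES):
    """Summarise Dropbox API traffic per (host, process) for non-allow-listed processes.

    Returns {(host, proc): {"events": n, "bytes_out": total, "dst": [hosts]}}.
    Browsing to www.dropbox.com is deliberately not counted: only the API
    endpoints a programmatic client (or backdoor) would use are in scope.
    """
    findings = defaultdict(lambda: {"events": 0, "bytes_out": 0, "dst": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("dst") not in DROPBOX_API_HOSTS:
            continue
        proc = rec.get("proc", "").lower()
        if proc in allowed:
            continue
        entry = findings[(rec.get("host"), proc)]
        entry["events"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        entry["dst"].add(rec["dst"])
    # Sort the destination set so results are stable and easy to compare.
    return {
        key: {"events": v["events"], "bytes_out": v["bytes_out"], "dst": sorted(v["dst"])}
        for key, v in findings.items()
    }


if __name__ == "__main__":
    for (host, proc), info in find_unexpected_dropbox_api(SAMPLE_LOG).items():
        print(f"{host} {proc}: {info['events']} Dropbox API events, "
              f"{info['bytes_out']} bytes out, endpoints={info['dst']}")
```

In a real estate the allow-list needs the actual client image names and paths, and large bytes_out to content.dropboxapi.com from anything outside that list is the figure worth alerting on, since that is where uploaded (exfiltrated) file content goes.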

Names

Name
NimbleMamba

Category

Malware

Type

  • Backdoor
  • Info stealer
  • Downloader
  • Exfiltration

Information

Malpedia

Other Information

Uuid

1c33ff97-c5eb-4c51-a72e-31ad07abf8cd

Last Card Change

2022-12-27