ESET Research has released Nimfilt, a tool that helps researchers reverse engineer binaries produced by the Nim compiler. Nim has gained popularity among malware developers: its compiler emits C, C++ or Objective-C (which a native toolchain then builds) as well as JavaScript, and it can target Windows, Linux, macOS, Android and iOS. The language also makes it easy to import functions and symbols from other languages, so it is a convenient choice for writing new tools, both benign and malicious.
Nim-based malware has been on ESET Research's radar since 2019. Notably, the Mustang Panda APT group has used Nim in its operations, which prompted ESET Research to develop Nimfilt: in a campaign targeting a governmental organization in Slovakia in August 2023, Mustang Panda deployed a malicious DLL written in Nim as part of its Korplug loader.
For researchers analyzing Nim-compiled binaries, Nimfilt speeds up the work. Available both as an IDA plugin and as a standalone Python script, it demangles package and function names and applies structs to Nim strings, which helps identify and understand the Nim code inside a binary.
When it is initialized in IDA, the plugin runs heuristic checks to decide whether the binary was built with the Nim compiler. YARA rules shipped with Nimfilt make this check more robust; ESET describes them as more reliable at identifying Nim-compiled files than other existing tools.
One key function of Nimfilt is decoding Nim's custom name mangling scheme. The compiler encodes both the function name and the originating module path into each symbol, so demangled names reveal package and function names and, with them, details of the developer's environment such as file paths and package dependencies. Nimfilt also groups the demangled functions by package in the IDA Functions window, improving the analysis workflow.
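To make the mangling concrete, here is a small demangler. It is added as an example and is not Nimfilt's own code; it assumes the escape rules of the Nim compiler's mangle proc (letters and digits verbatim, `_` to `Q`, other bytes to `X` plus two uppercase hex digits, a trailing `_` when any escape was used) and the `function__module_u<id>` symbol layout with `Z` standing in for the path separator, and the symbol names it is run on are constructed for illustration.

```python
"""Demangle Nim C-backend symbol names (added example; not Nimfilt's code).

Assumed mangling (taken from the Nim compiler's `mangle` proc and the
`name__module_u<id>` layout of its C backend; treat these as assumptions):
  * letters and digits are copied verbatim;
  * `_` becomes `Q`; ASCII punctuation becomes a word such as `dollar` or
    `dot`; any other byte becomes `X` + two uppercase hex digits;
  * when at least one escape was used a `_` is appended to the identifier;
  * the module's unique name follows a `__` separator, with `Z` replacing
    the path separator, then `_u` (older compilers: `_`) and a numeric id.
Word escapes such as `dot` are left untouched here because they collide with
ordinary identifier text (e.g. `dotProduct`) and cannot be decoded reliably
without more context.
"""
import re
from typing import NamedTuple, Optional

# The module part must start with a letter/digit so that the trailing '_'
# escape marker of the function name is not swallowed by the '__' separator.
SYMBOL_RE = re.compile(
    r"^(?P<func>[A-Za-z0-9_]+?)__(?P<module>[A-Za-z0-9][A-Za-z0-9_]*?)_u?(?P<id>\d+)$"
)
ESCAPE_RE = re.compile(rb"Q|X([0-9A-F]{2})")


class NimSymbol(NamedTuple):
    function: str
    module: str   # source path as it appeared in the developer's environment
    ident: int


def decode_ident(mangled: str) -> str:
    """Undo per-identifier escapes. Only identifiers ending in '_' carried
    escapes, so plain names such as 'Queue' are returned untouched."""
    if not mangled.endswith("_"):
        return mangled
    body = mangled[:-1].encode("ascii")
    raw = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(body):
        raw += body[pos:m.start()]
        raw += b"_" if m.group(0) == b"Q" else bytes([int(m.group(1), 16)])
        pos = m.end()
    raw += body[pos:]
    # X<hex> escapes are emitted per byte, so multi-byte UTF-8 letters
    # reassemble here.
    return raw.decode("utf-8", errors="replace")


def demangle(symbol: str) -> Optional[NimSymbol]:
    """Split a mangled Nim symbol into function, module path and id.
    Returns None for names that do not follow the scheme, e.g. the runtime's
    exported C names such as NimMain."""
    m = SYMBOL_RE.match(symbol)
    if m is None:
        return None
    module = decode_ident(m.group("module")).replace("Z", "/")
    return NimSymbol(decode_ident(m.group("func")), module, int(m.group("id")))


if __name__ == "__main__":
    # Constructed sample symbols, not taken from a real binary.
    for name in ("fooQbar___pureZstrutils_u42",
                 "toHex__stdZprivateZdigitsutils_u7",
                 "seXC3XB1al___main_u9",
                 "NimMain"):
        print(f"{name:40s} -> {demangle(name)}")
```

The recovered module paths are what make the "developer's environment" visible: a path such as `pure/strutils` points at a standard-library dependency, while a path rooted in a project directory reveals the author's layout.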
Nimfilt also applies C-style structs to the Nim strings it finds. A Nim string is not a bare NUL-terminated C string but a length-prefixed object, so defining that structure in IDA makes the length and data fields readable at a glance. To do this, Nimfilt iterates through the data segments, detects Nim strings by their layout, and applies the struct to each one.
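The scanner below, added here as an example and not part of Nimfilt, shows how such layout-based detection can work over a raw data blob. It assumes the layouts the Nim compiler's C output uses for string literals on a 64-bit little-endian target: a refc header of two machine words {len, reserved} with reserved = len | NIM_STRLIT_FLAG, and an ORC/ARC payload of one word {cap | NIM_STRLIT_FLAG} followed by the data, where NIM_STRLIT_FLAG is 1 << 62 and the data is NUL-terminated. The sample blob, including the decoys, is constructed inline.

```python
"""Find Nim string literals in a raw data blob (added example; not Nimfilt).

Assumed layouts, 64-bit little-endian (from the C the Nim compiler emits):
  refc (Nim 1.x default GC): { NI len; NI reserved; char data[len+1]; }
                             with reserved = len | NIM_STRLIT_FLAG
  ORC/ARC (Nim 2 default):   payload { NI cap; char data[cap+1]; }
                             with cap = len | NIM_STRLIT_FLAG, pointed to by a
                             separate { NI len; NimStrPayload *p; } object
  NIM_STRLIT_FLAG = 1 << (sizeof(NI) * 8 - 2)
"""
import struct
from dataclasses import dataclass
from typing import List

WORD = 8
STRLIT_FLAG = 1 << (WORD * 8 - 2)
MAX_LEN = 4096  # sanity bound so a random word is not taken for a huge string


@dataclass
class NimStr:
    offset: int   # where the header starts in the blob
    kind: str     # "refc" or "v2"
    length: int
    text: bytes


def _word(blob: bytes, off: int) -> int:
    return struct.unpack_from("<Q", blob, off)[0]


def _plausible(blob: bytes, data_off: int, length: int) -> bool:
    """Length in range, terminating NUL present, data looks like text."""
    end = data_off + length
    if not (0 < length <= MAX_LEN) or end >= len(blob) or blob[end] != 0:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in blob[data_off:end])


def find_nim_strings(blob: bytes) -> List[NimStr]:
    """Heuristic scan: every offset is tried, the refc form is tested first
    because its 'reserved' word alone also looks like a v2 payload header."""
    found: List[NimStr] = []
    off = 0
    while off + WORD <= len(blob):
        a = _word(blob, off)
        if off + 2 * WORD <= len(blob):
            b = _word(blob, off + WORD)
            data = off + 2 * WORD
            if b == (a | STRLIT_FLAG) and _plausible(blob, data, a):
                found.append(NimStr(off, "refc", a, bytes(blob[data:data + a])))
                off = data + a + 1
                continue
        if a & STRLIT_FLAG:
            n = a ^ STRLIT_FLAG
            data = off + WORD
            if _plausible(blob, data, n):
                found.append(NimStr(off, "v2", n, bytes(blob[data:data + n])))
                off = data + n + 1
                continue
        off += 1
    return found


def _refc_literal(text: bytes) -> bytes:
    return struct.pack("<QQ", len(text), len(text) | STRLIT_FLAG) + text + b"\0"


def _v2_payload(text: bytes) -> bytes:
    return struct.pack("<Q", len(text) | STRLIT_FLAG) + text + b"\0"


def _pad(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % WORD)   # static structs are word-aligned


# Constructed sample "data segment": one literal of each flavour, some
# unrelated bytes, and a decoy header whose data lacks the terminating NUL.
SAMPLE_BLOB = (
    b"\0" * 16
    + _pad(_refc_literal(b"C:\\build\\loader.nim"))        # at offset 16
    + b"\x41" * 11 + b"\0" * 5                               # unrelated bytes
    + _pad(_v2_payload(b"kernel32.dll"))                     # at offset 72
    + struct.pack("<Q", STRLIT_FLAG | 5) + b"ABCDEFGH"       # decoy, rejected
    + b"\0" * 8
)


if __name__ == "__main__":
    for hit in find_nim_strings(SAMPLE_BLOB):
        print(f"{hit.offset:#06x} {hit.kind:4s} len={hit.length:3d} {hit.text!r}")
```

In an IDA plugin each hit would become a struct applied at `offset`; the printable-text filter is deliberately strict for this example and would be loosened for binaries that embed non-text literals.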
In short, Nimfilt is a useful tool for reverse engineering Nim-compiled binaries: it streamlines analysis and recovers information about the Nim code structures in a binary. Development continues, with planned features to handle double mangling and to improve the formatting of demangled names and package groupings.

