Nimbus Manticore is a highly obfuscated 64-bit PE malware built to escalate privileges, move laterally via RPC, dynamically load components, and evade sandboxes using timing checks. Deep Instinct was the only vendor on VirusTotal to detect it for a full week, highlighting detection gaps against this threat. #NimbusManticore #DeepInstinct
Keypoints
- Nimbus Manticore is a 64-bit PE compiled with Microsoft Visual C/C++ and the Microsoft Linker, leveraging legitimate toolchains to blend into enterprise environments.
- The sample exhibits multiple layers of obfuscation and encryption (high entropy in .text and .data sections) to frustrate static and manual analysis.
- Import-hiding and dynamic component loading are used (GetProcAddress, LoadLibraryA, LoadLibraryExW) so full functionality is assembled at runtime rather than visible statically.
- The malware includes sandbox-evasion timing checks (GetSystemTimeAsFileTime, QueryPerformanceCounter, Sleep) to refuse execution in analysis environments.
- RPC-related functionality (RpcAuthIdentityFree, RpcBindingSetAut, RpcImpersonateClient) indicates capabilities for lateral movement and impersonation-based privilege escalation across networks.
- Deep Instinct detected and blocked the threat on VirusTotal when most vendors missed it for a week, underscoring the need for pre-execution and network-level visibility beyond traditional EDR and sandboxing.
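The two static signals the key points rely on, abnormal section entropy and the API-name strings grouped by attributed capability, as a small triage helper. This is an added example, not Deep Instinct's or the report's code; the entropy cutoff and the section contents are constructed assumptions, and real section bytes would come from a PE parser.

```python
import hashlib
import math
from collections import Counter

# API names from the report, grouped by the capability it attributes to them.
INDICATOR_GROUPS = {
    "dynamic loading": [b"GetProcAddress", b"LoadLibraryA", b"LoadLibraryExW"],
    "timing / sandbox evasion": [b"GetSystemTimeAsFileTime", b"QueryPerformanceCounter", b"Sleep"],
    "RPC / impersonation": [b"RpcAuthIdentityFree", b"RpcBindingSetAut", b"RpcImpersonateClient"],
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cutoff, packed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_sections(sections: dict) -> dict:
    """Map section name -> entropy for every section above the threshold."""
    scores = {name: shannon_entropy(body) for name, body in sections.items()}
    return {name: round(e, 2) for name, e in scores.items() if e > ENTROPY_THRESHOLD}

def api_indicators(blob: bytes) -> dict:
    """Group the report's API strings present in blob by attributed capability."""
    found = {}
    for group, names in INDICATOR_GROUPS.items():
        hits = [name.decode() for name in names if name in blob]
        if hits:
            found[group] = hits
    return found

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted section (constructed)."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed stand-in for the sample: opaque .text/.data, plain .rdata carrying the API names.
SAMPLE_SECTIONS = {
    ".text": pseudo_random(4096),
    ".data": pseudo_random(2048),
    ".rdata": b"\x00".join(n for ns in INDICATOR_GROUPS.values() for n in ns) + b"\x00" * 512,
}
```

Running `high_entropy_sections(SAMPLE_SECTIONS)` flags only .text and .data, while `api_indicators` over the joined sections returns all three capability groups; a clean binary would typically show neither pattern together.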
MITRE Techniques
- [T1027] Obfuscated Files or Information – Use of encoded/compressed .text and encrypted .data sections to hinder analysis. (‘the .text section shows abnormal entropy levels, indicating encoded or compressed code’ / ‘.data section exhibits high entropy consistent with encryption’)
- [T1497] Virtualization/Sandbox Evasion – Timing- and environment-based checks to detect and evade sandboxes. (‘GetSystemTimeAsFileTime, QueryPerformanceCounter, and Sleep indicate the malware can measure execution timing to identify analysis environments’)
- [T1021] Remote Services – Lateral movement leveraging Windows RPC functionality to move between systems. (‘RpcAuthIdentityFree, RpcBindingSetAut, and RpcImpersonateClient indicate this malware has capabilities for lateral movement and privilege escalation’)
- [T1134] Access Token Manipulation – Impersonation of clients/services via RPC to escalate privileges and assume identities. (‘RpcImpersonateClient indicates this malware can potentially assume the identity of legitimate users or services to gain access to additional systems’)
- [T1574] Hijack Execution Flow (Dynamic Component Loading) – Dynamic loading of modules at runtime to hide full functionality until execution. (‘GetProcAddress, LoadLibraryA, and LoadLibraryExW… allow the malware to dynamically load additional components at runtime, keeping its full functionality hidden from static analysis tools’)
- [T1543] Create or Modify System Process – Creation of processes/threads to execute payloads and potentially use legitimate processes as cover. (‘strings related to “Process,” “Thread,” and “Start.” This means the malware can spawn additional processes or threads to execute payloads’)
Indicators of Compromise
- [File Name] Suspicious module observed in analysis – unbcl-new6.dll
- [Binary Characteristics] Sample and compile details useful for scope and hunting – 64-bit PE binary compiled using Microsoft Visual C/C++ and the Microsoft Linker
- [Strings / API Calls] Behavioral indicators extracted from the binary – GetProcAddress, LoadLibraryA, LoadLibraryExW, GetSystemTimeAsFileTime, QueryPerformanceCounter, Sleep, RpcAuthIdentityFree, RpcBindingSetAut, RpcImpersonateClient
Read more: https://www.deepinstinct.com/blog/dianna-explains-4-nimbus-manticore-monstrous-malware