How to remove DarkNimbus backdoor-type malware from the operating system
Written by Tomas Meskauskas on
What kind of malware is DarkNimbus?
DarkNimbus is backdoor-type malware. Two versions exist: one targets Windows, the other Android. Backdoors are generally used to open covert access to a device so that further infection can be staged or carried out; DarkNimbus, however, also has many capabilities of its own related to spying and data theft.
This backdoor has been used in various campaigns. One recent campaign of note is associated with a group tracked as "Earth Minotaur". This group primarily targets Tibetan and Uyghur communities. The group's Android campaign used the MOONSHINE exploit kit to deliver DarkNimbus to devices.
DarkNimbus malware overview
DarkNimbus is a backdoor-type malware with extensive capabilities centered on spying and stealing information. In one of the recent campaigns associated with the Earth Minotaur group, DarkNimbus was introduced into Android devices by the MOONSHINE exploit kit.
These infections were initiated through sophisticated spam DMs/PMs (direct/private messages) that lured users into visiting MOONSHINE exploit kit servers. If the victim's device ran one of a specific set of apps containing a vulnerable Chrome-based browser component, the server injected malicious code into it.
Chrome components in the following apps were targeted – Facebook social networking app; Messenger, Line, QQ, WeChat, and Zalo messengers; Lazada e-commerce app; Naver multi-purpose online platform app. Known vulnerabilities exploited by MOONSHINE are tracked as "CVE-2016-1646", "CVE-2016-5198", "CVE-2017-5030", "CVE-2017-5070", "CVE-2018-6065", "CVE-2018-17463", "CVE-2018-17480", and "CVE-2020-6418".
The malicious code executed shellcode that replaced the targeted application's XWalk browser core with a trojanized copy (this was observed in WeChat). The trojanized XWalk then prepared the device for further infection before installing DarkNimbus.
There is an overlap between the Android and Windows variants of DarkNimbus. Both can collect device data, information about directories and files, installed app lists, execute shell commands, exfiltrate files, take screenshots, and collect clipboard (copy-paste buffer) content.
How these functionalities are realized naturally varies between the OS (Operating System) versions. Several of the Android variant's capabilities rely on its abuse of Android's Accessibility Services.
Some of DarkNimbus' Android-only functionalities include gathering extensive geolocation data, Wi-Fi details, browser bookmarks, contact lists, call logs, and SMS contents, as well as managing phone calls (e.g., recording them), recording content at scheduled times, and taking photos via the front-facing camera.
Additionally, this version collects messages through Accessibility Services from various messengers – DingTalk, MOMO, QQ, Skype, TalkBox, Telegram, Voxer, WeChat, and WhatsApp. It is noteworthy that in the observed cases where DarkNimbus was infiltrated by MOONSHINE, it only targeted WeChat.
The abilities present only in the Windows variant are reading file contents before exfiltration, recording keystrokes (keylogging), and collecting browser data (e.g., browsing histories, saved log-in credentials, etc.).
It must be mentioned that it is common for malware developers to improve upon their creations and methodologies. Hence, potential future releases of DarkNimbus can have additional/different capabilities and features.
To summarize, the presence of software like DarkNimbus on devices can result in severe privacy issues, financial losses, and identity theft.
Name | DarkNimbus malware
Threat Type | Trojan, backdoor, spyware, stealer.
Detection Names (Windows version) | Avast (Win32:MalwareX-gen [Trj]), Combo Cleaner (Gen:Variant.Doina.41245), ESET-NOD32 (A Variant Of Win32/Spy.Agent.PZF), Kaspersky (HEUR:Trojan-Spy.Win32.Agent.gen), Microsoft (PUA:Win32/Kuping), Full List Of Detections (VirusTotal)
Detection Names (Android version) | Avast-Mobile (Android:Evo-gen [Trj]), ESET-NOD32 (Android/Spy.Agent.DVL), Ikarus (Trojan-Banker.AndroidOS.Riltok), Kaspersky (HEUR:Trojan-Spy.AndroidOS.Agent.ts), Symantec Mobile Insight (AppRisk:Generisk), Full List Of Detections (VirusTotal)
Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution methods | Infected email attachments, malicious online advertisements, social engineering, software 'cracks'.
Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.
Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
Backdoor-type malware examples
We have investigated thousands of malicious programs; RevC2, GhostSpider, Voldemort, and BugSleep are merely some of our newest articles on backdoors.
Malware can have a wide variety of harmful abilities, and these are not limited to what a family's nominal classification suggests. Regardless of how malware functions, its presence on a system threatens device integrity and user safety. Therefore, all threats must be removed immediately upon detection.
How did DarkNimbus infiltrate my computer?
The Android version of DarkNimbus has been spread by a group tracked as "Earth Minotaur" through social engineering campaigns targeting users from the Tibetan and Uyghur communities. In some cases, the spam DMs/PMs containing disguised links were sent from accounts impersonating other people, lending the messages an impression of legitimacy.
Known lures include Chinese government announcements and news related to COVID-19, China's travel information, news concerning Tibetans or Uyghurs, and traditional music/dances of these communities. Keep in mind that other lures or techniques could be used.
The links redirected to the MOONSHINE exploit kit servers. The links stayed live only for a limited time, which reduces the chance that the group's tactics and techniques can be analyzed. Although the campaigns targeted specific communities, the links were visited by users from across the globe, which suggests that the messages were forwarded in group chats.
The MOONSHINE exploit kit servers checked whether the visitor's device had a suitable app with an exploitable Chrome component – if found, it injected the malicious code. Afterward, the user was redirected to the legitimate website indicated in the lure.
If no targeted application was discovered, the visitor was either led straight to the genuine webpage or to a page claiming that their browser is outdated, which tricks them into installing an older, vulnerable version. Once injected, the malicious code triggered the infection chain that culminated in DarkNimbus being installed on the device.
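The fingerprinting step described above (and in the overview earlier) has a defender's mirror image: the same User-Agent details MOONSHINE's servers used to pick victims can be pulled from web-proxy or gateway logs to find devices that are still exposed. The Python below is an added example, not code from this article or from the Earth Minotaur research it summarizes. It isolates requests made from the in-app browsers the kit targeted, extracts the embedded Chrome engine version, notes whether the app bundles its own XWalk (Crosswalk) engine, and lists which of the CVEs named earlier that build predates. The app-identifying UA tokens and the fixed-in versions are my assumptions (compiled from Chrome release notes, to be verified), and the log lines are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First Chrome stable build that shipped the fix for each CVE the article
# attributes to MOONSHINE. ASSUMPTION: compiled from my reading of Chrome
# release notes, not from the article; confirm before relying on it.
FIXED_IN: Dict[str, Version] = {
    "CVE-2016-1646": (49, 0, 2623, 108),
    "CVE-2016-5198": (54, 0, 2840, 90),
    "CVE-2017-5030": (57, 0, 2987, 98),
    "CVE-2017-5070": (59, 0, 3071, 86),
    "CVE-2018-6065": (65, 0, 3325, 146),
    "CVE-2018-17463": (70, 0, 3538, 67),
    "CVE-2018-17480": (71, 0, 3578, 80),
    "CVE-2020-6418": (80, 0, 3987, 122),
}

# User-Agent fragments that mark the in-app browsers MOONSHINE fingerprinted.
# ASSUMPTION: these are the tokens the apps append to their WebView UA; the
# Messenger check comes first because Messenger also carries the FBAV token.
APP_TOKENS: List[Tuple[str, str]] = [
    ("FB_IAB/Orca", "Messenger"),
    ("FBAV/", "Facebook"),
    ("MicroMessenger/", "WeChat"),
    ("Line/", "Line"),
    (" QQ/", "QQ"),
    ("Zalo", "Zalo"),
    ("Lazada", "Lazada"),
    ("NAVER(", "Naver"),
]

CHROME_RE = re.compile(r"Chrome/(\d+(?:\.\d+){0,3})")
UA_RE = re.compile(r'"([^"]*)"\s*$')  # User-Agent is the last quoted field of a combined log line


def chrome_version(ua: str) -> Optional[Version]:
    """Version of the Chrome/Chromium engine advertised in the UA, if any."""
    m = CHROME_RE.search(ua)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def in_app_browser(ua: str) -> Optional[str]:
    """Name of the targeted app whose embedded browser produced this UA, if any."""
    for token, app in APP_TOKENS:
        if token in ua:
            return app
    return None


def exposed_cves(version: Version) -> List[str]:
    """CVEs whose fix landed in a build newer than the one observed."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def assess(ua: str) -> Optional[dict]:
    """Describe one User-Agent's exposure, or None if it is not a targeted in-app browser."""
    app = in_app_browser(ua)
    ver = chrome_version(ua)
    if app is None or ver is None:
        return None
    return {
        "app": app,
        "chrome": ".".join(map(str, ver)),
        # Crosswalk (XWalk) bundles its own Chromium, so Play Store WebView
        # updates never patch it; this is the component the article says
        # MOONSHINE replaced with a trojanized copy.
        "bundled_xwalk": "Crosswalk/" in ua,
        "system_webview": "; wv)" in ua,
        "exposed": exposed_cves(ver),
    }


def triage(log_lines: List[str]) -> List[dict]:
    """Findings for every request made from an in-app browser missing at least one fix."""
    findings = []
    for line in log_lines:
        m = UA_RE.search(line)
        if not m:
            continue
        result = assess(m.group(1))
        if result and result["exposed"]:
            result["client"] = line.split(" ", 1)[0]
            findings.append(result)
    return findings


# Constructed sample proxy log (combined format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2024:10:00:01 +0000] "GET /news.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 9; MI 8 Build/PKQ1.180729.001; wv) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 Mobile Safari/537.36 MicroMessenger/7.0.10"',
    '10.0.0.6 - - [01/Dec/2024:10:00:02 +0000] "GET /news.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 7.0; SM-G930F Build/NRD90M) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/53.0.2785.143 Crosswalk/23.53.589.4 Mobile Safari/537.36 MicroMessenger/6.5.16"',
    '10.0.0.7 - - [01/Dec/2024:10:00:03 +0000] "GET /news.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/90.0.4430.91 Mobile Safari/537.36"',
    '10.0.0.8 - - [01/Dec/2024:10:00:04 +0000] "GET /news.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7; wv) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Version/4.0 Chrome/120.0.6099.43 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/440.0.0.30.113;]"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['client']}: {f['app']} on Chrome {f['chrome']} "
              f"(bundled XWalk: {f['bundled_xwalk']}) exposed to {', '.join(f['exposed'])}")
```

Of the four constructed requests, only the two WeChat clients are reported: the first runs a system WebView two major versions behind the CVE-2020-6418 fix, and the second advertises a Crosswalk build whose Chromium 53 engine predates seven of the eight fixes. A plain Chrome browser without an app token is skipped on purpose, since that is not what the kit fingerprinted for, and an up-to-date Facebook in-app browser produces no finding.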
It must be mentioned that this backdoor could be proliferated using different methods. Social engineering and phishing tactics are standard in malware distribution. Malicious programs are typically disguised as or bundled with ordinary content.
Infectious files come in various formats, e.g., executables (.exe, .run, etc.), archives (ZIP, RAR, etc.), documents (PDF, Microsoft Office, Microsoft OneNote, etc.), JavaScript, and so forth. Merely opening such a file can be enough to initiate the infection chain.
Malware is primarily distributed via drive-by (stealthy/deceptive) downloads, backdoor/loader-type trojans, malicious attachments or links in spam (e.g., emails, PMs/DMs, SMSes, social media posts, etc.), online scams, malvertising, suspicious download channels (e.g., freeware and third-party websites, P2P sharing networks, etc.), illegal software activation tools ("cracks"), and fake updates.
What is more, some malicious programs can self-spread through local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.).
How to avoid installation of malware?
It is essential to be careful while browsing since the Internet is full of well-disguised fake and dangerous content. We recommend treating incoming emails and other messages with caution. Do not open attachments or links present in dubious/irrelevant mail, as they can be malicious.
Another recommendation is to download only from official and trustworthy sources. Additionally, all programs must be activated and updated using genuine functions/tools, as those acquired from third-parties can contain malware.
We must emphasize the importance of having a reputable anti-virus installed and kept updated. This software must be used to run regular system scans and to remove detected threats. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.
VirusTotal detections of the Android version of DarkNimbus backdoor:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use the full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com.
Quick menu:
- What is DarkNimbus?
- STEP 1. Manual removal of DarkNimbus malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.
If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:
If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications together with the Registry and file system locations they are launched from:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window select Advanced startup.
Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".
Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding the Shift key on your keyboard. In the "Choose an option" window click "Troubleshoot", then select "Advanced options".
In the advanced options menu select "Startup Settings" and click the "Restart" button. In the following window press the F5 key on your keyboard. This will restart your operating system in Safe Mode with Networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides behind the names of legitimate Windows processes, so compare the image path against where the genuine file lives (under the Windows directory) before acting. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right-click its name and choose "Delete".
After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.
Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.
These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.
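The Autoruns steps above are the GUI route. When you need to go through many entries, or want a hash list to check against VirusTotal before deleting anything, the same data can be exported with the Sysinternals command-line tool (`autorunsc.exe -accepteula -a * -c -h -s -nobanner > autoruns.csv`) and filtered. The Python below is an added example, not code from this article or from Sysinternals: it applies the checks the procedure describes (unverified signature, image under a user-writable path, a Windows process name running from outside the Windows directory) to that CSV and scores each enabled entry. The column names and the "enabled"/"(Verified)" spellings are my recollection of autorunsc's output and should be checked against your build; the CSV rows and hashes are constructed samples.

```python
import csv
import io
from typing import Dict, List, Tuple

# Names that malware borrows to blend in with Task Manager (the procedure
# above warns about this); the genuine binaries live under the Windows directory.
WINDOWS_NAMES = {
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "rundll32.exe", "dllhost.exe", "conhost.exe",
    "taskhostw.exe", "spoolsv.exe",
}

# Locations a standard user can write to; an unusual home for a legitimate autostart.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def load_autoruns_csv(raw: bytes) -> List[Dict[str, str]]:
    """Decode an autorunsc CSV export (UTF-16 with BOM, or UTF-8) into rows keyed by header."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return list(csv.DictReader(io.StringIO(text)))


def score_entry(row: Dict[str, str]) -> Tuple[int, List[str]]:
    """Heuristic suspicion score for one autostart entry, with the reasons."""
    score, reasons = 0, []
    path = (row.get("Image Path") or "").strip().lower()
    signer = (row.get("Signer") or "").strip()
    if not path or path.startswith("file not found"):
        return 0, reasons  # dangling entry: nothing on disk to run or hash
    # ASSUMPTION: autorunsc -s prefixes verified Authenticode signers with "(Verified)"
    if not signer.startswith("(Verified)"):
        score += 3
        reasons.append(f"signature not verified: {signer or 'unsigned'}")
    if any(marker in path for marker in USER_WRITABLE):
        score += 1
        reasons.append("image lives in a user-writable location")
    name = path.rsplit("\\", 1)[-1]
    if name in WINDOWS_NAMES and not path.startswith("c:\\windows\\"):
        score += 3
        reasons.append(f"{name} running from outside the Windows directory")
    return score, reasons


def triage(rows: List[Dict[str, str]], threshold: int = 3) -> List[dict]:
    """Enabled entries scoring at or above the threshold, most suspicious first."""
    findings = []
    for row in rows:
        if (row.get("Enabled") or "").lower() != "enabled":
            continue
        score, reasons = score_entry(row)
        if score >= threshold:
            findings.append({
                "entry": row.get("Entry") or "",
                "location": row.get("Entry Location") or "",
                "image": row.get("Image Path") or "",
                "sha256": row.get("SHA-256") or "",
                "score": score,
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def hashes_for_lookup(findings: List[dict]) -> List[str]:
    """Unique SHA-256 values to check against VirusTotal before deleting anything."""
    return sorted({f["sha256"] for f in findings if f["sha256"]})


# Constructed sample in the column layout autorunsc -c -s -h produces
# (ASSUMPTION: header names match the current Sysinternals build). Hashes are placeholders.
SAMPLE_CSV = rb"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP
11/29/2024 9:01 AM,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,24.1.0.1,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe /background,,,,,1111111111111111111111111111111111111111111111111111111111111111,
11/29/2024 9:01 AM,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,Logon,alice,Host Process for Windows Services,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\roaming\svchost.exe,10.0.19041.1,c:\users\alice\appdata\roaming\svchost.exe,,,,,2222222222222222222222222222222222222222222222222222222222222222,
11/29/2024 9:01 AM,Task Scheduler,\Microsoft\Windows\UpdateOrchestrator\Schedule Scan,enabled,Tasks,System-wide,UsoClient,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\usoclient.exe,10.0.19041.1,c:\windows\system32\usoclient.exe StartScan,,,,,3333333333333333333333333333333333333333333333333333333333333333,
11/29/2024 9:01 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,System-wide,,,,c:\programdata\updater\update.exe,,c:\programdata\updater\update.exe -q,,,,,4444444444444444444444444444444444444444444444444444444444444444,
11/29/2024 9:01 AM,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,alice,,,,c:\users\alice\appdata\local\temp\oldtool.exe,,c:\users\alice\appdata\local\temp\oldtool.exe,,,,,5555555555555555555555555555555555555555555555555555555555555555,
11/29/2024 9:01 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Gone,enabled,Logon,System-wide,,,,File not found: C:\Program Files\Gone\gone.exe,,C:\Program Files\Gone\gone.exe,,,,,,
"""

if __name__ == "__main__":
    findings = triage(load_autoruns_csv(SAMPLE_CSV))
    for f in findings:
        print(f"[{f['score']}] {f['entry']} ({f['location']}) -> {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
    print("SHA-256 to look up:", *hashes_for_lookup(findings), sep="\n  ")
```

In the constructed sample, a signed OneDrive under AppData scores only 1 and is not reported, while an unverified `svchost.exe` launched from the user's Roaming profile scores highest, followed by an unsigned updater under ProgramData. Disabled entries and "File not found" leftovers are skipped. Treat the score as a prioritisation aid, not a verdict: look the hashes up, and keep the path and launch string for the deletion step described above.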
Frequently Asked Questions (FAQ)
My computer is infected with DarkNimbus malware, should I format my storage device to get rid of it?
Malware removal rarely necessitates formatting.
What are the biggest issues that DarkNimbus malware can cause?
The dangers posed by an infection depend on the malware's functionalities and the cyber criminals' goals. DarkNimbus can carry out spying activities and steal information. Generally, the presence of such software can result in multiple system infections, severe privacy issues, financial losses, and identity theft.
What is the purpose of DarkNimbus malware?
Malware is primarily used for profit. Other potential reasons include cyber criminals seeking amusement or to realize personal grudges, process disruption (e.g., websites, services, companies, etc.), hacktivism, and political/geopolitical motivations. It is pertinent to mention that DarkNimbus has been used to target users belonging to specific ethnic groups.
How did DarkNimbus malware infiltrate my computer?
DarkNimbus has been distributed through sophisticated and targeted spam DMs/PMs promoting malicious links. However, other methods are possible.
Malware is widely spread via spam mail, trojans, drive-by downloads, online scams, malvertising, dubious download sources (e.g., freeware and free file-hosting sites, P2P sharing networks, etc.), illegal software activation ("cracking") tools, and fake updates. Some malicious programs can self-proliferate through local networks and removable storage devices.
Will Combo Cleaner protect me from malware?
Combo Cleaner is capable of detecting and removing practically all known malware infections. Remember that high-end malicious programs tend to hide deep within systems – therefore, performing a complete system scan is paramount.