
It's Summertime: What’s the E-crime Vibe?
DISCARDED: Tales From the Threat Research Trenches
Jim Loader: A Novel Malware Loader That Could Be Related to the Conti Group
Research done recently identified a new loader that we internally call Jim Loader here at Proofpoint; there was some third-party reporting on it calling it Domino Loader and other variant names. I did a bunch of work to reverse engineer this thing because I'm interested in all malware related to Conti, and it was interesting: it definitely had some overlaps with Emotet, which was kind of neat. The way that Jim Loader does its communications is it communicates over a TCP socket and has a 32-byte AES key, and then protects that key, so encrypts it with an embedded RSA key.