Proofpoint researchers report the detection of a new remote access Trojan (RAT) variant that uses multiple techniques and components to hinder analysis and reverse engineering. Identified as Nerbian RAT, this new malware is written in Go and is capable of leveraging various encryption routines to evade detection altogether.
COVID-19 is still an alluring issue
Nerbian RAT was detected in late April as part of a campaign based on the sending of malicious emails in which threat actors posed as representatives of the World Health Organization (WHO). The hackers behind this campaign sent fewer than 100 emails, mainly to private companies in Italy, the UK and Spain.
As shown in the screenshot below, the message comes from the email address who.inter.svc@gmail.com and includes attachments identified as who_covid19.rar (containing who_covid19.doc), covid19guide.rar (containing covid19guide.doc) and covid-19.doc.
The attachments are described as Word documents loaded with macros. When macros are enabled, the document displays COVID-19 related information. This lure is similar to the one employed by hacking groups in early 2020, the most critical moment of the pandemic.
When the target user downloads these documents, the infection is initiated on the affected system, which could lead to its total compromise.
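The campaign traits described above (a gmail.com sender posing as WHO, RAR attachments wrapping macro-laden .doc files, and the named sender and file indicators) can be turned into an inbound-mail triage check. The following Python is an added example written for this page, not Proofpoint's or IICS's tooling: the sender address and attachment names come from the article, while the free-mail domain list, the magic-byte table and the constructed sample messages are assumptions made for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted in the article: the sender address and the attachment names.
SENDER_IOC = "who.inter.svc@gmail.com"
ATTACHMENT_NAME_IOCS = {"who_covid19.rar", "covid19guide.rar", "covid-19.doc"}

# Heuristic settings below are assumptions for this example, not indicators from the article.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
ORG_PATTERN = re.compile(r"(?i:world health organi[sz]ation)|\bWHO\b")
ARCHIVE_EXT = (".rar", ".zip", ".7z")
OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm")
MAGIC = {
    b"Rar!\x1a\x07": "rar",                      # RAR 4 and RAR 5 share this prefix
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls compound file
}


def sniff(data: bytes) -> str:
    """Identify the container type from its magic bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return the findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if addr == SENDER_IOC:
        findings.append("sender matches published IoC")
    # A large organisation writing from a free webmail account is the
    # impersonation pattern the campaign relied on.
    if domain in FREE_MAIL_DOMAINS and ORG_PATTERN.search(display):
        findings.append(f"organisation impersonation: '{display}' sent from {domain}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        if name in ATTACHMENT_NAME_IOCS:
            findings.append(f"attachment name matches published IoC: {name}")
        if name.endswith(ARCHIVE_EXT):
            findings.append(f"archive attachment {name} (content sniffed as {kind})")
        if name.endswith(OFFICE_EXT):
            findings.append(f"legacy Office attachment {name} (content sniffed as {kind})")
        if name.endswith(".rar") and kind != "rar":
            findings.append(f"extension/content mismatch for {name}: {kind}")

    if any("IoC" in f for f in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"from": addr, "findings": findings, "verdict": verdict}


def build_message(sender: str, filename: str, payload, subtype: str) -> bytes:
    """Build a constructed test message with one attachment (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "COVID-19 guidance"
    msg.set_content("Please review the attached guidance.")
    if isinstance(payload, bytes):
        msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    else:
        msg.add_attachment(payload, subtype=subtype, filename=filename)
    return bytes(msg)


def lure_sample() -> bytes:
    # Constructed: a RAR 4 signature plus filler, standing in for who_covid19.rar from the article.
    return build_message("World Health Organization <who.inter.svc@gmail.com>",
                         "who_covid19.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 32, "vnd.rar")


def benign_sample() -> bytes:
    # Constructed: an ordinary internal message with a plain-text attachment.
    return build_message("Alice Example <alice@example.com>", "notes.txt",
                         "Meeting notes for Tuesday.", "plain")


if __name__ == "__main__":
    for sample in (lure_sample(), benign_sample()):
        print(triage(sample))
```

The verdict logic deliberately separates exact indicator hits (block) from heuristic signals (review): the published sender address and file names will change between campaigns, whereas the organisation-from-webmail pattern and archive-wrapped Office documents are the durable traits worth routing to an analyst.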
Where did NerbianRAT come from?
At first the researchers had little idea what Nerbia referred to, but it took little time to discover that this was a literary reference. Nerbia is a fictional place described in the novel Don Quixote, with a war shield topped with asparagus and a banner bearing the phrase “Try your luck”.
Many of the strings that refer to Nerbia were located in the complementary dropper (UpdateUAV.exe). There are no references to Nerbia in the RAT payload itself (MoUsoCore.exe).
The researchers note that the dropper and the RAT were developed by the same threat actors. While the dropper could be modified to deliver other malicious payloads, this component is statically configured to download and establish persistence for specific payloads, and it worked that way at least until the time of Proofpoint’s research.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.