New stealthy Nerbian RAT malware spotted in ongoing attacks

A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers.

The new malware variant is written in Go, making it a cross-platform 64-bit threat, and it’s currently distributed via a small-scale email distribution campaign that uses document attachments laced with macros.

The email campaigns were discovered by researchers at Proofpoint, who released a report today on the new Nerbian RAT malware.

Impersonating the WHO

The malware campaign distributing Nerbian RAT impersonates the World Health Organization (WHO), which is allegedly sending COVID-19 information to the targets.

Phishing email seen in the latest campaign
Phishing email seen in the latest campaign (Proofpoint)

The RAR attachments contain Word documents laced with malicious macro code, so if opened on Microsoft Office with content set to “enabled,” a bat file performs a PowerShell execution step to download a 64-bit dropper.

The dropper, named “UpdateUAV.exe,” is also written in Golang and is packed in UPX to keep the size manageable.

UpdateUAV reuses code from various GitHub projects to incorporate a rich set of anti-analysis and detection-evasion mechanisms before Nerbian RAT is deployed.

Apart from that, the dropper also establishes persistence by creating a scheduled task that launches that RAT every hour.

Proofpoint summarizes the list of anti-analysis tools as follows:

All these checks make it practically impossible to get the RAT running in a sandboxed, virtualized environment, ensuring long-term stealthiness for the malware operators.

Nerbian RAT features

The trojan is downloaded as “MoUsoCore.exe” and is saved to “C:\ProgramData\USOShared\”. It supports several functions, while its operators have the option to configure it with some of them.

Two of its notable functions are a keylogger that stores keystrokes in encrypted form and a screen capturing tool that works on all OS platforms.

Communications with the C2 server are handled over SSL (Secure Sockets Layer), so all data exchanges are encrypted and protected from in-transit inspection from network scanning tools.

The complete infection process (Proofpoint)

To keep an eye on

Without a doubt, Proofpoint has spotted an interesting, complex new malware that focuses on stealthiness through numerous checks, encrypted communications, and code obfuscation.

For now, though, Nerbian RAT is distributed via low-volume email campaigns, so it’s not a massive threat yet, but this could change if its authors decide to open up their business to the broader cybercrime community.

Exit mobile version