Nerbian RAT: New malware with advanced anti-analysis and anti-reversing capabilities uses information about WHO and COVID-19 for its spreading

Proofpoint researchers report the detection of a new remote access Trojan (RAT) characterized by the use of multiple techniques and components to hinder analysis and reverse engineering. Identified as Nerbian RAT, this new malware is written in Go and uses various encryption routines to evade detection.

COVID-19 is still an alluring issue

Nerbian RAT was detected in late April as part of a campaign based on the sending of malicious emails in which threat actors posed as representatives of the World Health Organization (WHO). The hackers behind this campaign sent fewer than 100 emails, mainly to private companies in Italy, the UK and Spain.

As shown in the screenshot below, the message comes from the email address and includes attachments named who_covid19.rar (containing who_covid19.doc), covid19guide.rar (containing covid19guide.doc) and covid-19.doc.

Attachments are described as Word documents loaded with macros. When macros are enabled, the document reveals information related to COVID-19. This is a lure similar to that employed by hacking groups in early 2020, the most critical moment of the pandemic.

When the target user downloads these documents, the infection is initiated on the affected system, which could lead to its total compromise.

Where did Nerbian RAT come from?

At first the researchers had little idea what Nerbia referred to, but it took little time to discover that this was a literary reference. Nerbia is a fictional place described in the novel Don Quixote, whose war shield bears an asparagus at the top and a banner with the phrase “Try your luck”.

Many of the strings that refer to Nerbia were located in the complementary dropper (UpdateUAV.exe). There are no references to Nerbia in the RAT payload itself (MoUsoCore.exe).

The researchers state that the dropper and the RAT were developed by the same threat actors. While the dropper could be modified to deliver other malicious payloads, it is statically configured to download specific payloads and set up persistence for them, and it worked that way at least until the time of Proofpoint’s research.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.