Friday, May 24, 2024

Nerbian RAT Malware Delivered Using Word Documents That Include Malicious Macro Code

There has been the discovery of a new remote access trojan called Nerbian RAT by the researchers at Proofpoint, which has a number of advanced features. There are a number of features included in this new RAT that helps it avoid analysis by researchers and detection as well.

Go is the programming language of this malware variant in which it’s written, and it means that it’s a cross-platform 64-bit threat. Since Go programming language has a low barrier to entry and is easy to use, it’s becoming increasingly popular among threat actors.

At present, the campaign is distributed via an email campaign on a small scale that entails attaching macros to document attachments.


Proofpoint researchers have observed an email-based malware campaign sent to multiple industries for the first time on April 26, 2022, and the entities that are disproportionately affected by the threat include:-

  • Italy
  • Spain
  • The United Kingdom

The emails purporting to provide information regarding COVID-19 were sent by an individual claiming to represent the WHO. 

While the indicators and attachments identified by Proofpoint researchers are as follows:-

From: who.inter.svc@gmail[.]com, announce@who-international[.]com

Subjects: WHO, World Health Organization

Attachment Names and Types: who_covid19.rar with who_covid19.doc inside, covid19guide.rar with covid19guide.doc inside, covid-19.doc

There is an attachment attached to the emails which have macros embedded in them. As a result of enabling macros, the document provides two specific information about COVID-19 safety:-

  • Self-isolation
  • Caring for COVID-19 patients

In order to download the malicious 64-bit dropper named “UpdateUAV.exe,” a malignant macro code must be open in Microsoft Office with the “enabled” preference set. After that, a batch file will run a PowerShell command to accomplish the process.

A scheduled task is created by the dropper that launches the RAT every hour as long as persistence is maintained by this scheduled task.

Summary of anti-analysis Tools Used

Here is a brief description of the tools that Proofpoint specifies as an anti-analysis tool:-

To determine whether or not the disk names in the WMI strings are valid, you should check the WMI strings.

Make sure that your hard drive size is lower than 100 GB since this is what is usually requested for virtual machine installations.

The process list should reveal if there are programs that assist in reverse engineering or debugging programs.

To detect whether an executable is currently under debugging, the IsDebuggerPresent API can be used.

The MAC address should be checked for any suspicious activity.

The process list should be checked for any memory detection or tampering detection programs that may exist.

You should check the number of hours since an application was executed and compare it with a threshold that you have set.

Nerbian RAT

As a part of the download, “MoUsoCore.exe” is used to save the trojan to the following location:- 

  • C:/ProgramData/USOShared/

While it can be configured with a number of functions, its operators can choose which functions to use. The main functions of this software are:- 

A keylogger tool: This tracks all keystrokes and stores them in an encrypted format.

A screen capturing tool: This is available for all operating systems.

In order to protect the confidentiality and integrity of all data exchanges, all communications with the C2 server are handled using SSL encryptors.

In spite of this, Nerbian RAT is not yet a major threat because it’s distributed via low-volume emails at the moment. Although this notion could change if its authors chose to reach out to the broader community of cybercriminals in order to expand their business.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles