Saturday, December 2, 2023

Nerbian RAT Malware Delivered Using Word Documents That Include Malicious Macro Code

There has been the discovery of a new remote access trojan called Nerbian RAT by the researchers at Proofpoint, which has a number of advanced features. There are a number of features included in this new RAT that helps it avoid analysis by researchers and detection as well.

Go is the programming language of this malware variant in which it’s written, and it means that it’s a cross-platform 64-bit threat. Since Go programming language has a low barrier to entry and is easy to use, it’s becoming increasingly popular among threat actors.

At present, the campaign is distributed via an email campaign on a small scale that entails attaching macros to document attachments.


Proofpoint researchers have observed an email-based malware campaign sent to multiple industries for the first time on April 26, 2022, and the entities that are disproportionately affected by the threat include:-

  • Italy
  • Spain
  • The United Kingdom

The emails purporting to provide information regarding COVID-19 were sent by an individual claiming to represent the WHO. 

While the indicators and attachments identified by Proofpoint researchers are as follows:-

From: who.inter.svc@gmail[.]com, announce@who-international[.]com

Subjects: WHO, World Health Organization

Attachment Names and Types: who_covid19.rar with who_covid19.doc inside, covid19guide.rar with covid19guide.doc inside, covid-19.doc

There is an attachment attached to the emails which have macros embedded in them. As a result of enabling macros, the document provides two specific information about COVID-19 safety:-

  • Self-isolation
  • Caring for COVID-19 patients

In order to download the malicious 64-bit dropper named “UpdateUAV.exe,” a malignant macro code must be open in Microsoft Office with the “enabled” preference set. After that, a batch file will run a PowerShell command to accomplish the process.

A scheduled task is created by the dropper that launches the RAT every hour as long as persistence is maintained by this scheduled task.

Summary of anti-analysis Tools Used

Here is a brief description of the tools that Proofpoint specifies as an anti-analysis tool:-

To determine whether or not the disk names in the WMI strings are valid, you should check the WMI strings.

Make sure that your hard drive size is lower than 100 GB since this is what is usually requested for virtual machine installations.

The process list should reveal if there are programs that assist in reverse engineering or debugging programs.

To detect whether an executable is currently under debugging, the IsDebuggerPresent API can be used.

The MAC address should be checked for any suspicious activity.

The process list should be checked for any memory detection or tampering detection programs that may exist.

You should check the number of hours since an application was executed and compare it with a threshold that you have set.

Nerbian RAT

As a part of the download, “MoUsoCore.exe” is used to save the trojan to the following location:- 

  • C:/ProgramData/USOShared/

While it can be configured with a number of functions, its operators can choose which functions to use. The main functions of this software are:- 

A keylogger tool: This tracks all keystrokes and stores them in an encrypted format.

A screen capturing tool: This is available for all operating systems.

In order to protect the confidentiality and integrity of all data exchanges, all communications with the C2 server are handled using SSL encryptors.

In spite of this, Nerbian RAT is not yet a major threat because it’s distributed via low-volume emails at the moment. Although this notion could change if its authors chose to reach out to the broader community of cybercriminals in order to expand their business.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles