Wednesday, January 15, 2025

Nerbian RAT Malware Delivered Using Word Documents That Include Malicious Macro Code


Researchers at Proofpoint have discovered a new remote access trojan, Nerbian RAT, that carries a number of advanced features. Several of those features are designed to help it evade analysis by researchers and detection by security tools.

The malware is written in Go, which makes it a cross-platform 64-bit threat. Because Go has a low barrier to entry and is easy to work with, it is becoming increasingly popular among threat actors.

At present the malware is distributed through a small-scale email campaign that relies on macro-laden document attachments.

Campaign

Proofpoint researchers first observed the email campaign, which was sent to multiple industries, on April 26, 2022. The entities disproportionately affected by the threat are located in:-

  • Italy
  • Spain
  • The United Kingdom

The emails purport to provide information about COVID-19 and are sent by someone claiming to represent the World Health Organization (WHO).

The indicators and attachments identified by Proofpoint researchers are as follows:-

From: who.inter.svc@gmail[.]com, announce@who-international[.]com

Subjects: WHO, World Health Organization

Attachment Names and Types: who_covid19.rar with who_covid19.doc inside, covid19guide.rar with covid19guide.doc inside, covid-19.doc

The documents attached to the emails contain embedded macros. Once macros are enabled, the document displays two pieces of COVID-19 safety guidance:-

  • Self-isolation
  • Caring for COVID-19 patients

When the document is opened in Microsoft Office with macros enabled, the malicious macro code downloads a 64-bit dropper named “UpdateUAV.exe.” A batch file then runs a PowerShell command to complete the process.

The dropper creates a scheduled task that launches the RAT every hour; this scheduled task is how persistence is maintained.

Summary of Anti-Analysis Tools Used

Here is a brief description of the checks that Proofpoint identifies as the malware's anti-analysis tools:-

  • Checks the disk names reported in WMI strings to determine whether they look valid.
  • Checks whether the hard drive is smaller than 100 GB, a size typically requested for virtual machine installations.
  • Checks the process list for programs that assist in reverse engineering or debugging.
  • Calls the IsDebuggerPresent API to detect whether the executable is currently being debugged.
  • Checks the MAC address for suspicious values.
  • Checks the process list for memory-detection or tampering-detection programs.
  • Checks the number of hours elapsed since the application was executed and compares it against a preset threshold.
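The checks listed above are the same ones an analyst has to keep in mind when building a sandbox that the malware will not recognise. The following script, added here as an example and not code from the article or from Proofpoint, lints a constructed sandbox profile against those checks and reports which ones it would trip. The hypervisor MAC prefixes, the virtual-disk name hints, the analysis-tool process names and the one-hour uptime threshold are assumptions chosen for illustration; the article gives the 100 GB disk figure but none of the other values.

```python
"""Lint an analysis-VM profile against the anti-analysis checks attributed to Nerbian RAT.

Added example, not code from the article or from Proofpoint. The profile is a
constructed dictionary describing a sandbox; nothing here queries the real host.
Vendor MAC prefixes, disk-name hints, tool process names and the uptime threshold
are assumptions for illustration, not values recovered from the malware.
"""
from dataclasses import dataclass

# Assumed: IEEE OUI prefixes registered to common hypervisor vendors.
VM_MAC_PREFIXES = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
}
# Assumed: substrings that commonly appear in virtual disk model names exposed via WMI.
VM_DISK_NAME_HINTS = ("vbox", "vmware", "virtual", "qemu")
# Assumed: process names of reverse-engineering, debugging and memory-analysis tools.
ANALYSIS_PROCESSES = {
    "x64dbg.exe", "ida64.exe", "ollydbg.exe", "windbg.exe",
    "procmon.exe", "wireshark.exe", "pe-sieve64.exe",
}
DISK_THRESHOLD_GB = 100          # figure given in the article
UPTIME_THRESHOLD_HOURS = 1       # assumed; the article only says a preset threshold is used


@dataclass
class SandboxProfile:
    disk_size_gb: int
    mac: str
    wmi_disk_names: list
    processes: list
    debugger_attached: bool
    hours_since_start: float


def lint_profile(p: SandboxProfile) -> list:
    """Return a description of every check from the article that this profile would trip."""
    findings = []
    if p.disk_size_gb < DISK_THRESHOLD_GB:
        findings.append(f"disk smaller than {DISK_THRESHOLD_GB} GB")
    for name in p.wmi_disk_names:
        if any(hint in name.lower() for hint in VM_DISK_NAME_HINTS):
            findings.append(f"WMI disk name reveals a hypervisor: {name}")
            break
    prefix = p.mac.lower().replace("-", ":")[:8]
    if prefix in VM_MAC_PREFIXES:
        findings.append(f"MAC prefix registered to {VM_MAC_PREFIXES[prefix]}")
    tools = sorted({x.lower() for x in p.processes} & ANALYSIS_PROCESSES)
    if tools:
        findings.append("analysis tools visible in process list: " + ", ".join(tools))
    if p.debugger_attached:
        findings.append("IsDebuggerPresent would return true")
    if p.hours_since_start < UPTIME_THRESHOLD_HOURS:
        findings.append("too little time elapsed since the sample was started")
    return findings


# Constructed profiles: a default VM install and a hardened one.
DEFAULT_VM = SandboxProfile(60, "00:0C:29:AB:CD:EF", ["VBOX HARDDISK"],
                            ["explorer.exe", "x64dbg.exe"], True, 0.2)
HARDENED_VM = SandboxProfile(250, "3C:52:82:11:22:33", ["Samsung SSD 870 EVO"],
                             ["explorer.exe"], False, 48.0)

if __name__ == "__main__":
    for label, profile in (("default", DEFAULT_VM), ("hardened", HARDENED_VM)):
        print(label, lint_profile(profile) or "passes every check")
```

A profile with no findings does not prove the sample will run; it only means none of the heuristics the article names would fire, which is the minimum an analyst should verify before attributing a silent sample to a broken download rather than to evasion.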

Nerbian RAT

As part of the download, the trojan itself, “MoUsoCore.exe,” is saved to the following location:-

  • C:/ProgramData/USOShared/
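The infection chain the article describes (a Word macro that runs a batch file and PowerShell, a dropper named UpdateUAV.exe, an hourly scheduled task, and a payload written to C:\ProgramData\USOShared\) leaves a small set of host-telemetry artefacts. The script below, an added example rather than code from the article or from Proofpoint, runs three detection rules over constructed Sysmon-style records. The field names are an assumed shape, not an official schema; the executable names and the USOShared path come from the article, and the benign records are invented to show that the legitimate Windows Update worker in System32 is not flagged.

```python
"""Flag the Nerbian RAT infection chain in constructed host telemetry.

Added example, not code from the article or from Proofpoint. Event records use an
assumed Sysmon-like shape: process creation carries image and parent image,
scheduled-task creation carries the action path and a repeat interval in minutes.
"""

# Names and path the article attributes to the campaign.
SUSPECT_IMAGES = {"updateuav.exe", "mousocore.exe"}
SUSPECT_TASK_DIR = "c:\\programdata\\usoshared\\"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WINDOWS_DIR = "c:\\windows\\"
MAX_INTERVAL_MINUTES = 60   # the article says the task fires every hour


def normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def analyze(events: list) -> list:
    """Return (rule, event_id) pairs for every record that matches a rule."""
    hits = []
    for e in events:
        if e["type"] == "process_create":
            image, parent = basename(e["image"]), basename(e["parent_image"])
            # Rule 1: an Office application spawning a shell or PowerShell (macro -> batch -> PowerShell).
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                hits.append(("office-spawns-script-host", e["id"]))
            # Rule 2: the dropper/RAT names from the article, or anything run from USOShared.
            if image in SUSPECT_IMAGES or normalize(e["image"]).startswith(SUSPECT_TASK_DIR):
                hits.append(("known-nerbian-binary", e["id"]))
        elif e["type"] == "task_create":
            action = normalize(e["action"])
            interval = e.get("repeat_minutes")
            hourly = interval is not None and interval <= MAX_INTERVAL_MINUTES
            # Rule 3: a task pointing into USOShared, or an hourly task whose action lives outside C:\Windows.
            if action.startswith(SUSPECT_TASK_DIR) or (hourly and not action.startswith(WINDOWS_DIR)):
                hits.append(("hourly-task-outside-windows", e["id"]))
    return hits


# Constructed telemetry: three malicious records and two benign ones.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "type": "process_create",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\UpdateUAV.exe"},
    {"id": 3, "type": "task_create", "name": r"\UpdateUAV",
     "action": r"C:\ProgramData\USOShared\MoUsoCore.exe", "repeat_minutes": 60},
    {"id": 4, "type": "task_create", "name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "action": r"C:\Windows\System32\MoUsoCoreWorker.exe", "repeat_minutes": None},
    {"id": 5, "type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, event_id in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Rule 3 is deliberately broader than the article's indicator: an hourly task whose action sits outside C:\Windows is uncommon on a workstation and catches a renamed payload, while the path match alone would miss it. Tune the interval and path allow-list to the environment before deploying.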

The RAT can be configured with a number of functions, and its operators choose which of them to use. Its main functions are:-

  • A keylogger that records all keystrokes and stores them in an encrypted form.
  • A screen-capture tool that works on all operating systems.

All communications with the C2 server are protected with SSL encryption, which preserves the confidentiality and integrity of the data exchanged.

For now, Nerbian RAT is not a major threat, because it is distributed in low-volume email campaigns. That could change if its authors decide to offer it to the broader cybercriminal community in order to expand their business.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
