Thursday, March 28, 2024

Nerbian RAT Malware Delivered Using Word Documents That Include Malicious Macro Code

There has been the discovery of a new remote access trojan called Nerbian RAT by the researchers at Proofpoint, which has a number of advanced features. There are a number of features included in this new RAT that helps it avoid analysis by researchers and detection as well.

Go is the programming language of this malware variant in which it’s written, and it means that it’s a cross-platform 64-bit threat. Since Go programming language has a low barrier to entry and is easy to use, it’s becoming increasingly popular among threat actors.

At present, the campaign is distributed via an email campaign on a small scale that entails attaching macros to document attachments.

Campaign

Proofpoint researchers have observed an email-based malware campaign sent to multiple industries for the first time on April 26, 2022, and the entities that are disproportionately affected by the threat include:-

  • Italy
  • Spain
  • The United Kingdom

The emails purporting to provide information regarding COVID-19 were sent by an individual claiming to represent the WHO. 

While the indicators and attachments identified by Proofpoint researchers are as follows:-

From: who.inter.svc@gmail[.]com, announce@who-international[.]com

Subjects: WHO, World Health Organization

Attachment Names and Types: who_covid19.rar with who_covid19.doc inside, covid19guide.rar with covid19guide.doc inside, covid-19.doc

There is an attachment attached to the emails which have macros embedded in them. As a result of enabling macros, the document provides two specific information about COVID-19 safety:-

  • Self-isolation
  • Caring for COVID-19 patients

In order to download the malicious 64-bit dropper named “UpdateUAV.exe,” a malignant macro code must be open in Microsoft Office with the “enabled” preference set. After that, a batch file will run a PowerShell command to accomplish the process.

A scheduled task is created by the dropper that launches the RAT every hour as long as persistence is maintained by this scheduled task.

Summary of anti-analysis Tools Used

Here is a brief description of the tools that Proofpoint specifies as an anti-analysis tool:-

To determine whether or not the disk names in the WMI strings are valid, you should check the WMI strings.

Make sure that your hard drive size is lower than 100 GB since this is what is usually requested for virtual machine installations.

The process list should reveal if there are programs that assist in reverse engineering or debugging programs.

To detect whether an executable is currently under debugging, the IsDebuggerPresent API can be used.

The MAC address should be checked for any suspicious activity.

The process list should be checked for any memory detection or tampering detection programs that may exist.

You should check the number of hours since an application was executed and compare it with a threshold that you have set.

Nerbian RAT

As a part of the download, “MoUsoCore.exe” is used to save the trojan to the following location:- 

  • C:/ProgramData/USOShared/

While it can be configured with a number of functions, its operators can choose which functions to use. The main functions of this software are:- 

A keylogger tool: This tracks all keystrokes and stores them in an encrypted format.

A screen capturing tool: This is available for all operating systems.

In order to protect the confidentiality and integrity of all data exchanges, all communications with the C2 server are handled using SSL encryptors.

In spite of this, Nerbian RAT is not yet a major threat because it’s distributed via low-volume emails at the moment. Although this notion could change if its authors chose to reach out to the broader community of cybercriminals in order to expand their business.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles