Nerbian RAT Malware Delivered Using Word Documents That Include Malicious Macro Code

There has been the discovery of a new remote access trojan called Nerbian RAT by the researchers at Proofpoint, which has a number of advanced features. There are a number of features included in this new RAT that helps it avoid analysis by researchers and detection as well.

Go is the programming language of this malware variant in which it’s written, and it means that it’s a cross-platform 64-bit threat. Since Go programming language has a low barrier to entry and is easy to use, it’s becoming increasingly popular among threat actors.

At present, the campaign is distributed via an email campaign on a small scale that entails attaching macros to document attachments.

Campaign

Proofpoint researchers have observed an email-based malware campaign sent to multiple industries for the first time on April 26, 2022, and the entities that are disproportionately affected by the threat include:-

• Italy
• Spain
• The United Kingdom

The emails purporting to provide information regarding COVID-19 were sent by an individual claiming to represent the WHO. 

While the indicators and attachments identified by Proofpoint researchers are as follows:-

From: who.inter.svc@gmail[.]com, announce@who-international[.]com

Subjects: WHO, World Health Organization

Attachment Names and Types: who_covid19.rar with who_covid19.doc inside, covid19guide.rar with covid19guide.doc inside, covid-19.doc

There is an attachment attached to the emails which have macros embedded in them. As a result of enabling macros, the document provides two specific information about COVID-19 safety:-

• Self-isolation
• Caring for COVID-19 patients

In order to download the malicious 64-bit dropper named “UpdateUAV.exe,” a malignant macro code must be open in Microsoft Office with the “enabled” preference set. After that, a batch file will run a PowerShell command to accomplish the process.

A scheduled task is created by the dropper that launches the RAT every hour as long as persistence is maintained by this scheduled task.

Summary of anti-analysis Tools Used

Here is a brief description of the tools that Proofpoint specifies as an anti-analysis tool:-

To determine whether or not the disk names in the WMI strings are valid, you should check the WMI strings.

Make sure that your hard drive size is lower than 100 GB since this is what is usually requested for virtual machine installations.

The process list should reveal if there are programs that assist in reverse engineering or debugging programs.

To detect whether an executable is currently under debugging, the IsDebuggerPresent API can be used.

The MAC address should be checked for any suspicious activity.

The process list should be checked for any memory detection or tampering detection programs that may exist.

You should check the number of hours since an application was executed and compare it with a threshold that you have set.

Nerbian RAT

As a part of the download, “MoUsoCore.exe” is used to save the trojan to the following location:- 

• C:/ProgramData/USOShared/

While it can be configured with a number of functions, its operators can choose which functions to use. The main functions of this software are:- 

A keylogger tool: This tracks all keystrokes and stores them in an encrypted format.

A screen capturing tool: This is available for all operating systems.

In order to protect the confidentiality and integrity of all data exchanges, all communications with the C2 server are handled using SSL encryptors.

In spite of this, Nerbian RAT is not yet a major threat because it’s distributed via low-volume emails at the moment. Although this notion could change if its authors chose to reach out to the broader community of cybercriminals in order to expand their business.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.