New stealthy Nerbian RAT malware spotted in ongoing attacks


A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers.

The new malware variant is written in Go, making it a cross-platform 64-bit threat, and it’s currently distributed via a small-scale email distribution campaign that uses document attachments laced with macros.

The email campaigns were discovered by researchers at Proofpoint, who released a report today on the new Nerbian RAT malware.

Impersonating the WHO

The malware campaign distributing Nerbian RAT impersonates the World Health Organization (WHO), which is allegedly sending COVID-19 information to the targets.

Phishing email seen in the latest campaign
Phishing email seen in the latest campaign (Proofpoint)

The RAR attachments contain Word documents laced with malicious macro code, so if opened on Microsoft Office with content set to “enabled,” a bat file performs a PowerShell execution step to download a 64-bit dropper.

The dropper, named “UpdateUAV.exe,” is also written in Golang and is packed in UPX to keep the size manageable.

UpdateUAV reuses code from various GitHub projects to incorporate a rich set of anti-analysis and detection-evasion mechanisms before Nerbian RAT is deployed.

Apart from that, the dropper also establishes persistence by creating a scheduled task that launches that RAT every hour.

Proofpoint summarizes the list of anti-analysis tools as follows:

  • Check for the existence of reverse engineering or debugging programs in the process list
  • Check for suspicious MAC addresses
  • Check the WMI strings to see if disk names are legitimate
  • Check if the hard disk size is below 100GB, which is typical for virtual machines
  • Check if there are any memory analysis or tampering detection programs present in the process list
  • Check the amount of time elapsed since execution and compare it with a set threshold
  • Use the IsDebuggerPresent API to determine if the executable is being debugged

All these checks make it practically impossible to get the RAT running in a sandboxed, virtualized environment, ensuring long-term stealthiness for the malware operators.

Nerbian RAT features

The trojan is downloaded as “MoUsoCore.exe” and is saved to…