New Nerbian RAT Malware Has Been Discovered in Continuous Attacks

Researchers have discovered Nerbian RAT, a sophisticated remote access trojan with a long list of capabilities, including the ability to evade detection and analysis.

The new malware strain is written in Go, which makes it a cross-platform 64-bit threat, and it is currently being spread through a small-scale email campaign that uses macro-laced document attachments. The email campaigns were uncovered by Proofpoint analysts, who published their analysis of the new Nerbian RAT malware today.

The Nerbian RAT campaign impersonates the World Health Organization (WHO), with emails that purport to deliver COVID-19 information to the targets. When the RAR attachments are opened in Microsoft Office with content enabled (macros allowed to run), a .bat file executes a PowerShell command that downloads a 64-bit dropper. The “UpdateUAV.exe” dropper is also written in Golang and is packed with UPX to keep the file size down.

Before Nerbian RAT is deployed, UpdateUAV runs a series of anti-analysis and detection-evasion checks built from code repurposed from multiple GitHub projects. The dropper also establishes persistence by creating a scheduled task that launches the RAT every hour. The anti-analysis checks reported by Proofpoint are:

  • In the process list, check for any reverse engineering or debugging programs. 
  • Check for MAC addresses that are suspicious. 
  • Check the WMI strings to determine if the disk names are correct. 
  • Check whether the hard disk is smaller than 100GB, which is typical of virtual machines. 
  • In the process list, check whether there are any memory analysis or tampering detection programs. 
  • Evaluate the amount of time that has passed since the execution and compare it to a preset limit. 
  • To see if the executable is being debugged, use the IsDebuggerPresent API. 

Together, these checks make it nearly impossible to run the RAT in a sandboxed or virtualized environment, which helps the malware operators stay undetected over the long term.

The trojan is downloaded as “MoUsoCore.exe” and stored in “C:\ProgramData\USOShared\”. It can be configured with various functionalities, and its operators choose which ones to enable. Two of its significant features are a keylogger that stores recorded keystrokes in encrypted form and a screen-capture tool that works on all OS platforms. All data exchanged with the C2 server is encrypted with SSL (Secure Sockets Layer), shielding it from in-transit inspection by network scanning tools.
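As an added defender-side example (not code from the article or from Proofpoint), the following Python script hunts constructed process-creation and scheduled-task records for the chain the article describes: an Office process spawning cmd/PowerShell, the UpdateUAV.exe and MoUsoCore.exe file names, the C:\ProgramData\USOShared\ drop directory, and an hourly task. The event format, the helper names and the sample records are assumptions made for this example.

```python
"""Hunt for the Nerbian RAT delivery chain in endpoint telemetry. File names, the drop
directory and the hourly task come from the article; everything else is constructed."""
from pathlib import PureWindowsPath

SUSPECT_IMAGES = {"updateuav.exe", "mousocore.exe"}   # dropper and RAT file names
DROP_DIR = "c:\\programdata\\usoshared\\"              # RAT drop directory, lower-cased
OFFICE_APPS = {"winword.exe", "excel.exe"}             # macro-capable Office hosts
INTERPRETERS = {"cmd.exe", "powershell.exe"}           # .bat and PowerShell stages

def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def process_event_reasons(parent_image, image):
    """Reasons a (parent, child) process-creation event matches the chain on this page."""
    reasons = []
    if _name(parent_image) in OFFICE_APPS and _name(image) in INTERPRETERS:
        reasons.append("Office process spawned a command interpreter (macro -> bat -> PowerShell)")
    if _name(image) in SUSPECT_IMAGES:
        reasons.append("known Nerbian file name " + _name(image))
    if image.lower().startswith(DROP_DIR):
        reasons.append("image executed from C:\\ProgramData\\USOShared\\")
    return reasons

def task_reasons(command, repeat_minutes):
    """Reasons a scheduled task matches the hourly persistence described above."""
    reasons = []
    if command.lower().startswith(DROP_DIR) or _name(command) in SUSPECT_IMAGES:
        reasons.append("task launches a binary from the Nerbian drop directory")
        if repeat_minutes == 60:
            reasons.append("hourly repetition matches the persistence cadence in the article")
    return reasons

def hunt(process_events, tasks):
    """One finding string per matched record; empty list on clean telemetry."""
    findings = []
    for parent, image in process_events:
        findings += ["process %s: %s" % (_name(image), r) for r in process_event_reasons(parent, image)]
    for name, command, minutes in tasks:
        findings += ["task %s: %s" % (name, r) for r in task_reasons(command, minutes)]
    return findings

SAMPLE_PROCESS_EVENTS = [  # constructed (parent_image, image) pairs
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\alice\AppData\Local\Temp\UpdateUAV.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]
SAMPLE_TASKS = [  # constructed (task_name, command, repeat_minutes); task names are made up
    (r"\Updater", r"C:\ProgramData\USOShared\MoUsoCore.exe", 60),
    (r"\Backup\Nightly", r"C:\Program Files\Backup\backup.exe", 1440),
]
```

Running `hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_TASKS)` yields four findings: the Office-to-cmd spawn, the UpdateUAV.exe image, and two for the hourly task in the drop directory; the Firefox launch and the nightly backup task produce none.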

Without a doubt, Proofpoint has uncovered a fascinating and complex new malware family that prioritizes stealth through multiple anti-analysis checks, encrypted communications, and code obfuscation. Nerbian RAT is currently distributed only through low-volume email campaigns, so it is not yet a major concern, but that could change if its creators decide to open up their operation to the broader criminal community.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.