Researchers have discovered Nerbian RAT, a new remote access trojan with a long list of capabilities, including several built-in techniques for evading detection and analysis.
The malware is written in Go, which makes it a cross-platform 64-bit threat, and it is currently being distributed in a small-scale email campaign using macro-laced document attachments. The campaign was uncovered by Proofpoint analysts, who published a report on Nerbian RAT today.
The campaign impersonates the World Health Organization (WHO), purporting to send COVID-19 information to the targets. The RAR attachments carry a macro-laced document; when it is opened in Microsoft Office and the recipient enables content, a .bat file runs a PowerShell command that downloads a 64-bit dropper. The dropper, "UpdateUAV.exe", is also written in Go and is packed with UPX to keep the file size down.
Before deploying Nerbian RAT, UpdateUAV runs a series of anti-analysis and detection-evasion checks, reusing code from several GitHub projects. The dropper also establishes persistence with a scheduled task that launches the RAT every hour. Proofpoint lists the following anti-analysis checks:
- Look for reverse-engineering or debugging tools in the process list.
- Check for suspicious MAC addresses, such as those assigned to hypervisor network adapters.
- Check WMI strings to see whether the disk names look legitimate rather than virtual.
- Check whether the hard disk is smaller than 100 GB, which is typical of virtual machines.
- Look for memory-analysis or tamper-detection tools in the process list.
- Measure the time elapsed since execution started and compare it to a preset limit.
- Call the IsDebuggerPresent API to see whether the executable is being debugged.
Together these checks make it nearly impossible to run the RAT in a stock sandbox or virtualized environment, which helps the operators stay undetected for longer. They are well-known techniques, though, and an analyst who recognises them can patch them out or tune the VM (larger disk, non-hypervisor MAC address, renamed tools) so that the sample proceeds.
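As an added example (not the dropper's code and not taken from Proofpoint's report), the following Python models the seven checks from the defender's side: it takes a description of an analysis VM and reports which heuristics would trip, so the VM can be tuned before a sample is detonated. The process names, hypervisor MAC prefixes, disk-model markers and the five-minute timing limit are assumptions; only the 100 GB disk threshold comes from the article, and both sample environments are constructed.

```python
"""Sandbox self-check modelled on the anti-analysis heuristics listed above.

Added example for tuning an analysis VM; not the UpdateUAV dropper's code.
Indicator lists and the timing limit are assumptions. The 100 GB threshold
is the one figure reported by Proofpoint.
"""
import sys
import time
from dataclasses import dataclass

# Assumed process names a dropper might look for (the categories are the article's,
# the concrete names are not).
DEBUGGER_PROCESSES = {"x64dbg.exe", "x32dbg.exe", "windbg.exe", "ollydbg.exe", "ida64.exe"}
MEMORY_TOOL_PROCESSES = {"procdump.exe", "winpmem.exe", "dumpit.exe", "volatility.exe"}
# Assumed OUI prefixes of common hypervisor NICs (VMware, VirtualBox, Hyper-V, Parallels).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:50:56", "08:00:27", "00:15:5d", "00:1c:42")
# Assumed substrings a Win32_DiskDrive Model string carries under a hypervisor.
VM_DISK_MODEL_MARKERS = ("vmware", "virtual", "vbox", "qemu")
MIN_DISK_GB = 100            # from the article
MAX_ELAPSED_SECONDS = 300    # assumed "preset limit" for the timing check


@dataclass
class Environment:
    """What the dropper would observe; collect these on the real VM with WMI/ipconfig."""
    processes: list            # image names from the process list
    mac_addresses: list        # "00:0c:29:..." or "00-0C-29-..." forms
    disk_models: list          # WMI Win32_DiskDrive.Model strings
    disk_size_gb: int
    started_at: float          # epoch seconds when execution began
    debugger_attached: bool    # what IsDebuggerPresent() would return


def debugger_present():
    """Live IsDebuggerPresent() call; only meaningful on Windows."""
    if sys.platform != "win32":
        return False
    import ctypes
    return bool(ctypes.windll.kernel32.IsDebuggerPresent())


def failed_checks(env, now=None):
    """Return the names of the checks, in the article's order, that would flag this VM."""
    now = time.time() if now is None else now
    procs = {p.lower() for p in env.processes}
    macs = [m.lower().replace("-", ":") for m in env.mac_addresses]
    tripped = []
    if procs & DEBUGGER_PROCESSES:
        tripped.append("debugger_process")
    if any(m.startswith(VM_MAC_PREFIXES) for m in macs):
        tripped.append("vm_mac_prefix")
    if any(any(k in d.lower() for k in VM_DISK_MODEL_MARKERS) for d in env.disk_models):
        tripped.append("vm_disk_model")
    if env.disk_size_gb < MIN_DISK_GB:
        tripped.append("small_disk")
    if procs & MEMORY_TOOL_PROCESSES:
        tripped.append("memory_tool_process")
    if now - env.started_at > MAX_ELAPSED_SECONDS:
        tripped.append("runtime_limit")
    if env.debugger_attached:
        tripped.append("is_debugger_present")
    return tripped


# Constructed sample: a stock analysis VM with the tools left running.
DEFAULT_VM = Environment(
    processes=["explorer.exe", "x64dbg.exe", "ProcDump.exe"],
    mac_addresses=["00-0C-29-3A-1B-2C"],
    disk_models=["VMware Virtual disk SCSI Disk Device"],
    disk_size_gb=60,
    started_at=0.0,
    debugger_attached=True,
)

# Constructed sample: the same VM after tuning it to pass the checks.
TUNED_VM = Environment(
    processes=["explorer.exe", "svchost.exe"],
    mac_addresses=["3c:52:82:11:22:33"],
    disk_models=["ST1000DM010-2EP102"],
    disk_size_gb=250,
    started_at=0.0,
    debugger_attached=False,
)

if __name__ == "__main__":
    for label, env in (("stock analysis VM", DEFAULT_VM), ("tuned VM", TUNED_VM)):
        tripped = failed_checks(env, now=env.started_at + 10)
        print(f"{label}: {tripped or 'passes every check'}")
```

Run it and the stock VM trips all seven checks while the tuned one trips none; on a real host, populate `Environment` from WMI, `ipconfig /all` and the process list rather than the constructed values.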
The trojan is downloaded as "MoUsoCore.exe" and stored in "C:\ProgramData\USOShared\", a path and file name chosen to blend in with Windows' Update Session Orchestrator components (the legitimate MoUsoCoreWorker.exe lives in System32). It can be built with a configurable set of capabilities, so operators choose which functions each sample carries. Two notable features are a keylogger that stores captured keystrokes in encrypted form and a screen-capture module that works on all supported platforms. All communication with the C2 server is encrypted with SSL/TLS, which shields it from inspection in transit by network monitoring tools unless TLS interception is in place.
Proofpoint has clearly found an interesting and complex new malware family that puts stealth first, combining environment checks, encrypted communications and code obfuscation. For now Nerbian RAT is distributed only in low-volume email campaigns, so it is not a widespread threat, but that could change if its developers decide to offer it to the broader criminal community.