A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers.
The new malware variant is written in Go, making it a cross-platform 64-bit threat, and it’s currently distributed via a small-scale email distribution campaign that uses document attachments laced with macros.
The email campaigns were discovered by researchers at Proofpoint, who released a report today on the new Nerbian RAT malware.
Impersonating the WHO
The malware campaign distributing Nerbian RAT impersonates the World Health Organization (WHO), which is allegedly sending COVID-19 information to the targets.
The RAR attachments contain Word documents laced with malicious macro code, so if opened on Microsoft Office with content set to “enabled,” a bat file performs a PowerShell execution step to download a 64-bit dropper.
The dropper, named “UpdateUAV.exe,” is also written in Golang and is packed in UPX to keep the size manageable.
UpdateUAV reuses code from various GitHub projects to incorporate a rich set of anti-analysis and detection-evasion mechanisms before Nerbian RAT is deployed.
Apart from that, the dropper also establishes persistence by creating a scheduled task that launches that RAT every hour.
Proofpoint summarizes the list of anti-analysis tools as follows:
- Check for the existence of reverse engineering or debugging programs in the process list
- Check for suspicious MAC addresses
- Check the WMI strings to see if disk names are legitimate
- Check if the hard disk size is below 100GB, which is typical for virtual machines
- Check if there are any memory analysis or tampering detection programs present in the process list
- Check the amount of time elapsed since execution and compare it with a set threshold
- Use the IsDebuggerPresent API to determine if the executable is being debugged
All these checks make it practically impossible to get the RAT running in a sandboxed, virtualized environment, ensuring long-term stealthiness for the malware operators.
Nerbian RAT features
The trojan is downloaded as “MoUsoCore.exe” and is saved to “C:\ProgramData\USOShared\”. It supports several functions, while its operators have the option to configure it with some of them.
Two of its notable functions are a keylogger that stores keystrokes in encrypted form and a screen capturing tool that works on all OS platforms.
Communications with the C2 server are handled over SSL (Secure Sockets Layer), so all data exchanges are encrypted and protected from in-transit inspection from network scanning tools.
To keep an eye on
Without a doubt, Proofpoint has spotted an interesting, complex new malware that focuses on stealthiness through numerous checks, encrypted communications, and code obfuscation.
For now, though, Nerbian RAT is distributed via low-volume email campaigns, so it’s not a massive threat yet, but this could change if its authors decide to open up their business to the broader cybercrime community.