WHO impersonated in phishing campaign to spread the Nerbian RAT


Experts have recently found Nerbian RAT, a new remote access trojan with advanced capabilities such as evading security detection and analysis by security researchers. Written in the Go programming language, the new trojan is a cross-platform 64-bit threat spread through a small-scale phishing campaign using macro-laced documents.

According to a recent report, the malware was delivered in emails impersonating the World Health Organization (WHO) and presenting COVID-19 information to the targeted victims. The malicious emails sent by the threat actors contained RAR attachments holding MS Word files injected with malicious macro code.

Once the MS Word file is opened with content enabled, a Windows BAT file performs a PowerShell execution step to download a Go-written 64-bit dropper named ‘UpdateUAV.exe’. The UPX-packed dropper reuses code from different GitHub projects to build a stealthy set of features that lets the malware evade analysis and detection by security experts before the actual malware is launched.


Downloaded as ‘MoUsoCore.exe’, the Nerbian RAT supports various functions, and its threat operators can configure it to use some of them.
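The chain described above (Word, then a BAT file, then PowerShell, then the two named executables) can be hunted for in process-creation telemetry. The following is an added example, not code from the report or from any vendor; the event field names, paths and sample records are constructed assumptions, and only the two executable names come from this article.

```python
# Image names taken from the article; every other value below is constructed.
REPORTED_NAMES = {"updateuav.exe", "mousocore.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records (field names are assumptions, loosely
# modelled on what EDR or Sysmon-style telemetry provides).
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Office\WINWORD.EXE", "cmdline": r"WINWORD.EXE C:\Users\u\notice.doc"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\u\stage.bat"},
    {"pid": 700, "ppid": 600, "image": PS, "cmdline": "powershell.exe -File stage.ps1"},
    {"pid": 800, "ppid": 700, "image": r"C:\Users\u\UpdateUAV.exe", "cmdline": "UpdateUAV.exe"},
    {"pid": 900, "ppid": 800, "image": r"C:\Users\u\MoUsoCore.exe", "cmdline": "MoUsoCore.exe"},
    {"pid": 950, "ppid": 400, "image": PS, "cmdline": "powershell.exe"},  # benign: user-launched
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent records from nearest to furthest, guarding against loops."""
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])

def detect(events):
    """Return (pid, rule) alerts for the Word -> BAT -> PowerShell chain and the reported names."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = base(e["image"])
        if name in REPORTED_NAMES:
            alerts.append((e["pid"], "reported-file-name"))
        if name not in ("powershell.exe", "pwsh.exe"):
            continue
        saw_bat = False
        for p in ancestors(e, by_pid):
            pname = base(p["image"])
            if pname == "cmd.exe" and ".bat" in p["cmdline"].lower():
                saw_bat = True  # a batch file sits between PowerShell and its origin
            elif pname == "winword.exe" and saw_bat:
                alerts.append((e["pid"], "word-bat-powershell"))
                break
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The file-name rule breaks as soon as the operators rename their binaries, so the parent-child rule is the more durable of the two.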


Two of the Nerbian RAT's many functions are a keylogger that stores keystrokes in encrypted form and a screen capture tool that runs on all OS platforms. The threat actors’ C2 communication runs over SSL so that all data exchanges are encrypted and shielded from potential AV analysis and other malware scanning tools.

The discovery of the Nerbian RAT proves that several sophisticated, stealthy, and complex malware strains still propagate in the cyber threat landscape. The new trojan was found to focus on hiding from anti-virus solutions and evading analysis by threat researchers.

The threat actors attain this stealthiness through several process checks, secure and covert communication, and obfuscation of their code.

Nonetheless, experts verified that the Nerbian RAT currently spreads through small-scale phishing operations. Even though the malware is not a dangerous threat yet, its developers could always decide to upgrade it or offer it on the underground market for wider use and, thus, wider damage.
