A RAT named Nerbian has been observed spreading via email. Researchers named the malware after a function name found in its code and have released a technical report on it.

Nerbian RAT

According to researchers from Proofpoint, the malware campaign spreads Nerbian RAT by impersonating the WHO.
  • The attackers pose as senders of COVID-19 information to the targets.
  • Written in Go, the malware has several features, including the ability to evade detection and analysis.
  • The malicious emails carry RAR attachments containing Word documents loaded with malicious macro code.
  • When the document is opened in Office with content enabled, a .bat file uses PowerShell to download a 64-bit dropper.

Technical details

Nerbian RAT is downloaded as MoUsoCore[.]exe and is stored at C:\ProgramData\USOShared\location.
  • A Golang-based dropper named UpdateUAV[.]exe is used in the attacks; it is packed with UPX to keep the file size manageable.
  • UpdateUAV reuses code from multiple GitHub projects to add several anti-analysis and detection-evasion mechanisms before Nerbian is deployed.
  • Apart from that, the dropper establishes persistence by creating a scheduled task that launches the RAT every hour.
  • Additionally, the malware performs several checks before executing, preventing it from running in a sandbox or VM environment and ensuring long-term stealth for the operators.
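As an added example (not code from Proofpoint or the report), the following detection sketch rebuilds the Office -> cmd/.bat -> PowerShell chain from the delivery stage and flags scheduled tasks whose action runs from the USOShared drop directory named above. It runs over a constructed batch of simplified Sysmon-like events; the field names, PIDs, paths and task name are assumptions, not real telemetry.

```python
"""Detection sketch for the Nerbian delivery and persistence chain (added example).
Events are constructed in a simplified Sysmon-like shape: id 1 = process creation,
id 4698 = scheduled task registered. Field names and values are assumptions."""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DROP_DIR = r"c:\programdata\usoshared"  # drop location named in the report

EVENTS = [  # constructed sample batch, not real logs
    {"id": 1, "pid": 400, "ppid": 300,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 600, "ppid": 100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4698, "task": r"\UpdateUAV",  # hypothetical task name
     "command": r"C:\ProgramData\USOShared\MoUsoCore.exe", "interval": "PT1H"},
    {"id": 4698, "task": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "command": r"C:\Windows\System32\usoclient.exe", "interval": "P1D"},
]

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_to_powershell(events):
    """Return PIDs of PowerShell processes whose ancestry (walked by ppid, then the
    oldest known parent's image field) contains cmd.exe and an Office process."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        if _name(e["image"]) not in POWERSHELL:
            continue
        chain, cur = [], e
        while cur is not None and len(chain) < 8:  # bounded walk up the tree
            chain.append(_name(cur["image"]))
            parent = procs.get(cur["ppid"])
            if parent is None:  # parent's own event is not in the batch
                chain.append(_name(cur["parent"]))
            cur = parent
        if "cmd.exe" in chain and OFFICE & set(chain):
            hits.append(e["pid"])
    return hits

def tasks_from_drop_dir(events):
    """Scheduled tasks whose action runs from the USOShared drop directory; the
    report describes an hourly trigger, so the interval is returned for triage."""
    return [(e["task"], e["interval"]) for e in events
            if e["id"] == 4698 and e["command"].lower().startswith(DROP_DIR)]
```

The benign PowerShell launched from explorer.exe and the legitimate daily usoclient task are included so that both rules are shown not to fire on them.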

Capabilities of Nerbian

The RAT supports various functions, and its operators can configure it with only the functions they need.
  • It has a keylogger component that stores keystrokes in encrypted form, as well as a screen-capture tool that can take screenshots on all major OS platforms.
  • All communication with the C2 server is handled over SSL, so all data exchanges are encrypted to avoid in-transit inspection by network scanning tools.

Conclusion

Nerbian RAT is a complex piece of malware that focuses on stealth through various checks and encrypted communications. At present, it is spread via low-volume email campaigns, which could change in the future. Thus, deploy anti-phishing solutions and email gateways to stay protected.
Cyware Publisher