New stealthy Nerbian RAT malware spotted in ongoing attacks

A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers.

The new malware variant is written in Go, making it a cross-platform 64-bit threat, and it’s currently distributed via a small-scale email distribution campaign that uses document attachments laced with macros.

The email campaigns were discovered by researchers at Proofpoint, who released a report today on the new Nerbian RAT malware.

Impersonating the WHO

The malware campaign distributing Nerbian RAT impersonates the World Health Organization (WHO), which is allegedly sending COVID-19 information to the targets.

Phishing email seen in the latest campaign (Proofpoint)

The RAR attachments contain Word documents laced with malicious macro code; if the document is opened in Microsoft Office with content enabled, a .bat file performs a PowerShell execution step that downloads a 64-bit dropper.

The dropper, named “UpdateUAV.exe,” is also written in Golang and is packed with UPX to keep its size manageable.

UpdateUAV reuses code from various GitHub projects to incorporate a rich set of anti-analysis and detection-evasion mechanisms before Nerbian RAT is deployed.

Apart from that, the dropper also establishes persistence by creating a scheduled task that launches the RAT every hour.

Proofpoint summarizes the list of anti-analysis tools as follows:

  • Check for the existence of reverse engineering or debugging programs in the process list
  • Check for suspicious MAC addresses
  • Check the WMI strings to see if disk names are legitimate
  • Check if the hard disk size is below 100GB, which is typical for virtual machines
  • Check if there are any memory analysis or tampering detection programs present in the process list
  • Check the amount of time elapsed since execution and compare it with a set threshold
  • Use the IsDebuggerPresent API to determine if the executable is being debugged

All these checks make it practically impossible to get the RAT running in a sandboxed, virtualized environment, ensuring long-term stealthiness for the malware operators.

Nerbian RAT features

The trojan is downloaded as “MoUsoCore.exe” and is saved to “C:\ProgramData\USOShared”. It supports several functions, and its operators can configure which of them are enabled.
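The hourly scheduled task and the drop location described above give defenders a concrete persistence pattern to hunt for. The script below is an added example, not code from the article or from Proofpoint; it scans a constructed, reduced export in the shape of `schtasks /query /fo CSV /v` output (the column subset, task names and sample rows are assumptions) for tasks that launch the file names or directory reported for Nerbian RAT on an hourly repeat.

```python
import csv
import io
import re

# Indicators taken from the article: dropper and RAT file names, the drop
# directory, and the hourly scheduled task used for persistence.
SUSPICIOUS_BINARIES = {"updateuav.exe", "mousocore.exe"}
SUSPICIOUS_DIR = re.compile(r"\\programdata\\usoshared\\", re.IGNORECASE)
HOURLY_REPEAT = re.compile(r"^1 hour", re.IGNORECASE)
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Constructed sample shaped like a reduced 'schtasks /query /fo CSV /v' export.
# Only a few of the real columns are kept; the rows are not real telemetry.
SAMPLE_CSV = r'''
"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker","%systemroot%\system32\MusNotification.exe","At logon time","N/A","SYSTEM"
"\MoUsoCoreWorker","C:\ProgramData\USOShared\MoUsoCore.exe","One Time Only","1 Hour(s), 0 Minute(s)","alice"
"\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","Daily","N/A","SYSTEM"
'''.strip()


def hunt_tasks(csv_text):
    """Return a list of (task name, reasons) for tasks matching the
    Nerbian persistence pattern: a known file name or the USOShared drop
    directory, optionally strengthened by an hourly repeat trigger."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        match = EXE_NAME.search(cmd)
        binary = match.group(1).lower() if match else ""
        reasons = []
        if binary in SUSPICIOUS_BINARIES:
            reasons.append(f"known Nerbian file name {binary}")
        if SUSPICIOUS_DIR.search(cmd):
            reasons.append("launched from ProgramData\\USOShared")
        if HOURLY_REPEAT.match(row.get("Repeat: Every", "")):
            reasons.append("repeats every hour")
        # An hourly repeat alone is common for legitimate tasks, so it only
        # counts as corroboration when the name or directory also matches.
        if any(r != "repeats every hour" for r in reasons):
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in hunt_tasks(SAMPLE_CSV):
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same function can be fed the output of `schtasks /query /fo CSV /v` read from a file, after trimming any non-CSV banner lines the command prints.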

Two of its notable functions are a keylogger that stores keystrokes in encrypted form and a screen capturing tool that works on all OS platforms.

Communications with the C2 server are handled over SSL (Secure Sockets Layer), so all data exchanges are encrypted and protected from in-transit inspection by network scanning tools.

The complete infection process (Proofpoint)

To keep an eye on

Without a doubt, Proofpoint has spotted an interesting, complex new malware that focuses on stealthiness through numerous checks, encrypted communications, and code obfuscation.

For now, though, Nerbian RAT is distributed via low-volume email campaigns, so it’s not a massive threat yet, but this could change if its authors decide to open up their business to the broader cybercrime community.
