This New Go Malware Is Wreaking Havoc Wherever It Goes

According to researchers, a completely new and feature-rich remote access trojan (RAT), distributed through the old-fashioned Office macro method, has recently been discovered in the wild.

Proofpoint researchers have uncovered malware known as Nerbian RAT, a cross-platform 64-bit binary written in Go (Golang). It has many features, including several designed to evade detection and analysis.

Nerbian RAT

The novel coronavirus remains a bait too seductive to resist for cyber thieves, who continue to use it in their phishing attempts two years after the initial wave of the Covid-19 outbreak.

Proofpoint researchers have identified a new malware called Nerbian RAT that uses Covid-19 lures. The name comes from Nerbia, a mythical location in Miguel de Cervantes' Don Quixote; a reference to it is embedded in the malware's code.

Nerbian RAT's lures impersonate the World Health Organization (WHO) and promise crucial information on Covid-19. It has been used in a low-volume email campaign targeting individuals in Italy, Spain, and the United Kingdom. The Health Service Executive (HSE), the Irish ministry, and the National Council for the Blind of Ireland (NCBI) are also referenced in the lure.


What Did It Do?

The threat actor launched a small-scale email campaign impersonating the World Health Organization (WHO). Each email carries a Word document containing phony Covid-19 information and a macro; if the recipient enables the macro, it installs a 64-bit dropper.

The dropper, "UpdateUAV.exe," has anti-detection and anti-analysis capabilities that were apparently "stolen" from several GitHub projects. It establishes persistence by creating a scheduled task that launches the RAT every hour.

The trojan itself is named "MoUsoCore.exe" and is dropped into the C:\ProgramData\USOShared folder. Its standard features include a keylogger that stores its logs in encrypted form and a screenshot capability that works across all supported operating systems.
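As an added defensive example (not code from the article or from Proofpoint), the following Python scans exported Task Scheduler XML, the format `schtasks /query /xml` produces, for the persistence pattern described above: a trigger that repeats hourly combined with an action that launches a binary from under C:\ProgramData. The two task definitions are constructed samples for illustration, and the ProgramData heuristic is an assumption of this example, not a rule from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (what `schtasks /query /xml` exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample mirroring the persistence described above: a task that
# repeats every hour and launches an executable under C:\ProgramData\USOShared.
# (Real exports are UTF-16; decode them with encoding="utf-16" before parsing.)
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2022-04-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\USOShared\MoUsoCore.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a daily task running from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>"C:\Program Files\Vendor\updater.exe"</Command></Exec></Actions>
</Task>"""

def interval_hours(iso_duration):
    """Convert an ISO-8601 duration such as PT1H or PT30M to hours; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 24 + hours + mins / 60 + secs / 3600

def flag_hourly_programdata_tasks(task_xml):
    """Return [(command, repeat_hours)] for every Exec action whose binary lives
    under ProgramData and whose trigger repeats at least once per hour.
    Matches are review leads, not verdicts: legitimate tasks can look like this too."""
    root = ET.fromstring(task_xml)
    repeats = [interval_hours(e.text or "") for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    repeats = [r for r in repeats if r is not None]
    if not repeats or min(repeats) > 1.0:
        return []
    findings = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        if re.match(r"[a-z]:\\programdata\\", path, re.I):
            findings.append((path, min(repeats)))
    return findings
```

Run `flag_hourly_programdata_tasks` over each exported task file; the suspicious sample yields the MoUsoCore.exe path with a one-hour repeat, while the benign sample yields nothing.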

"The emails purported to be from the World Health Organization (WHO) and contained critical information about COVID-19," researchers stated. They noted that the emails hark back to phishing campaigns that circulated in the early days of the pandemic in 2020.

The malware is sophisticated, operating in three distinct phases: the phishing-delivered malicious document, then the UpdateUAV.exe dropper noted above, and finally the RAT. Before launching Nerbian RAT, the dropper runs numerous environment checks, including anti-reversing and anti-VM checks.


What happens before the dropper launches Nerbian RAT is perhaps the most advanced evasive functionality in the three-stage procedure. According to researchers, the dropper rigorously vets the compromised host and halts execution if any of a variety of conditions is met.

However, despite all this complexity to ensure the RAT isn’t detected on its way to a victim’s machine, “the dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX–which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable.” 

Written by Jessica Vieira, ProductReviews's senior media reporter, covering the intersection of entertainment and technology.