The previously undocumented Remote Access Trojan (RAT), written in the Go programming language, has been seen to be disproportionately targeted at entities in Italy, Spain and the UK.
Called Nerb rat by the enterprise security company Proofpoint, a new malware uses COVID-19-based baits to spread as part of a small-scale phishing campaign that began on April 26, 2022.
“Level-identified Nerbian RAT uses a variety of anti-analysis components in several stages, including several open source libraries,” said Proofpoint researchers. said in a report summarized from The Hacker News.
“It’s written in the Go-independent programming language (OS), compiled for 64-bit systems and uses multiple encryption procedures to further avoid network analysis.”
Reports of less than 100, allegedly from the World Health Organization, on security measures related to COVID-19, and urge potential victims to open a Microsoft Word document with a macro link to access “the latest health advice.”
The inclusion of macros reflects COVID-19 guidelines, including steps for self-isolation, while in the background the built-in macro launches an infection chain that delivers a payload called “UpdateUAV.exe” that acts as a dropper for Nerso RATore (Mo .exe “) from a remote server.
The dropper also uses open source Waiting an “anti-VM framework” to make reverse engineering difficult, using it to conduct reverse checks and stopping yourself if it encounters any debuggers or memory analysis programs.
The remote access Trojan, for its part, is equipped to record keystrokes, screenshots and execute arbitrary commands before throwing the results back to the server.
Although both the dropper and the RAT were developed by the same author, the identity of the subject of the threat remains unknown.
In addition, Proofpoint warned that the dropper could be configured to transmit various payloads in future attacks, although in its current form it can only receive Nerbian RAT.
“The authors of the malware continue to work at the intersection of open source capabilities and criminal capabilities,” said Sherrod DeGrip, vice president of threat research and detection at Proofpoint.