Fake COVID Safety Emails Spreading Nerbian RAT Across Europe

Fake WHO Safety Emails on COVID-19 Dropping Nerbian RAT Across Europe

The novel Nerbian RAT (remote access trojan) is currently targeting’ entities in Spain, Italy, and the United Kingdom.

Proofpoint’s security researchers have warned users of a new RAT dubbed Nerbian written in the Go programming language and targeting entities in the UK, Italy, and Spain.

The malware name is based on its code, which bears references to the name of a fictional place in the novel Don Quixote.

“It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis,” researchers wrote.

The RAT can log keystrokes, launch arbitrary commands, capture screenshots, and exfiltrate data to a remote C2 server. The threat actor behind this campaign is yet unknown.

How is Nerbian RAT Distributed?

Nerbian RAT is distributed through a phishing campaign using fake COVID-19 theme emails. The emails are less than 100 in number and are disguised to be sent by the World Health Organization regarding COVID-19 related safety measures.

Furthermore, victims are encouraged to open a macro-laced MS Word document to receive the latest health advice from the organization. Researchers further noted that the campaign has been active since 26 April 2022.

When the macros are enabled, a COVID-19 guide appears, informing the victim about self-isolation steps. However, in the background, the embedded macro commences an infection chain.

This chain, according to Proofpoint’s blog post, delivers, the UpdateUAV.exe payload, “a 64-bit executable, written in Golang, 3.5MB in size, and UPX packed,” researchers explained.

This file serves as a Nerbian dropper sent by a remote server. Research reveals that the same author designed the dropper and malware and that the dropper can also deliver different payloads in future campaigns.

Fake COVID Safety Emails Spreading Nerbian RAT Across Europe
Fake WHO email laced with Nerbian RAT (Credit: Proofpoint)

Nerbian loaded with Anti-Analysis Elements

Proofpoint researchers noted that this newly identified RAT comprises “multiple anti-analysis” components that come into play at various stages, such as in numerous open-source libraries.

The UpdateUAV.exe dropper uses the open-source anti-V framework, Chacal, to complicate reverse engineering and carry out anti-reversing checks or self-terminate if it detects debuggers or memory analysis programs.

More COVID Laced Malware Phishing Scams

  1. Feds seize fraud domain claiming to provide COVID-19 vaccine
  2. Fake COVID-19 test result email drops King Engine ransomware
  3. Hackers are actively targeting WHO amid the Coronavirus pandemic
  4. Fake Coronavirus vaccine, patients’ blood & saliva sold on the dark web
  5. Fake govt COVID-19 contact tracking app spreading Android ransomware
Related Posts