A beforehand undocumented distant entry trojan (RAT) written within the Go programming language has been noticed disproportionately focusing on entities in Italy, Spain, and the U.Ok.
Called Nerbian RAT by enterprise safety agency Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as a part of a low quantity email-borne phishing marketing campaign that began on April 26, 2022.
“The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries,” Proofpoint researchers mentioned in a report shared with The Hacker News.
“It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis.”
The messages, amounting to lower than 100 in quantity, purport to be from the World Health Organization about security measures associated to COVID-19, urging potential victims to open a macro-laced Microsoft Word doc to entry the “latest health advice.”
Enabling the macros shows COVID-19 steerage, together with steps for self-isolation, whereas within the background, the embedded macro triggers an an infection chain that delivers a payload known as “UpdateUAV.exe”, which acts as dropper for Nerbian RAT (“MoUsoCore.exe”) from a distant server.
The dropper additionally makes use of the open-source Chacal “anti-VM framework” to make reverse engineering tough, utilizing it to hold out anti-reversing checks and terminating itself ought to it encounter any debuggers or reminiscence evaluation applications.
The distant entry trojan, for its half, is supplied to log keystrokes, seize screenshots, and execute arbitrary instructions, earlier than exfiltrating the outcomes again to the server.
While each the dropper and the RAT are mentioned to have been developed by the identical creator, the identity of the menace actor stays unknown as but.
Furthermore, Proofpoint cautioned that the dropper may very well be personalized to ship totally different payloads in future assaults, though in its present type, it may possibly solely retrieve the Nerbian RAT.
“Malware authors continue to operate at the intersection of open-source capability and criminal opportunity,” Sherrod DeGrippo, vp of menace analysis and detection at Proofpoint, mentioned in a press release.