NerbianRAT Trojan Spreads via Emails

Researchers have noticed a RAT (remote access trojan) dubbed NerbianRAT being distributed via emails. Its name comes from a malware code function’s name.

NerbianRAT: How It Is Distributed

Researchers from Proofpoint have recently published a report providing details about NerbianRAT.

The malicious emails spreading this malware impersonate the World Health Organization (WHO) assuming to send targets COVID-19 information. The emails include RAR attachments that encompass malicious macro code within the Word document found in the RAR archives. What happens when the victim opens Word and enables the content is that a 64-bit droppe will be downloaded by means of a Powershell.

This is what the Word document from the phishing email would look like, as shown in the report:

Source of the Images

Technical Features of NerbianRAT

The malware is written in GO programming language packed with capabilities to bypass detection and analysis.

The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries. It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis. Go is an increasingly popular language used by threat actors, likely due to

Read More: