Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks

The stealthy, feature-rich malware has multistage evasion tactics to fly under the radar of security analysis, researchers at Proofpoint have found.

A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.

Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.

The name, chosen by Proofpoint researchers, is based on a named function in the malware code and appears to be derived from “Nerbia,” a fictional place from the novel Don Quixote, researchers said.

Proofpoint researchers first observed the RAT being distributed in a low-volume email campaign beginning on April 26 in messages sent to multiple industries, mainly impacting organizations in Italy, Spain and the United Kingdom, they said.

“The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19,” researchers wrote, noting that the messages are a throwback to similar phishing campaigns that circulated in 2020 in the early days of the pandemic.

Sample emails shared in the post are
