Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks | Threatpost

2022-05-14 02:27:08 By : Ms. Alice chen


The stealthy, feature-rich malware has multistage evasion tactics to fly under the radar of security analysis, researchers at Proofpoint have found.

A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.

Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.

The name, chosen by Proofpoint researchers, is taken from a function name in the malware code and appears to derive from “Nerbia,” a fictional place in the novel Don Quixote, researchers said.

Proofpoint researchers first observed the RAT being distributed in a low-volume email campaign beginning on April 26 in messages sent to multiple industries, mainly impacting organizations in Italy, Spain and the United Kingdom, they said.

“The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19,” researchers wrote, noting that the messages are a throwback to similar phishing campaigns that circulated in 2020 in the early days of the pandemic.

Sample emails shared in the post were sent from addresses crafted to look as if they came from the WHO, such as who.inter.svc@gmail[.]com and announce@who-international[.]com, and used “WHO” or “World Health Organization” as their subject line.

The messages describe COVID-19 safety measures and carry attachments whose names also include “covid19”; the attachments are in fact Word documents containing malicious macros.

When macros are enabled, the document displays information on COVID-19 safety, specifically about self-isolation and caring for individuals with COVID-19. Enabling macros also triggers an embedded macro that drops a file; that file launches a PowerShell process, which in turn drops the Nerbian RAT dropper, a 64-bit executable called UpdateUAV.exe written in Go, researchers wrote.
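
The chain above (Word document, dropped file, PowerShell, then a Go executable) is the part a defender can catch in process telemetry. The following is an added example written for this article, not Proofpoint's code or anything from the malware: a small Go detector that walks the parent chain of each process-creation event and alerts when a script host descends from an Office application, or when a binary is launched from the user's Temp directory by a script host. The telemetry is constructed for the example; the file name stage.bat, the use of cmd.exe as the intermediate step, and all PIDs and paths are this example's assumptions, as the article does not name them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ProcEvent is a minimal process-creation record with the fields this rule
// needs; Sysmon Event ID 1 and most EDR feeds carry equivalents.
type ProcEvent struct {
	PID         int    `json:"pid"`
	PPID        int    `json:"ppid"`
	Image       string `json:"image"`
	CommandLine string `json:"cmdline"`
}

// Office applications that should not normally have PowerShell in their
// process subtree, and the script hosts this example alerts on.
var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}
var scriptHosts = map[string]bool{"powershell.exe": true, "pwsh.exe": true}

// Constructed sample telemetry, not real logs: one Word session following the
// macro -> dropped file -> PowerShell -> UpdateUAV.exe chain from the article,
// and an administrator's own PowerShell started from Explorer. The dropped
// file name (stage.bat), the cmd.exe hop, paths and PIDs are assumptions.
const sampleTelemetry = `[
 {"pid":100,"ppid":1,  "image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"},
 {"pid":200,"ppid":100,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n covid19-guidance.doc"},
 {"pid":300,"ppid":200,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\stage.bat"},
 {"pid":400,"ppid":300,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"},
 {"pid":500,"ppid":400,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\UpdateUAV.exe","cmdline":"UpdateUAV.exe"},
 {"pid":600,"ppid":100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe"}
]`

// baseName returns the lower-cased file name of a Windows image path. It
// splits on backslash by hand because filepath.Base on Linux would not.
func baseName(image string) string {
	i := strings.LastIndexAny(image, `\/`)
	return strings.ToLower(image[i+1:])
}

// ParseEvents decodes a JSON array of process-creation events.
func ParseEvents(raw string) ([]ProcEvent, error) {
	var events []ProcEvent
	if err := json.Unmarshal([]byte(raw), &events); err != nil {
		return nil, fmt.Errorf("parse telemetry: %w", err)
	}
	return events, nil
}

// officeAncestor walks up from pid for at most maxHops parents and returns
// the first Office application image it meets, or "" if there is none.
func officeAncestor(byPID map[int]ProcEvent, pid, maxHops int) string {
	cur, ok := byPID[pid]
	for hop := 0; ok && hop < maxHops; hop++ {
		parent, found := byPID[cur.PPID]
		if !found {
			return ""
		}
		if name := baseName(parent.Image); officeApps[name] {
			return name
		}
		cur = parent
	}
	return ""
}

// Detect applies two rules derived from the article's infection chain and
// returns one alert line per hit:
//  1. a script host with an Office application among its last three ancestors,
//     which covers both direct WINWORD -> powershell and the dropped-file case;
//  2. an executable started from %TEMP% by a script host, the point at which
//     the article's dropper (UpdateUAV.exe) appears.
func Detect(events []ProcEvent) []string {
	byPID := make(map[int]ProcEvent, len(events))
	for _, e := range events {
		byPID[e.PID] = e
	}
	var alerts []string
	for _, e := range events {
		name := baseName(e.Image)
		if scriptHosts[name] {
			if office := officeAncestor(byPID, e.PID, 3); office != "" {
				alerts = append(alerts, fmt.Sprintf("pid %d: %s descends from %s: %s", e.PID, name, office, e.CommandLine))
			}
		}
		parent, ok := byPID[e.PPID]
		if ok && scriptHosts[baseName(parent.Image)] &&
			strings.Contains(strings.ToLower(e.Image), `\appdata\local\temp\`) {
			alerts = append(alerts, fmt.Sprintf("pid %d: %s started from Temp by %s", e.PID, name, baseName(parent.Image)))
		}
	}
	return alerts
}

// AlertsFromSample runs Detect over the constructed telemetry above.
func AlertsFromSample() ([]string, error) {
	events, err := ParseEvents(sampleTelemetry)
	if err != nil {
		return nil, err
	}
	return Detect(events), nil
}

func main() {
	alerts, err := AlertsFromSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

On the sample, the two hits are the hidden PowerShell under WINWORD.EXE (via cmd.exe) and UpdateUAV.exe being started from Temp; the administrator's PowerShell under Explorer is left alone. The three-hop ancestry walk is the important design choice: the article's chain inserts a dropped file between Word and PowerShell, so a rule that only looks at the immediate parent would miss it.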

Go is becoming “an increasingly popular language used by threat actors, likely due to its lower barrier to entry and ease of use,” they noted.

The Nerbian RAT “leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries,” researchers wrote.

The infection chain works in three distinct stages: the malicious document spread via phishing, the UpdateUAV.exe dropper it leads to, and the RAT itself. Before executing the Nerbian RAT, the dropper performs a series of environment checks, including anti-reversing and anti-VM checks.

Eventually, the RAT itself is executed using an encrypted configuration file, and researchers observed that “extreme care” was taken to encrypt data sent to command-and-control (C&C) by carrying it over Secure Sockets Layer (SSL, in practice TLS in any modern Go build). That keeps the payload out of reach of passive network-inspection tools, although the connection itself and its destination remain visible on the wire, so the C&C host and flow metadata can still be used for detection.

In addition to communicating with C&C, the malware has the other typical RAT capabilities, including keylogging and screen capture, but with its own particular flair, they said. The keylogger stores keystrokes in encrypted form, and the screen-capture tool works across all OS platforms.

Perhaps the most complex evasion functionality in the three-stage process is what happens before the dropper executes the Nerbian RAT. The dropper performs an extensive vetting of the compromised host and stops execution if it encounters any of a number of conditions, researchers said.

These conditions include: the system’s hard disk is smaller than 100GB; the name of the hard disk, as reported by WMI, contains “virtual,” “vbox” or “vmware”; the MAC address returned by the system carries certain OUI values (the vendor prefix in the first three octets, which for virtual adapters identifies the hypervisor vendor); or any of a number of reverse-engineering or debugging programs appear in the process list, researchers said.

The dropper also halts execution if the memory-analysis or memory-tampering programs DumpIt.exe, RAMMap.exe, RAMMap64.exe or vmmap.exe are present in the process list, and if the time taken to execute specific functions is deemed “excessive” by a timing function built into the dropper, a delay that would suggest the code is being stepped through in a debugger.
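
To make the host-vetting logic concrete, here is an added example in Go (the language the dropper is written in) that is neither Proofpoint’s code nor the malware’s. It applies the conditions listed above to a host profile passed in as data, so an analyst can check whether a given sandbox build would trip them before detonating a sample. The real dropper reads these values from the live machine (WMI, the NIC list, the process list); this example takes them as input so it runs on any OS. The specific hypervisor OUIs and the debugger names beyond the four memory tools named in the article are this example’s assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// HostProfile holds the facts the article says the dropper inspects.
type HostProfile struct {
	DiskBytes uint64   // size of the system disk in bytes
	DiskModel string   // disk name/model as WMI would report it
	MACs      []string // MAC addresses of the host's network adapters
	Processes []string // image names from the process list
}

// 100 GB minimum disk size named in the article.
const minDiskBytes = 100 << 30

// Substrings the article says the dropper looks for in the disk name.
var vmDiskMarkers = []string{"virtual", "vbox", "vmware"}

// OUIs (first three octets of a MAC) registered to hypervisor vendors. The
// article only says "certain OUI values"; these specific values are an
// assumption of this example.
var vmOUIs = map[string]string{
	"00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
	"08:00:27": "VirtualBox",
	"00:15:5d": "Hyper-V",
	"52:54:00": "QEMU/KVM",
}

// The four memory tools named in the article, plus common debuggers (the
// debugger names are an assumption; the article does not list them).
var analysisTools = []string{
	"DumpIt.exe", "RAMMap.exe", "RAMMap64.exe", "vmmap.exe",
	"x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "windbg.exe", "ida64.exe",
}

func diskTooSmall(bytes uint64) bool { return bytes < minDiskBytes }

// diskNameLooksVirtual does a case-insensitive substring match on the markers.
func diskNameLooksVirtual(model string) bool {
	m := strings.ToLower(model)
	for _, marker := range vmDiskMarkers {
		if strings.Contains(m, marker) {
			return true
		}
	}
	return false
}

// macVendor accepts any MAC format net.ParseMAC understands and returns the
// hypervisor vendor whose OUI it carries, if any.
func macVendor(mac string) (string, bool) {
	hw, err := net.ParseMAC(mac)
	if err != nil || len(hw) < 3 {
		return "", false
	}
	vendor, ok := vmOUIs[fmt.Sprintf("%02x:%02x:%02x", hw[0], hw[1], hw[2])]
	return vendor, ok
}

// suspiciousProcesses returns the running image names that match the tool list.
func suspiciousProcesses(procs []string) []string {
	var hits []string
	for _, p := range procs {
		for _, tool := range analysisTools {
			if strings.EqualFold(p, tool) {
				hits = append(hits, p)
			}
		}
	}
	return hits
}

// timingLooksDebugged runs work and reports whether it overran budget, the
// kind of stall that single-stepping in a debugger introduces.
func timingLooksDebugged(work func(), budget time.Duration) bool {
	start := time.Now()
	work()
	return time.Since(start) > budget
}

// Evaluate returns one line per condition the profile trips; an empty result
// means the dropper, as described, would go on to run the RAT.
func Evaluate(p HostProfile) []string {
	var reasons []string
	if diskTooSmall(p.DiskBytes) {
		reasons = append(reasons, fmt.Sprintf("disk is %d GB, below 100 GB", p.DiskBytes>>30))
	}
	if diskNameLooksVirtual(p.DiskModel) {
		reasons = append(reasons, "disk name "+p.DiskModel+" contains a VM marker")
	}
	for _, mac := range p.MACs {
		if vendor, ok := macVendor(mac); ok {
			reasons = append(reasons, mac+" carries a "+vendor+" OUI")
		}
	}
	for _, proc := range suspiciousProcesses(p.Processes) {
		reasons = append(reasons, "analysis tool running: "+proc)
	}
	return reasons
}

func main() {
	// Constructed profiles: a stock VirtualBox sandbox and a bare-metal desktop.
	profiles := []struct {
		name string
		p    HostProfile
	}{
		{"sandbox", HostProfile{DiskBytes: 60 << 30, DiskModel: "VBOX HARDDISK ATA Device",
			MACs: []string{"08:00:27:1a:2b:3c"}, Processes: []string{"explorer.exe", "RAMMap64.exe"}}},
		{"desktop", HostProfile{DiskBytes: 512 << 30, DiskModel: "Samsung SSD 970 EVO 500GB",
			MACs: []string{"3c:7c:3f:aa:bb:cc"}, Processes: []string{"explorer.exe", "winword.exe"}}},
	}
	for _, entry := range profiles {
		reasons := Evaluate(entry.p)
		fmt.Printf("%s: %d condition(s) tripped %v\n", entry.name, len(reasons), reasons)
	}
	fmt.Println("timing check tripped:", timingLooksDebugged(func() {}, time.Second))
}
```

The practical use is the inverse of the malware’s: run the sandbox’s real values through Evaluate and fix whatever it reports (a larger virtual disk, a renamed disk model, a non-hypervisor OUI on the guest NIC, memory tools renamed or stopped before detonation). The timing check is the one condition data alone cannot answer; it has to be exercised with the analysis tooling attached, because any breakpoint inside the measured window will push the elapsed time past the dropper’s budget.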

However, despite all this complexity to ensure the RAT isn’t detected on its way to a victim’s machine, “the dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX–which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable,” researchers noted.

Researchers also found it easy to infer most of the functionality of both the dropper and the RAT, because strings in the code refer to GitHub repositories whose published code reveals part of what each component does, they said.
