A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low-volume email-borne phishing campaign that began on April 26, 2022.
“The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including several open-source libraries,” Proofpoint researchers said in a report shared with The Hacker News.
“It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis.”
The messages, amounting to fewer than 100 in number, purport to be from the World Health Organization about safety measures related to COVID-19, urging potential victims to open a macro-laced Microsoft Word document to access the “latest health advice.”
Enabling the macros displays COVID-19 guidance, including steps for self-isolation, while in the background the embedded macro triggers an infection chain that delivers a payload called “UpdateUAV.exe”, which acts as a dropper that retrieves Nerbian RAT (“MoUsoCore.exe”) from a remote server.
The dropper also makes use of the open-source Chacal “anti-VM framework” to make reverse engineering difficult, using it to carry out anti-reversing checks and terminating itself should it encounter any debuggers or memory analysis programs.
The remote access trojan, for its part, is equipped to log keystrokes, capture screenshots, and execute arbitrary commands, before exfiltrating the results back to the server.
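The infection chain above (macro-enabled Word document, then the “UpdateUAV.exe” dropper, then the “MoUsoCore.exe” RAT) is the kind of process lineage endpoint telemetry can flag. The following is an added example, not code from Proofpoint or from the report: a small detector over constructed Sysmon-style process-creation records. Only the two file names come from the article; the event field names, the sample paths, and the generic “Office process spawned an executable” heuristic are assumptions made for this example.

```python
"""Added example (not from the Proofpoint report): a minimal process-lineage
detector for the Nerbian RAT infection chain described in the article.

Only the file names UpdateUAV.exe and MoUsoCore.exe come from the report.
The event records below are constructed sample data in a Sysmon-style
(Event ID 1) shape; the field names and the sample paths are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# File names reported by Proofpoint for the dropper and the RAT (case-insensitive).
NERBIAN_FILE_NAMES = {"updateuav.exe", "mousocore.exe"}

# Generic heuristic (an assumption, not from the report): Office applications
# should almost never spawn a fresh executable; a macro-laced document does.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> List[str]:
    """Return the detection reasons that apply to one process-creation event."""
    reasons: List[str] = []
    parent = _basename(event.parent_image)
    child = _basename(event.image)
    if child in NERBIAN_FILE_NAMES:
        reasons.append(f"known Nerbian file name: {child}")
    if parent in OFFICE_PARENTS and child.endswith(".exe"):
        reasons.append(f"Office process {parent} spawned executable {child}")
    return reasons


def detect(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return (event, reasons) pairs for every event that triggered a rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one benign Word launch, the two-stage Nerbian
# chain, and an unrelated benign process. Paths are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent("2022-04-26T09:12:01Z", "ws01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\a\\Downloads\\guidance.docm"'),
    ProcessEvent("2022-04-26T09:12:07Z", "ws01",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\a\AppData\Local\Temp\UpdateUAV.exe",
                 r"C:\Users\a\AppData\Local\Temp\UpdateUAV.exe"),
    ProcessEvent("2022-04-26T09:12:20Z", "ws01",
                 r"C:\Users\a\AppData\Local\Temp\UpdateUAV.exe",
                 r"C:\Users\a\AppData\Roaming\MoUsoCore.exe",
                 r"C:\Users\a\AppData\Roaming\MoUsoCore.exe"),
    ProcessEvent("2022-04-26T09:15:00Z", "ws02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(ev.timestamp, ev.host, _basename(ev.image), "->", "; ".join(reasons))
```

The name-based rule is brittle (a renamed dropper evades it), which is why the lineage rule sits beside it: the Word-to-executable parent/child relationship survives a rename and is the signal worth alerting on even after the specific file names stop being useful.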
While both the dropper and the RAT are said to have been developed by the same author, the identity of the threat actor remains unknown as yet.
Furthermore, Proofpoint cautioned that the dropper could be customized to deliver different payloads in future attacks, although in its current form it can only retrieve the Nerbian RAT.
“Malware authors continue to operate at the intersection of open-source capability and criminal opportunity,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.