A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.
Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.
The name appointed by Proofpoint researchers is based on a named function in the malware code and appears to be derived from “Nerbia,” a fictional place from the novel Don Quixote, researchers said.
Proofpoint researchers first observed the RAT being distributed in a low-volume email campaign beginning on April 26 in messages sent to multiple industries, mainly impacting organizations in Italy, Spain and the United Kingdom, they said.
“The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19,” researchers wrote, noting that the messages are a throwback to similar phishing campaigns that circulated in 2020 in the early days of the pandemic.
Sample emails shared in the post are sent from email addresses attempting to appear as if they coming from the WHO, such as who.inter.svc@gmail[.]com and announce@who-international[.]com, and use as their subject line WHO or World Health Organization.
The messages include safety measures related to COVID-19 as well as attachments that also include “covid19” in their names but are actually Word documents containing malicious macros.
When macros are enabled, the document reveals information relating to COVID-19 safety, specifically about self-isolation and caring for individuals with COVID-19. Macros-enablement also spurs the document to execute an embedded macro that drops a file that performs a PowerShell process to drop the Nerbian RAT dropper in a 64-bit executable file called UpdateUAV.exe written in Go, researchers wrote.
Go is becoming “an increasingly popular language used by threat actors, likely due to its lower barrier to entry and ease of use,” they noted.
Complexity and Evasion
The Nerbian RAT “leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries,” researchers wrote.
Indeed, the malware shows sophistication, working in three distinct phases. It starts with the aforementioned malicious document spread via phishing and then moves on, as described, to the UpdateUAV.exe dropper. The dropper performs various environment scans, such as anti-reversing and anti-VM checks, before executing the Nerbian RAT.
Eventually, the RAT itself is executed via an encrypted configuration file, with “extreme care” taken to ensure data to command-and-control (C&C) is encrypted by sending it over Secure Sockets Layer (SSL), which evades inspection by network-scanning tools, researchers observed.
In addition to communication with C&C, other typical RAT things that the malware can do include keylogging and screen capture, but with its own particular flair, they said. The RAT’s keylogger stores keystrokes in encrypted form, while its screen-capturing tool works across all OS platforms.
Extreme Vetting
Perhaps the most complex evasion functionality in the three-stage process is what happens before the dropper executes the Nerbian RAT. The dropper performs an extensive vetting of the compromised host and will stop execution if it encounters any of a number of conditions, researchers aid.
These conditions include: the size of the hard disk on the system is less than a certain size, i.e., 100GB; the name of the hard disk, according to WMI , contains “virtual,” “vbox” or “vmware;” the MAC address queried returns certain OUI values; or if any of a number of reverse engineering/debugging programs are encountered in the process list, researchers said.
The dropper also halts execution if the DumpIt.exe, RAMMap.exe, RAMMap64.exe or vmmap.exe memory analysis/memory tampering programs are present in the process list; and if the amount of time elapsed execution specific functions is deemed “excessive”—which would suggest debugging–by a time measurement function present in the dropper.
However, despite all this complexity to ensure the RAT isn’t detected on its way to a victim’s machine, “the dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX–which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable,” researchers noted.
Researchers also found it easy to infer most of the functionality of both the RAT and the dropper due to the strings in the code referring to GitHub repositories that expose partial functionality of both the dropper and the RAT, they said.