Nerbian RAT

Nerbian RAT Description

Cybercriminals are continuing to use COVID-19 as a lure in their threatening campaigns. One such operation involves the dissemination of decoy emails carrying a malware-laced file attachment. The final payload in the infection chain of the attack is a previously unknown threat named Nerbian RAT. Details about the entire operation and the involved malware tools were released in a report by an enterprise security firm.

According to the findings of the cybersecurity experts, the attack campaign appears to be highly targeted, with most of the targets being from Italy, Spain and the United Kingdom. The lure emails claim to be from the World Health Organization (WHO) and contain instructions and safety measures related to COVID-19. Victims are urged to open the attached Microsoft Word document to see the 'latest health advice.'

To properly see the contents of the file, victims must enable macros on their system. Afterward, they would be presented with a document containing general steps regarding self-isolation and taking care of someone infected with COVID. This is just a decoy meant to occupy the attention of the victim while in the background of the system, the macros embedded into the document would deliver a payload file named 'UpdateUAV.exe.' It contains a dropper tasked with fetching and executing the Nerbian RAT from a remote server.

Threatening Functionality and C2 Communication

The Nerbian RAT is written in the system-agnostic GO programming language. It is compiled for 64-bit systems and demonstrates a significant focus on detection evasion. Experts identified multiple anti-analysis components that were spread across several different operational stages. The threat also leverages numerous open-source libraries.

Once fully deployed, Nerbian RAT can initiate keylogging routines, take arbitrary screenshots, execute commands on the system, and exfiltrate the accomplished results to the Command-and-Control infrastructure (C2, C&C) of the operation. The attackers can modify multiple different aspects of the threat, including which hosts it tries to communicate with, the frequency of the checks for C2 domains and IP addresses via keep-alive messages, the preferred working directory, the time frame for when the RAT is active and many others.

The Nerbian RAT has been observed using two types of network traffic. The first one is a simple heartbeat/keep-alive message to the C2. Any additional communication is carried over POST requests to the configured C2 domains and IP addresses. These requests carry a large amount of HTTP form data.