"Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks"

Researchers at Proofpoint have discovered a stealthy, feature-rich malware that uses multistage evasion tactics to fly under the radar of security analysis. The newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers. Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and "utilizes significant anti-analysis and anti-reversing capabilities," according to Proofpoint.

Proofpoint researchers first observed the RAT being distributed in a low-volume email campaign beginning on April 26, in messages sent to multiple industries and mainly impacting organizations in Italy, Spain, and the United Kingdom. The emails claimed to represent the World Health Organization (WHO) and to carry important information regarding COVID-19. The messages include safety measures related to COVID-19 as well as attachments that also include "covid19" in their names but are actually Word documents containing malicious macros. When macros are enabled, the document reveals information on COVID-19 safety, specifically about self-isolation and caring for individuals with COVID-19. Enabling macros also causes the document to run an embedded macro that drops a file, which launches a PowerShell process that in turn drops the Nerbian RAT dropper: a 64-bit executable named UpdateUAV.exe, written in Go. The researchers noted that Go is becoming an increasingly popular language among threat actors, likely due to its lower barrier to entry and ease of use.

According to the researchers, the most complex evasion functionality in the three-stage process is what happens before the dropper executes the Nerbian RAT. The dropper performs extensive vetting of the compromised host and stops execution if it encounters any of a number of conditions. These conditions include: the hard disk on the system is smaller than a certain size, i.e., 100GB; the name of the hard disk, according to WMI, contains "virtual," "vbox" or "vmware"; the MAC address queried returns certain OUI values; or any of a number of reverse-engineering/debugging programs appear in the process list. The dropper also halts execution if the memory analysis/memory tampering programs DumpIt.exe, RAMMap.exe, RAMMap64.exe, or vmmap.exe are present in the process list, or if the amount of time elapsed while executing specific functions is deemed "excessive."
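The delivery chain described above (macro-enabled Word document, PowerShell, UpdateUAV.exe) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from Proofpoint or Threatpost; the field names follow Sysmon Event ID 1 (Image, ParentImage, ProcessId, ParentProcessId), the sample events are constructed, and the Office process name WINWORD.EXE and the dropper's Temp path are assumptions.

```python
"""Hunt for an Office -> PowerShell -> UpdateUAV.exe lineage in process-creation events."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed Office process names
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
DROPPER_NAMES = {"updateuav.exe"}                            # name reported in the article


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_delivery_chain(events):
    """Return (rule, pid, lineage) tuples for suspicious process relationships."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name, parent = _basename(e["Image"]), _basename(e["ParentImage"])
        # Rule 1: an Office application spawning a script host (macro execution).
        if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
            alerts.append(("office_spawns_powershell", e["ProcessId"], [parent, name]))
        # Rule 2: the dropper name with both Office and PowerShell in its ancestry.
        if name in DROPPER_NAMES:
            chain, pid, seen = [name], e["ParentProcessId"], set()
            while pid in by_pid and pid not in seen:      # walk up, guard against cycles
                seen.add(pid)
                chain.append(_basename(by_pid[pid]["Image"]))
                pid = by_pid[pid]["ParentProcessId"]
            if any(c in OFFICE_APPS for c in chain) and any(c in SCRIPT_HOSTS for c in chain):
                alerts.append(("macro_powershell_dropper_chain", e["ProcessId"], chain[::-1]))
    return alerts


# Constructed sample telemetry: one malicious chain plus one benign admin shell.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\UpdateUAV.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ProcessId": 500, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in hunt_delivery_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign PowerShell launched from explorer.exe (pid 500) produces no alert, while the macro-driven chain is reported twice: once at the Office-to-PowerShell hop and once with the full lineage ending in UpdateUAV.exe.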

Threatpost reports: "Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks"
