Nerbian RAT!

Researchers discovered a new malware written in the operating system- agnostic Go programming language that leverages COVID-19 and World Health Organization themes to spread.

Proofpoint researchers said the malware called a “Nerbian” RAT was named based on a function in the malware code. The Proofpoint researchers said the malware has primarily targeted organizations in Italy, Spain, and the United Kingdom. The Nerbian RAT is written in Go programming language, compiled for 64-bit systems, to make the malware multiplatform.

The emails contain a weaponized Word attachment, which is sometimes compressed with RAR. Upon enabling the macros, the document provided reveals information relating to COVID-19 safety, specifically about measures for the self-isolation of infected individuals.

The document contains logos from the Health Service Executive (HSE), the Government of Ireland, and the National Council for the Blind of Ireland (NCBI).

Once opened the document and enabled the macro, a bat file executes a PowerShell acting as a downloader for a Goland 64-bit dropper named “UpdateUAV.exe”.

The UpdateUAV executable is a dropper for the Nerbian RAT and borrows the code from various GitHub projects.

The Nerbian RAT supports a variety of different functions, such as logging keystrokes and capturing images of the screen, and handling communications over SSL.

Indicators Of Compromise

• ee1bbd856bf72a79221baa0f7e97aafb6051129905d62d74a37ae7754fccc3db 
• 1b8c9e7c150bacd466fbe7f12b39883821f23b67cae0a427a57dc37e5ea4390f
• 902c65435b6b44cfda1156b0e7c6a30b2785fa4f2cbb9b1944a66f5146ec7aa5
• www[.]fernandestechnical[.]com
• 185[.]121[.]139[.]249