Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks (Security News, May 2022)
A newly discovered and complex remote access trojan is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.
Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and "utilizes significant anti-analysis and anti-reversing capabilities", according to a Proofpoint blog post published Wednesday.
The name assigned by Proofpoint researchers is based on a named function in the malware code and appears to be derived from "Nerbia," a fictional place from the novel Don Quixote, researchers said.
The Nerbian RAT "leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries," researchers wrote.
The dropper performs various environment scans, such as anti-reversing and anti-VM checks, before executing the Nerbian RAT. Eventually, the RAT itself is executed via an encrypted configuration file, with "extreme care" taken to ensure data to command-and-control is encrypted by sending it over Secure Sockets Layer, which evades inspection by network-scanning tools, researchers observed.
Perhaps the most complex evasion functionality in the three-stage process is what happens before the dropper executes the Nerbian RAT. The dropper performs an extensive vetting of the compromised host and will stop execution if it encounters any of a number of conditions, researchers said.