Security News > 2022 > May > Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.

Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.
2022-05-13 22:17

A previously undocumented remote access trojan written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022.

"The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries," Proofpoint researchers said in a report shared with The Hacker News.

"It is written in operating system agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis."

Enabling the macros displays COVID-19 guidance, including steps for self-isolation, while in the background, the embedded macro triggers an infection chain that delivers a payload called "UpdateUAV.exe", which acts as dropper for Nerbian RAT from a remote server.

While both the dropper and the RAT are said to have been developed by the same author, the identity of the threat actor remains unknown as yet.

Proofpoint cautioned that the dropper could be customized to deliver different payloads in future attacks, although in its current form, it can only retrieve the Nerbian RAT. "Malware authors continue to operate at the intersection of open-source capability and criminal opportunity," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.

News URL