Nerbian RAT Detection: Novel Trojan That Leverages Covid-19 Lures to Target European Users

Another day, another RAT is sniffing its way into systems of hackers’ interest. This time the trojan called Nerbian RAT is in the limelight, leveraging Covid-19 and World’s Health Organization lures to proceed with targeted attacks against users in Italy, Spain, and the UK. The newly-discovered threat is written in Go, making the malware OS-agnostic and able to target both Windows and Linux users.

Detect Nerbian RAT

Detect the possible scheduled task creation of ‘Nerbian’ with a SIgma-based rule developed by seasoned Threat Bounty Program detection engineer Kyaw Pyiyt Htet:

Possible ‘Nerbian’ RAT Scheduled Task Creation (via Cmdline)

The detection is available for the 23 SIEM, EDR & XDR platforms, aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Scheduled Task/Job (T1053, T1053.005) as the main technique.

SOC Prime enables threat hunters to streamline resources, offering real-time threat detection content. Our collection of rules has 185,000+ unique detections, with 140+ new detection items added each month. The View Detections button will take you to the oasis of community-driven Sigma and YARA rules that will help you to advance the progress of your SOC operations.

View Detections Join Threat Bounty

Nerbian RAT Description

According to the in-depth inquiry by Proofpoint, Nerbian remote access Trojan is a novel, sophisticated malware powered by impressive evasive capabilities. The Trojan is written in the Go programming language and uses various open-source Go libraries to conduct malicious actions. Such a trick makes Nerbian a multi-purpose tool able to target all major operating systems. In addition to cross-OS and anti-analysis capabilities, the RAT supports a plea of other malicious functions such as keylogging, screen capturing, and SSL-based C2 communications.

In this campaign, Nerbian RAT’s operators mimic the World Health Organization (WHO), sending out bogus alerts regarding COVID-19-related self-isolation procedures. The emails distributed in this spam campaign contain a Microsoft Word document with macros. When enabled, it fetches a 64-bit Nerbian RAT’s dropper.

The security analyst first detected the email-borne malware campaign in late April 2022. Currently, the volume of the campaign distributing Nerbian RAT malware is considered rather insignificant; however, the analysts from Proofpoint warn that the strain is technically sophisticated and possesses ample malicious potential. So all evidence to Nerbian RAT has already gotten off to a good start in this short time.

Join SOC Prime’s Detection as Code platform to unlock access to the world’s largest live pool of detection content created by the industry leaders to boost the security of your environment. SOC Prime, headquartered in Boston, US, is powered by an international team of seasoned SOC experts dedicated to enabling collaborative cyber defense. Withstand attacks more efficiently with SOC Prime.