Two years since the first wave of the Covid-19 pandemic, and the novel coronavirus remains a lure too tempting to resist for cyber criminals, who continue to press it into service in their phishing campaigns.
One newly discovered malware using Covid-19 lures has been named Nerbian RAT – Nerbia being a fictional location in Miguel de Cervantes’s Don Quixote, a reference to it being included in the malware’s code – which has been tracked by Proofpoint researchers.
So far used in a low volume email borne campaign targeting users in Italy, Spain and the UK, Nerbian RAT’s lures claim to represent the World Health Organisation (WHO) and purport to be important information on Covid-19. The lure also contains the logos of Ireland’s Health Service Executive (HSE), the Irish government, and the National Council for the Blind of Ireland (NCBI).
The information – which appears to be standard advice on self-isolation best practice – is contained in an attached Word document containing macros which, when enabled by the victim, allows the document to drop a .bat file that in turn retrieves Nerbian RAT’s dropper.
Nerbian RAT itself is a somewhat complex remote access Trojan – hence RAT – that supports a variety of malicious functions such as keylogging, screen capture, and communications via SSL with its C2 infrastructure. It also contains a number of checks to prevent victims from debugging or reverse engineering it.
It is, however, perhaps rather more noteworthy for being written in the Go programming language, and uses multiple open source Go libraries for conducting its malicious activities. As Sherrod DeGrippo, vice-president of threat research and detection at Proofpoint, noted: “Malware authors continue to operate at the intersection of open source capability and criminal opportunity.”
Go, or Golang, is increasingly favoured by threat actors, likely because it is easier to use than other languages and the barrier to entry is lower.
It has also matured to the point where it is becoming a “go-to” language for malware developers, both at the advanced persistent threat (APT) and commodity level. Go-based malwares now appear on a regular basis, targeting most major operating systems. In the past 12 months, Go has increasingly also been used to compile initial stagers for Cobalt Strike.
One recently identified Go-coded malware is Denonia, a relatively innocuous-seeming cryptominer that is noteworthy for appearing to have been specifically designed to target Amazon Web Services (AWS) Lambda environments, and as such may be a world’s first – although note that AWS rejects its characterisation as a malware.
Research from 2021 by BlackBerry analysts picked over four uncommon languages that their detection tools had observed being used maliciously – Go, D, Nim and Rust – and found a general consensus that malicious actors also favour these languages because they are still relatively uncommon, therefore believing this may help their attacks evade detection and hinder analysis.
Other plus points include the ability to cross-compile new malwares that can target Windows and MacOS environments at the same time.
More information on Nerbian RAT, including indicators of compromise (IoCs) and Yara rules for defenders, is available from Proofpoint.