The RAT is out: The new Nerbian RAT on the Market
Nerbian is the name of a recently discovered remote access trojan (RAT). A RAT is a type of malware that lets attackers monitor and control an infected computer or network remotely, much like legitimate remote access software. The main difference is that a RAT is installed without the user’s knowledge and uses detection-evasion mechanisms so that no obvious symptoms appear on the infected machine. It is also important to note that Nerbian, like any other RAT, can deliver additional malware; the additional payload most commonly spread is ransomware.
Origin Story
Researchers at cybersecurity firm Proofpoint recently published a report on the new Nerbian RAT malware. The Proofpoint researchers, who first observed the email campaigns, named the malware after a function name found in its code.
Proofpoint identified an email distribution campaign that encouraged targeted users to open a malware-laden file attachment. The campaign used COVID-19 information impersonating the World Health Organization (WHO) and asked targeted users to open the attached Microsoft Word document (.doc) to see the ‘latest Health Advice.’ While the user is distracted reading the document’s COVID-19 safety precautions, the macros embedded in the document deliver the payload behind the scenes. Threat actors continue to use COVID-19 themes to distract targeted users in their campaigns. Although Nerbian is currently distributed only in low-volume campaigns, its authors could make it available to a broader cybercrime community in the future.
Capabilities
Nerbian exhibits a rich set of features once its identified payload, ‘UpdateUAV.exe’, has been downloaded. The RAT logs keystrokes and captures screenshots, recording activity on the infected computer. These screen captures could be taken on a variety of operating systems and could contain usernames, passwords, banking information, or sensitive photos.
How do we avoid Nerbian?
- Do not download files from unknown or untrusted sources. This includes opening attachments in emails from external or unknown addresses.
- Do not download games or software from unknown websites.
- Keep browsers and operating systems up to date with security patches.
- Install a specialized anti-malware program.
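As an added example (not code from the original post, and not from Proofpoint or BreachQuest), the following Python sketches the mail-gateway check that the lure described above and the advice on external attachments imply: an Office attachment arriving from an external sender is flagged, zip-based Office packages are inspected for an embedded VBA project regardless of their extension, and legacy binary .doc files are quarantined because their macros cannot be ruled out from the name alone. The extension groups, domain names, verdict policy and sample documents are constructed assumptions for the demonstration.

```python
import io
import zipfile

# Extension groups used by this example's policy (constructed, adjust to taste).
MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
LEGACY_OLE = {".doc", ".dot", ".xls", ".ppt"}      # OLE2 binary; the format itself allows macros
OOXML_PLAIN = {".docx", ".xlsx", ".pptx"}          # zip packages that should not contain VBA

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file (legacy Office) header signature


def extension(filename):
    """Lower-cased final extension of an attachment name ('' if none)."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_vba(data):
    """True if a zip-based Office package carries a VBA project part.

    The package listing is checked rather than the file name, so a .docm
    renamed to .docx is still caught.
    """
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(name.lower().endswith("vbaproject.bin") for name in pkg.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data, sender_domain, internal_domains):
    """Decide what a mail gateway should do with one attachment.

    Returns (verdict, reasons) with verdict in {"allow", "quarantine", "block"}.
    """
    reasons = []
    ext = extension(filename)
    external = sender_domain.lower() not in {d.lower() for d in internal_domains}
    if external:
        reasons.append("sender is external")

    has_vba = ooxml_has_vba(data)
    if has_vba:
        reasons.append("package contains vbaProject.bin")
    if ext in MACRO_ENABLED:
        reasons.append(f"macro-enabled extension {ext}")
    if ext in OOXML_PLAIN and has_vba:
        reasons.append("VBA present despite a non-macro extension (likely renamed)")
    legacy = ext in LEGACY_OLE or data.startswith(OLE2_MAGIC)
    if legacy:
        reasons.append("legacy OLE2 document; macros cannot be ruled out from the name alone")

    # Policy: macros from outside are blocked, macros from inside go to review,
    # legacy binary documents from outside go to review, everything else passes.
    if has_vba or ext in MACRO_ENABLED:
        verdict = "block" if external else "quarantine"
    elif legacy and external:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return verdict, reasons


def build_sample_ooxml(with_vba):
    """Constructed minimal OOXML package for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            pkg.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed legacy .doc stand-in: only the OLE2 header signature is realistic.
SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    internal = ["corp.example"]                     # assumed internal domain
    cases = [
        ("Latest_Health_Advice.doc", SAMPLE_LEGACY_DOC, "external-sender.example"),
        ("Latest_Health_Advice.docx", build_sample_ooxml(True), "external-sender.example"),
        ("quarterly_report.docx", build_sample_ooxml(False), "corp.example"),
    ]
    for name, blob, sender in cases:
        verdict, why = triage_attachment(name, blob, sender, internal)
        print(f"{name:28} {verdict:10} {'; '.join(why)}")
```

The legacy .doc branch is deliberately conservative: confirming whether an OLE2 file actually carries a VBA project requires parsing its storage tree (tools such as oletools do this), so the example only quarantines such files from external senders rather than claiming a macro was found.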
If you think you have been a victim of the Nerbian RAT or any other business email compromise, please contact us at ir@breachquest.com.
Written by Abbey Mirelli from our Incident Response Team and our BEC specialist.