Two years after the first wave of the Covid-19 pandemic, the coronavirus remains a lure too tempting for cybercriminals to resist, and they continue to use it in their phishing campaigns.
A newly discovered malware family that uses Covid-19 lures has been named Nerbian RAT by the Proofpoint researchers who tracked it. Nerbia is a fictional place in Miguel de Cervantes' Don Quixote, and the reference is embedded in the malware's code.
So far used in a low-volume email campaign aimed at recipients in Italy, Spain and the United Kingdom, the Nerbian RAT lures claim to come from the World Health Organization (WHO) and to contain important information about Covid-19. The lure also carries the logos of Ireland's Health Service Executive (HSE), the Irish government and the National Council for the Blind of Ireland (NCBI).
The content, which appears to be standard advice on best practice for self-isolation, is contained in an attached Word document. The document carries macros that, once the victim enables them, let it execute a .bat file, which in turn retrieves a dropper for Nerbian RAT.
Nerbian RAT itself is a moderately sophisticated remote access Trojan (hence RAT) that supports a range of malicious functions, including keylogging, screen capture and SSL-encrypted communication with its command-and-control (C2) infrastructure. It also contains a number of checks designed to hinder debugging and reverse engineering.
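Added here as an illustration, not as part of the original report or of Proofpoint's own tooling, is a short Python triage script for the kind of macro-carrying Word attachment described above. It inspects the OOXML container for a VBA project, for a macro project hidden behind a .docx extension, for external template or OLE relationships (which pull code from elsewhere without any macro), and for embedded objects. The sample documents it builds are constructed fixtures, not the actual lure, and the example.invalid URL is a placeholder; legacy OLE2 .doc files are out of scope and need an OLE parser such as oletools' olevba.

```python
import io
import re
import zipfile
from typing import Dict, List

VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Relationship types whose external targets Word fetches and loads on open.
RISKY_REL_TYPES = ("/attachedTemplate", "/oleObject")
REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def triage_docx(data: bytes, filename: str = "") -> Dict[str, object]:
    """Report macro and loader indicators for an OOXML (.docx/.docm) Word file.

    A non-zip input (e.g. a legacy OLE2 .doc) is reported as 'unknown'.
    """
    f: Dict[str, object] = {
        "has_vba": False,
        "macro_enabled_ct": False,
        "ext_mismatch": False,
        "external_templates": [],
        "embedded_objects": [],
        "verdict": "clean",
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        f["verdict"] = "unknown"
        return f
    names = set(zf.namelist())

    # 1. Is there a VBA project at all, and does the content type admit it?
    f["has_vba"] = VBA_PART in names
    if "[Content_Types].xml" in names:
        ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        f["macro_enabled_ct"] = MACRO_MAIN_CT in ct

    # 2. A VBA project inside a file presented as .docx is a renamed .docm;
    #    lures do this to look like an ordinary document.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    f["ext_mismatch"] = bool(f["has_vba"]) and ext == "docx"

    # 3. External relationships of risky types (remote template injection,
    #    linked OLE objects) fetch a payload without needing a macro.
    external: List[str] = []
    for name in names:
        if not name.endswith(".rels"):
            continue
        xml = zf.read(name).decode("utf-8", "replace")
        for rel in REL_RE.findall(xml):
            attrs = dict(ATTR_RE.findall(rel))
            if attrs.get("TargetMode") == "External" and attrs.get("Type", "").endswith(RISKY_REL_TYPES):
                external.append(attrs.get("Target", ""))
    f["external_templates"] = sorted(external)

    # 4. Embedded OLE packages (word/embeddings/*) often carry a .bat or .exe stage.
    f["embedded_objects"] = sorted(n for n in names if n.startswith("word/embeddings/"))

    if f["has_vba"] or external or f["embedded_objects"]:
        f["verdict"] = "suspicious"
    return f


def build_sample(macros: bool = False, remote_template: str = "") -> bytes:
    """Constructed minimal OOXML fixture (not a real lure) for exercising triage_docx."""
    main_ct = MACRO_MAIN_CT if macros else PLAIN_MAIN_CT
    types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>' if macros else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if macros:
            # OLE2 magic plus padding: a placeholder stream, not a real VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        if remote_template:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" TargetMode="External" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                f'Target="{remote_template}"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample(macros=True), "covid-advice.docx"))
    print(triage_docx(build_sample(remote_template="http://example.invalid/t.dotm"), "advice.docx"))
    print(triage_docx(build_sample(), "advice.docx"))
```

The verdict is deliberately coarse: the presence of a VBA project is a strong signal in a consumer-facing mailing but not proof of malice, so the script is meant for mail-gateway or analyst triage, with the full attachment handed on to a sandbox or to olevba for macro extraction.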
Perhaps more notable, however, is that it is written in the Go programming language and uses multiple open source Go libraries to carry out its malicious activities. As Sherrod DeGrippo, vice-president of threat research and detection at Proofpoint, put it: “Malware authors continue to work at the intersection of open source and criminal.”
Go, or Golang, is increasingly favoured by threat actors, probably because it is easier to work with than other languages and the barrier to entry is lower.
It has also matured to the point where it is a go-to language for malware developers at both the advanced persistent threat (APT) and commodity levels. Go-based malware now appears regularly targeting all the major operating systems, and over the past 12 months Go has increasingly been used to compile initial stagers for Cobalt Strike.
One recently identified piece of Go-based malware is Denonia, a relatively innocuous-looking cryptominer that is notable for being specifically designed to target Amazon Web Services (AWS) Lambda environments, and as such may be the first of its kind, although it should be noted that AWS rejects its characterisation as malware.
A 2021 study by BlackBerry analysts picked out four unusual languages that their detection tools had seen being used maliciously (Go, D, Nim and Rust) and found a broad consensus that threat actors also favour these languages because they are still relatively uncommon, which they believe can help their attacks evade detection and hinder analysis.
Other advantages include the ability to cross-compile new malware so that a single codebase can target Windows and macOS environments at the same time.
More information on Nerbian RAT, including indicators of compromise (IoCs) and YARA rules for defenders, is available from Proofpoint.