Nerbian RAT targetting entities in Europe leverages COVID-19 messaging

Malware uses sophisticated evasion methods to target entities in the UK, Spain, and Italy

Phishing methods posing as WHONerbian RAT spreads after the macro-laced document gets opened

Nerbian RAT is the malware that uses significant anti-analysis methods and avid reverse engineering capabilities. This open-source Go programming-based threat has been spotted disproportionately targeting various companies In Italy, Spain, UK by also leveraging the Corona virus-themed lures.[1] This was the method to propagate the malware via a low-volume email-borne phishing campaign that started on April 26.[2]

The threat disproportionately impacts entities in Italy, Spain, and the United Kingdom. The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19.

The remote access trojan- RAT, was discovered and constantly analyzed.[3] The new version of the Nerbian RAT has various components that allow the virus to spread across several stages, including multiple open-source libraries.

The threat is compiled for 64-bit systems and leverages encryption methods to evade the network analysis techniques further. The malware was named by ProofPoint researchers and is based on the function found in the malware code during the initial investigations.

Nerbia is a fictional place from the great novel Don Quixote. The knight from Nerbia had a shield with a crest of asparagus and a banner reading “Try your luck”.

Malicious macro-laced messages supposedly from WHO

These phishing messages were posing as alerts sent from the World Health Organization and stating about the safety measures regarding the COVID-19 virus pandemic. Alerts during particular victims to open the email attachment tried to trick people into downloading the macro-laced[4] Microsoft Word document that supposedly lists the latest health rules.

These files once opened, encourage people to enable the macros, so this document can be loaded. It reveals the information related to the COVID-19 safety, particularly regarding self-isolation and caring for sick individuals. The document also contains logos of the Health Service Executive, Government of Ireland, and National Council for the Blind of Ireland.

The lure was used more often at the start of the pandemic in 2020.[5] The method of spoofing the WHO to distribute information about the virus while delivering malware is not new. Once the macros get enabled, the infection chain can start, and payload files can be delivered to the machine, so the Nerbian RAT gets downloaded from a remote server.

Methods keeping the reverse engineering difficult to attempt

The dropper that is launched once the document is opened and the macro virus triggered also initiates the anti-AV framework that allows the malware to block analysis attempts, and reverse engineering. This method would be helpful for researchers because this is the way to understand and create anti-malware solutions when threats can be analyzed fully and inspected. Terminating these AV checks helps to avoid any debuggers or memory analysis programs.

The trojan itself has multiple capabilities for collecting information, logging keystrokes, capturing screenshots, executing arbitrary code, and exfiltrating data to the remote connection server that criminals control. These malware operators continue to carry out their techniques with open-source capabilities and criminal opportunities.

The dropper and the Neberian RAT itself seem to be developed by the same threat actor, but even the ProofPoint analysis cannot link any groups to these campaigns or ensure that the dropper cannot be customized for the later attacks with the same or a different RAT malware. But the particular features show that the dropper is configured to download and establish the resistance of this malware payload.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions