Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks

A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.

Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.

Proofpoint researchers first observed the RAT being distributed in a low-volume email campaign beginning on April 26 in messages sent to multiple industries, mainly impacting organizations in Italy, Spain and the United Kingdom, they said.

“The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19,” researchers wrote, noting that the messages are a throwback to similar phishing campaigns that circulated in 2020 in the early days of the pandemic.

Sample emails shared in the post are sent from email addresses attempting to appear as if they are coming from the WHO, such as who.inter.svc@gmail[.]com and announce@who-international[.]com, and use “WHO” or “World Health Organization” as their subject line.

The messages include safety measures related to COVID-19 as well as attachments that also include “covid19” in their names but are actually Word documents containing malicious macros. When macros are enabled, the document reveals information relating to COVID-19 safety,…