Threat Watch

New Stealthy Nerbian RAT Malware Spotted in Ongoing Attacks

A new Remote Access Trojan (RAT) was discovered being delivered via phishing campaigns that impersonate the World Health Organization (WHO) sending the target COVID-19 related information. This RAT, dubbed Nerbian RAT, is written in Go and includes a large number of anti-analysis mechanisms to help prevent it from being run in a sandboxed or virtualized environment.

The phishing emails seen from this campaign have included a Microsoft Word document, either directly attached or within an attached RAR file. These Word documents contain malicious macros that, when executed, drop a batch file onto the device and runs it. This batch file contains a PowerShell command that downloads an executable file and executes it. This executable file is packed with the UPX utility and functions as the dropper for the main Nerbian RAT payload. This dropper is what contains the large set of anti-analysis checks, including things like checking for certain reverse engineering or debugging programs running, suspicious MAC addresses, small hard disk sizes, and so on.

The dropper then downloads the main Nerbian RAT payload and creates a scheduled task to establish persistence, executing the main payload hourly. Nerbian RAT contains functionality similar to other RATs, including command execution, keylogging, and screen capturing.


It is highly recommended to maintain proper email security controls, such as Anti-Virus (AV) scanning and sandboxing, to help prevent phishing emails from reaching end users. Creating proper phishing awareness training can also help end users identify and remove phishing emails before they are acted upon. This particular campaign also shows that COVID-19 based phishing lures are still being used by threat actors in an attempt to trick users into executing malicious payloads, so vigilance will still be required when handling anything pandemic-related. Proper endpoint security controls, such as an EDR, are also recommended to help prevent malware from fully infecting a system. A number of the infection steps in this campaign exhibit abnormal Windows behavior, allowing for good detection opportunities. Steps like a Word document creating a batch file, a batch file executing PowerShell, and PowerShell making a callout to the Internet to download an executable file are all abnormal behaviors that can be detected and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.