This sneaky new Go malware is causing havoc everywhere it goes

A new, feature-rich remote access trojan (RAT), distributed the old-fashioned way via Office macros, has recently been spotted in the wild, researchers say.

Cybersecurity researchers from Proofpoint recently discovered malware dubbed Nerbian RAT, a cross-platform 64-bit tool written in Golang.

It is “rich” in features, including many built to evade detection and analysis.

Impersonating WHO

The threat actor has initiated a small-scale email campaign, in which it impersonates the World Health Organization (WHO). The email shares fake Covid-19 information in a Word file carrying a macro. If activated, the macro will download a 64-bit dropper.

The dropper is called “UpdateUAV.exe”, and even this stage carries anti-detection and anti-analysis features. Apparently, these have all been “borrowed” from various GitHub projects. The dropper also establishes persistence through a scheduled task that launches the RAT every hour.

The trojan itself is named “MoUsoCore.exe”, and is dropped to the C:\ProgramData\USOShared folder. Among the usual functions are a keylogger that stores everything it captures in encrypted form, and a screenshot capability that works across the supported operating systems.
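The article gives defenders two concrete things to look for on a Windows host: a scheduled task that launches the RAT every hour, and the drop location C:\ProgramData\USOShared with the binary name MoUsoCore.exe. The following PowerShell hunting script is an added example, not code from the article or from Proofpoint; it matches on the indicators the article reports and assumes the task name is unknown, so it inspects task actions rather than names. One caveat the article does not spell out: C:\ProgramData\USOShared is a folder that legitimate Windows Update components also use, so the folder's mere presence is not an indicator; only the named executable and a task pointing at it are.

```powershell
# Added hunting example (not from the article): find scheduled tasks whose action
# references the Nerbian RAT indicators reported above, and check the drop folder
# for the named binary. Run in an elevated PowerShell session on the host under review.

# Indicators taken from the article. The USOShared folder itself is legitimate
# (used by Windows Update components), so we only treat the file names and
# a task that executes something under that folder as suspicious.
$dropFolder  = 'C:\ProgramData\USOShared'
$ratBinary   = 'MoUsoCore.exe'
$dropperName = 'UpdateUAV.exe'
$indicators  = @("$dropFolder\*", $ratBinary, $dropperName)

function Find-SuspiciousTasks {
    # Walk every registered task and every action it carries.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            foreach ($ioc in $indicators) {
                if ($cmdline -like "*$ioc*") {
                    # ISO 8601 repetition interval; the article reports an hourly launch (PT1H).
                    $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } |
                                   Where-Object { $_ })
                    [PSCustomObject]@{
                        TaskName = $task.TaskName
                        TaskPath = $task.TaskPath
                        State    = $task.State
                        Command  = $cmdline
                        Repeat   = ($intervals -join ',')
                        Hourly   = ($intervals -contains 'PT1H')
                        Matched  = $ioc
                    }
                    break
                }
            }
        }
    }
}

function Find-DroppedBinary {
    # Look for the RAT binary in the reported drop folder; report hash for triage.
    $candidate = Join-Path $dropFolder $ratBinary
    if (Test-Path $candidate) {
        $item = Get-Item $candidate
        [PSCustomObject]@{
            Path         = $item.FullName
            SizeBytes    = $item.Length
            LastWrite    = $item.LastWriteTimeUtc
            Sha256       = (Get-FileHash -Algorithm SHA256 $candidate).Hash
            SignedStatus = (Get-AuthenticodeSignature $candidate).Status
        }
    }
}

# Usage: print anything found; an empty result for both means no match on this host.
$tasks = Find-SuspiciousTasks
$file  = Find-DroppedBinary
if ($tasks) { $tasks | Format-Table -AutoSize } else { 'No scheduled task matched the reported indicators.' }
if ($file)  { $file  | Format-List }            else { "No $ratBinary found under $dropFolder." }
```

If a task does match, collect the task XML (`Export-ScheduledTask -TaskName ... -TaskPath ...`) and the binary before disabling the task, so the hourly trigger and the file hash are preserved for the incident record; the hash is host-specific evidence the article does not publish, which is why the script computes it rather than comparing against a fixed value.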

The publication says the campaign is still “small-scale”, and though dangerous, is still not a major threat. That could change any moment, however.

It’s interesting to see threat actors still distributing macro-laced Office files, knowing that Microsoft decided to phase the feature out almost entirely, for no other reason than its constant weaponization by criminals. 

In early February this year, Microsoft said users will no longer be able to activate VBA macros in “untrusted” documents from five of its most popular Office apps. All files shared from outside the company network will be deemed “untrusted”, while files coming from within the same domain should still be able to keep their macros.

For years, cybercrime groups have been sharing macro-powered malicious Office documents, preying on gullible or exhausted workers. Payment receipts, warnings of failed payments, job offers, Covid-19 and vaccine information, are just some of the document types crooks would share to have people run macros and infect their endpoints.

Via: BleepingComputer
