Researchers have noticed a RAT (remote access trojan) dubbed NerbianRAT being distributed via emails. Its name comes from a malware code function’s name.

NerbianRAT: How It Is Distributed

Researchers from Proofpoint have recently published a report providing details about NerbianRAT.

The malicious emails spreading this malware impersonate the World Health Organization (WHO) assuming to send targets COVID-19 information. The emails include RAR attachments that encompass malicious macro code within the Word document found in the RAR archives. What happens when the victim opens Word and enables the content is that a 64-bit droppe will be downloaded by means of a Powershell.

This is what the Word document from the phishing email would look like, as shown in the report:

Proofpoint screenshot phishing email

Proofpoint screenshot phishing email

Source of the Images

Technical Features of NerbianRAT

The malware is written in GO programming language packed with capabilities to bypass detection and analysis.

The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries. It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis. Go is an increasingly popular language used by threat actors, likely due to its lower barrier to entry and ease of use.


The payload that is initially downloaded from the word file is UpdateUAV[.]exe. It represents a 64-bit executable, has a size of 3.5MB, and comes with UPX for size managing purposes.

What UpdateUAV does is reuse code that comes from various GitHub projects to make sure that multiple anti-analysis and detection-evasion methods are put in place before the deployment of the NerbianRAT starts. Besides, the dropper has also the role to create persistence through its launching of the remote access trojan every hour.

Because of the checks the malware performs previous to its execution, it makes sure it cannot run in a sandboxed, VM environment.

What’s also worth mentioning is that NerbianRAT includes a keylogger component that stores keystrokes in a form that is encrypted. Besides, it also comes with a screen capturing tool that can take screenshots that works with all major operating systems.

SSL is making all the communications with the C2 server possible. This means that tools that scan the network cannot perform in-transit analysis of data exchanges, because these are protected and encrypted this way.

How Can Heimdal™ Help?

Protect yourself from phishing emails with Heimdal Email Security, a solution specially designed to block mail-delivered threats and prevent supply-chain attacks by combining Office 365 support with proprietary e-mail threat prevention.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Phishing attacks explained: How it works, Types, Prevention and Statistics

51% of Organizations Have Suffered Data Breaches Caused by Third-Party Remote Access

What is a Remote Access Trojan (RAT)?

Leave a Reply

Your email address will not be published. Required fields are marked *