This sneaky new Go malware is wreaking havoc everywhere it goes

A new feature-packed Remote Access Trojan (RAT) distributed in the old-fashioned way of Office macros has recently been discovered in the wild, researchers say.

Cybersecurity researchers at Proofpoint recently discovered malware called Nerbian RAT, a 64-bit, cross-platform RAT written in Go (Golang).

It is "rich" with features, many of which are designed to evade detection and analysis.

Posing as the WHO

The threat actor launched a small-scale email campaign posing as the World Health Organization (WHO). The email shares false information about Covid-19 in a Word file containing a macro. If enabled, the macro will download a 64-bit dropper.

The dropper is called "UpdateUAV.exe", and even this stage carries anti-detection and anti-scanning functions, apparently all "borrowed" from various GitHub projects. The dropper also establishes persistence via a scheduled task that launches the RAT every hour.

The Trojan itself is called "MoUsoCore.exe" and is placed in the C:\ProgramData\USOShared folder. Its features include a keylogger that stores everything it records in encrypted form, and a screenshot capability that works across operating systems.
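The persistence step described above, a scheduled task relaunching a binary from C:\ProgramData\USOShared every hour, is something a defender can hunt for in exported task definitions. The following Python script is an added example, not Proofpoint's code or tooling: it parses the Task Scheduler XML format (as produced by `schtasks /query /xml`) and flags tasks whose action runs from the folder or binary named in the article with a repetition interval of an hour or less. The embedded task definition is a constructed sample, and its trigger details are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler 2.0 XML namespace (used by `schtasks /query /xml` exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths named in the article: the drop folder and the RAT binary.
SUSPICIOUS_PATHS = [
    re.compile(r"\\ProgramData\\USOShared\\", re.I),
    re.compile(r"\\MoUsoCore\.exe$", re.I),
]

def interval_seconds(iso):
    """Convert the ISO 8601 durations Task Scheduler emits (PT1H, PT30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task_xml(xml_text):
    """Return findings for one exported task definition (empty list if nothing matches)."""
    root = ET.fromstring(xml_text)
    hits = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        if any(p.search(cmd.text or "") for p in SUSPICIOUS_PATHS):
            hits.append(f"action launches {cmd.text}")
    # An hourly repetition is normal on its own; report it only alongside a suspicious action.
    if hits:
        for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
            secs = interval_seconds(iv.text)
            if secs is not None and secs <= 3600:
                hits.append(f"repeats every {iv.text} ({secs} s)")
    return hits

# Constructed sample task (XML declaration omitted so ET accepts a str); trigger details are assumed.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2022-05-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\USOShared\\MoUsoCore.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in triage_task_xml(SAMPLE_TASK):
        print("FINDING:", finding)
```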

The post says the campaign is still "small in scale" and, while dangerous, not yet a major threat. However, this could change at any time.

Interestingly, threat actors continue to distribute macro-laden Office files even though Microsoft has decided to remove the feature almost completely, for no reason other than its constant weaponization by criminals.

In early February this year, Microsoft said that users will no longer be able to enable VBA macros in "untrusted" documents in five of its most popular Office applications. All files shared from outside the corporate network will be considered "untrusted", while files originating on the same domain should keep their macros.

For years, cybercrime groups have shared malicious macro-based Office documents, preying on gullible or exhausted workers. Payment receipts, payment failure warnings, job offers, and Covid-19 and vaccination information are just some of the lures scammers use to get people to run macros and infect their machines.

Via: BleepingComputer