Researchers have recently discovered a brand new remote-access Trojan (RAT) that is feature-rich and distributed in the old-fashioned Office macro format.
Proofpoint cybersecurity researchers recently discovered a malware called Nerbian RAT, a cross-platform 64-bit product written in Golang.
It is “rich” in functionality, including many features built to avoid detection and analysis.
Impersonate WHO
The attackers have launched a small email campaign impersonating the World Health Organization (WHO). This email shares fake Covid-19 information in a Word file that contains macros. When enabled, the macro will download a 64-bit dropper.
The dropper is called “UpdateUAV.exe” and is still equipped with detection and analysis prevention functions at this stage. Apparently, these are all “borrowed” from various GitHub projects. The dropper also establishes persistence through a scheduled task that launches RAT every hour.
The Trojan itself is named “MoUsoCore.exe” and will be dropped in the C: \ ProgramData \ USOShared folder. Some of the usual features are keyloggers that store everything logged in in encrypted form, and screenshot tools for all operating systems.
According to the publication, the campaign is still “small” and dangerous, but still not a big threat. However, it can change at any time.
Threat actors still distribute Macrorace Office files, knowing that Microsoft has decided to phase out this feature almost completely for reasons other than constant weaponization by criminals. It’s interesting to see them.
Earlier this February, Microsoft announced that users would not be able to activate VBA macros with “untrusted” documents from the five most popular Office apps. All files shared from outside the company’s network are considered “untrusted”. That is, all files from the same domain should still be able to hold macros.
For years, cybercriminal groups have preyed on deceived or exhausted workers and shared malicious Office documents using macros. Receipts, payment failure warnings, jobs, Covid-19, and vaccine information are just a few of the document types that scammers share to run macros and infect. end point..
via: Bleeping Computer