Researchers on Wednesday said they discovered a new malware family written in the operating system-agnostic Go programming language that uses COVID-19 and World Health Organization themes to spread.
In a blog post, Proofpoint researchers said the malware, which they call the "Nerbian" remote access trojan (RAT), takes its name from a function in its code. The Proofpoint researchers said the malware has primarily targeted organizations in Italy, Spain, and the United Kingdom.
Nerbia is a fictional place from the famous novel "Don Quixote." The researchers pointed out that the knight from Nerbia had a shield with a crest of asparagus and a banner reading "Try your luck."
Proofpoint's assessment of the Nerbian RAT indicates that it is complex malware, designed and coded in OS-agnostic Go to affect as many systems as possible, and that it aims to evade detection by security tools, said Alex Ondrick, director of security operations at BreachQuest.
Interestingly, Ondrick said, Proofpoint notes that the dropper and the RAT itself do not employ heavy obfuscation beyond the sample being packed with the Ultimate Packer for Executables (UPX), which the researchers argue may be intended to "reduce the size of the executable."
“If my understanding is correct, the malware authors invested significant technical effort into creating the malware, yet they did not employ obfuscation beyond packing the sample with high-complexity malware, but low-complexity obfuscation,” Ondrick said. “Organizations must keep systems and software updated, and should conduct regular phishing awareness training. Microsoft Office administrators are strongly encouraged to prevent/disable macros across all Microsoft Office products across the entire environment.”
Saumitra Das, co-founder and CTO at Blue Hexagon, said there are two interesting things about the attack. First, Das said, by using the Go language to get platform independence, the malware authors do not have to write separate malware for each platform.
“Second, the use of current topics of interest is a common tactic,” Das said. “Here, with the potential rise of COVID in a new wave, they are trying to exploit user interest in the topic to make them click.”
Aaron Turner, vice president, SaaS Posture at Vectra, said that while he considers the use of Go as the development language a novel approach, the attack path itself is not novel. Turner said if an organization blocks macros from untrusted parties arriving via email and restricts PowerShell functionality on the endpoint, this sort of attack would not succeed.
“As more organizations move to Microsoft 365, strong PowerShell security policies and controls will become more and more important as so many traditional controls and security monitoring tools can be bypassed using PowerShell,” Turner said. “Microsoft's guidance here is very clear: block all untrusted PowerShell functions and enforce the most-restrictive policies possible.”
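The two controls the experts quoted above recommend (disabling Office macros, and restricting and logging PowerShell) map to specific Windows policy settings that an administrator can audit from the endpoint. The script below is an added example written for this article; it is not Proofpoint's, BreachQuest's, Blue Hexagon's or Vectra's code. It reads the documented Office policy values (`blockcontentexecutionfrominternet` and `VBAWarnings` under `HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security`) and the PowerShell `EnableScriptBlockLogging` policy value, and reports the session's PowerShell language mode. The assumptions are: the `16.0` policy hive (Office 2016 and later), that policies land in the per-user `HKCU` hive, and that the "expected" values shown are the hardening choices of this example (`VBAWarnings = 4` disables all macros without notification; `3` would allow only digitally signed macros). The `-Fix` switch is this example's own parameter and writes the expected values.

```powershell
# Added example (not from the article's sources): audit Office macro blocking
# and PowerShell script block logging, the controls the quoted experts recommend.
# Run with -Fix to write the expected values (requires rights to the policy keys).
[CmdletBinding()]
param(
    [switch]$Fix,
    [string]$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365 policy hive
)

$apps = 'Word', 'Excel', 'PowerPoint'

# Expected values are this example's hardening choices, not a vendor mandate.
$macroPolicies = @(
    @{ Name = 'blockcontentexecutionfrominternet'; Expected = 1
       Why  = 'block macros in files tagged as downloaded from the Internet (Mark of the Web)' },
    @{ Name = 'VBAWarnings';                       Expected = 4
       Why  = 'disable all macros without notification (3 = signed macros only)' }
)

$results = [System.Collections.Generic.List[object]]::new()

function Test-PolicyValue {
    param([string]$Key, [string]$Name, [int]$Expected, [string]$Why, [string]$Label)
    $actual = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    $pass = ($null -ne $actual) -and ([int]$actual -eq $Expected)
    if (-not $pass -and $Fix) {
        # New-Item -Force creates the missing policy path without clobbering siblings.
        New-Item -Path $Key -Force | Out-Null
        Set-ItemProperty -Path $Key -Name $Name -Value $Expected -Type DWord
        $actual = $Expected
        $pass = $true
    }
    [pscustomobject]@{
        Control  = $Label
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected = $Expected
        Pass     = $pass
        Why      = $Why
    }
}

# Office side: one Security key per application.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    foreach ($p in $macroPolicies) {
        $results.Add((Test-PolicyValue -Key $key -Name $p.Name -Expected $p.Expected `
                                       -Why $p.Why -Label "$app $($p.Name)"))
    }
}

# PowerShell side: script block logging (Event ID 4104) makes downloader
# one-liners visible even when the script itself is obfuscated or packed.
$psLogKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$results.Add((Test-PolicyValue -Key $psLogKey -Name 'EnableScriptBlockLogging' -Expected 1 `
                               -Why 'log every script block PowerShell executes' `
                               -Label 'PowerShell EnableScriptBlockLogging'))

# Language mode cannot be "set" here: ConstrainedLanguage is enforced by a
# WDAC or AppLocker policy. Report it so the gap is visible.
$mode = $ExecutionContext.SessionState.LanguageMode
$results.Add([pscustomobject]@{
    Control  = 'PowerShell LanguageMode (this session)'
    Actual   = $mode
    Expected = 'ConstrainedLanguage'
    Pass     = ($mode -eq 'ConstrainedLanguage')
    Why      = 'restrict .NET/COM access for unsigned scripts via WDAC/AppLocker'
})

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass }).Count
if ($failed -gt 0) {
    Write-Warning "$failed control(s) not at the expected hardened value."
    exit 1
}
```

Run it as the user whose Office settings you want to check; the Office keys are per-user, so a domain GPO that targets the user configuration will show up here, while a machine-scoped deployment that writes under `HKLM` would need the path adjusted. The language-mode check reports only the current session, so run it from the same profile and host (for example, a non-elevated `powershell.exe`) that a macro-launched payload would inherit.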