This insidious new Go malware is wreaking havoc everywhere it goes.


Researchers say a new remote access Trojan (RAT), which is deployed in a feature-rich, outdated Office macro fashion, has recently been found in the wild.

Cybersecurity researchers at Proofpoint recently discovered malware called Nerbian RAT, a cross-platform 64-bit product written in Golang.

It is “rich” in features, including many features built to avoid detection and analysis.

WHO impersonation

The threat actor has launched a small email campaign impersonating the World Health Organization (WHO). Emails share fake Covid-19 information in Word files with macros. If enabled, the macro will download a 64-bit dropper.

The dropper is called “UpdateUAV.exe” and even at this stage it has anti-detection and anti-analysis features. Obviously, these are all “borrowed” from various GitHub projects. The dropper also establishes persistence via a scheduled task that starts the RAT every hour.

The Trojan itself is named “MoUsoCore.exe” and is dropped into the C:ProgramDataUSOSShared folder. Among its common features are a keylogger that stores everything it records in an encrypted format and a screenshot tool for all operating systems.

The publication says the campaign is still “small” and risky, but still doesn’t pose a major threat. But it can change at any time.

It’s interesting to see threat actors still distributing macro-bound Office files, knowing that Microsoft has decided to almost completely phase out this feature for no other reason than the relentless weaponization by criminals.

In early February of this year, Microsoft revealed that users could no longer enable VBA macros in “untrusted” documents in the five most popular office apps. Any files shared outside the corporate network are considered “untrusted”. This means that all files coming from the same domain should still be able to maintain macros.

For years, cybercriminal groups have shared malicious, macro-based Office documents that prey on gullible or weary employees. Payment receipts, warnings about payment failures, job openings, Covid-19 and vaccine information are just a few of the types of documents scammers share to run macros and infect themselves. endpoint.

Through: blipping computer

Leave a Comment