This sneaky new Go malware is causing havoc everywhere it goes

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

A brand new remote access trojan (RAT), rich in features, and distributed the old-fashioned Office macro way, has recently been spotted in the wild, researchers are saying.

Cybersecurity researchers from Proofpoint recently discovered malware dubbed Nerbian RAT, a cross-platform 64-bit product written in Golang. 

It is “rich” in features, including many built to evade being detected and analyzed.


Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Impersonating WHO

The threat actor has initiated a small-scale email campaign, in which it impersonates the World Health Organization (WHO). The email shares fake Covid-19 information in a Word file carrying a macro. If activated, the macro will download a 64-bit dropper.

The dropper is called “UpdateUAV.exe”, and even this stage carries anti-detection and anti-analysis features. Apparently, these have all been “borrowed” from various GitHub projects. The dropper also establishes persistence through a scheduled task that launches the RAT every hour.

The trojan itself is named “MoUsoCore.exe”, and is dropped to the C:\ProgramData\USOShared folder. Among the usual functions are a keylogger storing everything it logs in encrypted form, and a screenshotting tool for all operating systems

The publication says the campaign is still “small-scale”, and though dangerous, is still not a major threat. That could change any moment, however.

It’s interesting to see threat actors still distributing macro-laced Office files, knowing that Microsoft decided to phase the feature out almost entirely, for no other reason than its constant weaponization by criminals. 

In early February this year, Microsoft said users will no longer be able to activate VBA macros in “untrusted” documents from five of its most popular Office apps. All files shared from outside the company network will be deemed “untrusted”, meaning all files coming from the same domain should still be able to keep their macros.

For years, cybercrime groups have been sharing macro-powered malicious Office documents, preying on gullible or exhausted workers. Payment receipts, warnings of failed payments, job offers, Covid-19 and vaccine information, are just some of the document types crooks would share to have people run macros and infect their endpoints.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.