A brand new remote access trojan (RAT), rich in features and distributed the old-fashioned way via Office macros, has recently been spotted in the wild, researchers say.
Cybersecurity researchers from Proofpoint recently discovered malware dubbed Nerbian RAT, a cross-platform 64-bit product written in Golang.
It is “rich” in features, including many built to evade being detected and analyzed.
The threat actor has initiated a small-scale email campaign, in which it impersonates the World Health Organization (WHO). The email shares fake Covid-19 information in a Word file carrying a macro. If activated, the macro will download a 64-bit dropper.
The dropper is called “UpdateUAV.exe”, and even this stage carries anti-detection and anti-analysis features. Apparently, these have all been “borrowed” from various GitHub projects. The dropper also establishes persistence through a scheduled task that launches the RAT every hour.
The trojan itself is named “MoUsoCore.exe” (a name that mimics Windows’ legitimate Update Session Orchestrator component, MoUsoCoreWorker.exe) and is dropped into the C:\ProgramData\USOShared folder, a directory the real orchestrator also uses for its logs. Among the usual functions are a keylogger that stores everything it captures in encrypted form, and a screen-capture routine that works on all operating systems.
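The scheduled-task persistence and the drop location described above are the two things a responder can hunt for without a sample in hand. The following triage script is an added example, not Proofpoint’s analysis code or anything from the article: it reads exported Task Scheduler XML and flags a task that executes from a user-writable path such as C:\ProgramData\USOShared, uses a USO-sounding binary name outside System32, or repeats on an hourly or shorter interval. It generalises past MoUsoCore.exe to any task with that shape. The task definitions below are constructed to match the article, not captured artefacts; the environment-variable map, the 60-minute threshold and the name check are assumptions.

```python
"""Triage exported Windows Task Scheduler XML for the persistence pattern above.

Added example, not Proofpoint's analysis code or the RAT's. The task XML
samples are constructed to match the article's description; the environment
variable map, the 60-minute threshold and the USO name check are assumptions.
Export a real task with:  schtasks /query /xml /tn "<task name>"
(the same XML is stored under C:\\Windows\\System32\\Tasks).
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Roots a normal user can write to. C:\ProgramData\USOShared exists on clean
# systems (the real Update Session Orchestrator keeps logs there); the anomaly
# is an executable being launched out of it, not the folder's presence.
WRITABLE_ROOTS = (PureWindowsPath(r"C:\ProgramData"), PureWindowsPath(r"C:\Users"))
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64"))
MAX_INTERVAL_MIN = 60  # assumed threshold: hourly or faster is worth a look
ENV = {"%SYSTEMROOT%": r"C:\Windows", "%WINDIR%": r"C:\Windows", "%PROGRAMDATA%": r"C:\ProgramData"}


def iso_duration_minutes(dur: str) -> float:
    """Parse the ISO 8601 duration subset Task Scheduler writes (PT1H, PT30M, P1DT2H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", dur.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {dur!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def normalise_command(cmd: str) -> PureWindowsPath:
    """Strip quotes and expand the few environment variables task XML commonly uses."""
    cmd = cmd.strip().strip('"')
    for var, val in ENV.items():
        cmd = re.compile(re.escape(var), re.IGNORECASE).sub(lambda _m, v=val: v, cmd)
    return PureWindowsPath(cmd)


def _under(path: PureWindowsPath, roots) -> bool:
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    return any(root in path.parents for root in roots)


def assess_task(xml_text: str) -> list[str]:
    """Return why the task matches the persistence pattern; an empty list means it does not."""
    task = ET.fromstring(xml_text)
    reasons: list[str] = []
    for cmd_el in task.findall(".//t:Actions/t:Exec/t:Command", NS):
        exe = normalise_command(cmd_el.text or "")
        if _under(exe, WRITABLE_ROOTS):
            reasons.append(f"executes from user-writable path {exe}")
        # The real USO binaries (MoUsoCoreWorker.exe, UsoClient.exe) live in System32;
        # a USO-sounding name anywhere else is a lookalike.
        if exe.name.lower().startswith(("mouso", "uso")) and not _under(exe, SYSTEM_DIRS):
            reasons.append(f"USO-lookalike binary outside System32: {exe.name}")
    intervals = [iso_duration_minutes(e.text or "") for e in task.findall(".//t:Repetition/t:Interval", NS)]
    if intervals and min(intervals) <= MAX_INTERVAL_MIN:
        reasons.append(f"repeats every {min(intervals):g} min")
    return reasons


def triage(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Run assess_task over {task name: xml} and keep only the hits."""
    return {name: r for name, xml in tasks.items() if (r := assess_task(xml))}


# Constructed sample task definitions (not captured from an infection).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2022-05-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\USOShared\MoUsoCore.exe</Command></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2022-05-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\System32\UsoClient.exe</Command><Arguments>StartScan</Arguments>
  </Exec></Actions>
</Task>"""

GENERIC_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2022-05-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT30M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"%ProgramData%\Update\updater.exe"</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    hits = triage({"Nerbian-like": SUSPICIOUS_TASK, "UsoDaily": BENIGN_TASK, "Updater": GENERIC_TASK})
    for name, reasons in hits.items():
        print(name, "->", "; ".join(reasons))
```

Run it over every file under C:\Windows\System32\Tasks (or the output of `schtasks /query /xml`) rather than only tasks whose names look odd: the name of the task is attacker-chosen, while the action path and the repetition interval are what the persistence needs to work.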
The publication says the campaign is still “small-scale”, and though dangerous, is still not a major threat. That could change any moment, however.
It’s interesting to see threat actors still distributing macro-laced Office files, knowing that Microsoft has decided to block the feature by default, for no other reason than its constant weaponization by criminals.
In early February this year, Microsoft said that VBA macros in “untrusted” documents will be blocked by default in five of its most popular Office apps (Access, Excel, PowerPoint, Visio and Word). The block keys on the Mark of the Web that Windows attaches to files downloaded from the internet or received as email attachments, so a document from the local intranet or a trusted location is still able to run its macros.
For years, cybercrime groups have been sharing macro-powered malicious Office documents, preying on gullible or exhausted workers. Payment receipts, warnings of failed payments, job offers, Covid-19 and vaccine information, are just some of the document types crooks would share to have people run macros and infect their endpoints.
Via: BleepingComputer