Nerbian Rat Using Covid 19 Templates
Figure 1: Email template used by Nerbian RAT to be disseminated in the wild (source). After the Microsoft Word file is downloaded, the embedded auto macro is executed. It creates a Windows .bat file (the first stage) that will download the Nerbian “dropper” from the Internet. Figure 2: Bat file — 1st stage of Nerbian RAT. As shown above, the payload downloads a binary file and renames it “UpdatedUAV.exe.” It is a Goland binary that smoothly bypasses file signature detection....