FortiGuard Labs is aware that a new Remote Access Trojan (RAT) called Nerbian RAT was delivered to the targets via COVID-19 and World Health Organization (WHO) themed emails. Nerbian RAT is written in the Go programming language and performs keylogging and screen capture on the compromised machine.Why is this Significant?This is significant because Nerbrian RAT was delivered through emails that leverages COVID-19 and World Health Organization (WHO) themed lures that are still effective today to COVID themed to compel unsuspecting victims to open malicious attachments. The RAT is also capable of stealing sensitive information from the compromised machine through keylogging and screen capture.What is Nerbian RAT?Nerbian RAT is a Remote Access Trojan and is written in the Go programming language. The malware was delivered to the target through COVID-19 and WHO themed emails such as the following:The attached document file contains malicious macros, which downloads a dropper file after macros are enabled. The dropper performs anti-reversing and anti-VM checks before launching Nerbian RAT. The malware has an encrypted configuration file containing information such which Command and Control (C2) servers to connect to and connection intervals, how many times the RAT tries to transfer files and C2 backup domains.The malware performs typical RAT activities such as keylogging and screen capture.How Widespread is the Malware?The malware was reportedly to have been observed in Italy, Spain, and the United Kingdom. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of Nerbian RAT and associated files:VBA/Agent.XSQ!tr.dldrBAT/NerbianRAT.D!trMalicious_Behavior.SBRiskware/ApplicationW32/PossibleThreatPossibleThreat.PALLAS.HAll network IOC’s are blocked by the WebFiltering client.
Kyle Zeng discovered that the Network Queuing and Scheduling subsystem of
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2022-29581)
Bing-Jhong Billy Jheng discovered that the io_uring subsystem in the Linux
kernel contained in integer overflow. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-1116)
Jann Horn discovered that the Linux kernel did not properly enforce seccomp
restrictions in some situations. A local attacker could use this to bypass
intended seccomp sandbox restrictions. (CVE-2022-30594)
Kyle Zeng discovered that the Network Queuing and Scheduling subsystem of
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2022-29581)
Jann Horn discovered that the Linux kernel did not properly enforce seccomp
restrictions in some situations. A local attacker could use this to bypass
intended seccomp sandbox restrictions. (CVE-2022-30594)
The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to cross-site scripting, which may allow an attacker to remotely execute arbitrary code.
A vulnerability in the Spectrum Scale 5.1 core component and IBM Elastic Storage System 6.1 could allow unauthorized access to user data or injection of arbitrary data in the communication protocol. IBM X-Force ID: 191600.
A large number of security issues were discovered in the WebKitGTK Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
A vulnerability was found in Telecommunication Software SAMwin Contact Center Suite 5.1. It has been rated as critical. Affected by this issue is the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the credential handler. Authentication is possible with hard-coded credentials. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.
A vulnerability classified as critical has been found in Telecommunication Software SAMwin Contact Center Suite 5.1. This affects the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the database handler. The manipulation leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.
A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.
