Yara Signature For Nerbian RAT Malware

GuitarBob
Posted: Wed May 11, 2022 3:41 pm
Below is a Yara signature for a new remote access trojan being distributed via email using Covid-19 as a hook. It uses sophisticated evasion techniques. Copy and paste the signature into a new Notepad file, from the word "rule" to the ending "}", and save it as a file named NerbianRat.yar in the ClamWin database folder. Save it with the file type set to "All Files". The file name should be NerbianRat.yar and nothing else.

Yara signatures can be kept permanently if they are not for a specific malware. This one is for a specific malware, so keep it for about three months.

Thanks to Proofpoint!
```yara
rule Nerbian_RAT
{
    meta:
        author = "ptrouerbach"
        reference = "5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597"
        malfamily = "NerbianRAT"
    strings:
        $args_p = "p-" ascii
        $args_s = "s-" ascii
        $args_h = "h-" ascii
        $args_P = "P-" ascii
        $hardcoded_aes_key = { 17E87F581F1DF8D6129D65FD50CEB3DD6C4E1C223077CD7D4C595DA6C3DF92B2 }
        $param_auth = "auth_post" ascii
        $param_session = "session_key" ascii
        $param_data = "data_post" ascii
        $param_addr = "addr_post" ascii
        $param_port = "port_post" ascii
    condition:
        uint16be(0) == 0x4D5A
        and ($hardcoded_aes_key or (all of ($param*) and all of ($args*)))
        and filesize < 10MB
}
```
Regards,
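As an added example (not part of the post above or of Proofpoint's rule), the following Python mirrors the rule's condition clause by clause and runs it against constructed byte buffers, so each branch (MZ header check, AES-key match, all-strings match, filesize limit) can be confirmed before the .yar file is dropped into the ClamWin database folder. The strings and key bytes are copied from the rule; the sample buffers are constructed here and are not real files.

```python
# Strings and key bytes copied from the Nerbian_RAT rule above.
ARGS = [b"p-", b"s-", b"h-", b"P-"]
PARAMS = [b"auth_post", b"session_key", b"data_post", b"addr_post", b"port_post"]
AES_KEY = bytes.fromhex(
    "17E87F581F1DF8D6129D65FD50CEB3DD6C4E1C223077CD7D4C595DA6C3DF92B2"
)
MAX_SIZE = 10 * 1024 * 1024  # YARA's "10MB" means 10 * 2**20 bytes


def nerbian_rat_matches(data: bytes) -> bool:
    """Evaluate the rule's condition over an in-memory buffer."""
    # uint16be(0) == 0x4D5A : the buffer starts with the "MZ" PE magic
    if len(data) < 2 or int.from_bytes(data[:2], "big") != 0x4D5A:
        return False
    # $hardcoded_aes_key or (all of ($param*) and all of ($args*))
    has_key = AES_KEY in data
    has_all_strings = all(p in data for p in PARAMS) and all(a in data for a in ARGS)
    if not (has_key or has_all_strings):
        return False
    # filesize < 10MB
    return len(data) < MAX_SIZE


def build_sample(header: bytes, body: bytes, pad: int = 0) -> bytes:
    """Constructed test input (not a real executable): header, filler, body, padding."""
    return header + b"\x00" * 64 + body + b"\x00" * pad


# Constructed samples, one per branch of the condition.
SAMPLE_KEY_ONLY = build_sample(b"MZ", AES_KEY)                         # key branch
SAMPLE_STRINGS_ONLY = build_sample(b"MZ", b"\x00".join(PARAMS + ARGS))  # strings branch
SAMPLE_MISSING_ARG = build_sample(b"MZ", b"\x00".join(PARAMS + ARGS[:3]))  # "P-" absent
SAMPLE_NOT_PE = build_sample(b"\x7fELF", AES_KEY)                      # wrong magic
SAMPLE_TOO_BIG = build_sample(b"MZ", AES_KEY, pad=MAX_SIZE)            # over 10MB

if __name__ == "__main__":
    for name in ("SAMPLE_KEY_ONLY", "SAMPLE_STRINGS_ONLY", "SAMPLE_MISSING_ARG",
                 "SAMPLE_NOT_PE", "SAMPLE_TOO_BIG"):
        print(f"{name}: {nerbian_rat_matches(globals()[name])}")
```

Writing these buffers to disk and scanning them with the yara command-line tool against NerbianRat.yar gives the same verdicts, which is a quick way to confirm the file was saved correctly.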