Negasteal Malware Information

Product / Version includes:

Deep Discovery Email Inspector3.1 , OfficeScanXG , Apex One2019 , InterScan Messaging Security Suite9.1 , Worry-Free Business Security Advanced10.0 , ScanMail for Exchange14.0 , Deep Discovery Inspector5.5 , Deep Security12.0 , Interscan Web Security Virtual Appliance6.5

Last updated: 2021/08/28

Solution ID: KA-0009568

Category: Remove a Malware / Virus

Summary

The Negasteal malware first appeared in 2017 with the same command and control panel and communication protocol features of Agent Tesla which first appeared in 2015.

The current malspam campaign utilizes social engineering in which the email contains product inquiry or purchase order inquiry sent to marketing officers of different companies. A version of Negasteal malware which is compiled by AutoIT was delivered via email to steal credentials and log keystrokes from various Windows applications. The AutoIt is a scripting language intended to automate basic tasks in Windows graphical user interface (GUI), to obfuscate malware binary and evade security detection.

Another version of Negasteal used removable drives as new delivery vector to steal credentials from applications FTPGetter and Becky! Internet Mail. This Trojan-Spyware sends the data it gathers from its victims to the email address of the malware author via Simple Mail Transfer Protocol (SMTP).

This Trojan-Spyware gathers the following data and sends it to its servers:

Computer information (OS version, computer name, OS version platform, IP address, user name, physical memory size)
Hardware information (processor name, video card name, video card memory)
Browser's user names and passwords
File Transfer Protocol (FTP) clients or file manager software stored account information
Email credentials of popular mail clients

Capabilities

Information Theft

Impact

Violation of user privacy - gathers user credentials, logs keystroke and steals user information

Additional Reference

Threat Encyclopedia: TrojanSpy.Win32.NEGASTEAL.DOCHF

Infection Chain

MITRE ATT&CK MATRIX

BEHAVIOR	TACTIC	TECHNIQUE
Arrives as purchase order attachment spam mails	Initial Access	T1193: Spear Phishing Attachment
User is bait to click archive attachment and malicious file is run	Execution	T1204: User Execution
Obfuscates malware binary	Defense Evasion	T1027: Obfuscated Files or Information
Steals personal and financial information by using keylogger techniques	Collection	T1056: Input Capture
Stolen information is sent via SMTP	Exfiltration	T1071: Standard Application Layer Protocol

Sample Spam - Purchase order attachment

Detection Coverage

File Reputation

Detection/Policy/Rules	Pattern Branch/Version	Release Date
TrojanSpy.Win32.NEGASTEAL.DOCDU	15.243.00	July 18, 2019
TrojanSpy.MSIL.NEGASTEAL.BF	15.243.00	July 18, 2019
TrojanSpy.MSIL.NEGASTEAL.SMK	15.624.00	January 16, 2020
TrojanSpy.MSIL.NEGASTEAL.KCW
Trojan.AutoIt.NEGASTEAL.A
TrojanSpy.W97M.NEGASTEAL.AB
TrojanSpy.Win32.NEGASTEAL.DOCIM
TrojanSpy.Win32.NEGASTEAL.B

Predictive Machine Learning

Detection	Pattern Branch/Version
Troj.Win32.TRX.XXPE50FFF033	In-the-cloud
Troj.Win32.TRX.XXPE50FFF034	In-the-cloud

Web Reputation

Detection	Pattern Branch/Version
URL Protection	In-the-cloud

Email Protection

Pattern Branch/Version	Release Date
AS Pattern 5170	January 15, 2020

Advance Threat Scan Engine (ATSE)

Pattern Branch/Version	Release Date
15.623.00	January 15, 2020

Network Pattern

Detection/Policy/Rules	Pattern Branch/Version	Release Date
NEGASTEAL – HTTP (Request)	NCCP 1.13857.00	October 23, 2019
NEGASTEAL – SMTP (Request)	NCCP 1.13931.00	October 23, 2019

Solution Map - What should customers do?

Trend Micro Solution	Major Product	Latest Version	Virus Pattern	Anti-Spam Pattern	Network Pattern	Predictive Machine Learning	Web Reputation
Endpoint Security	ApexOne	2019	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
	OfficeScan	XG (12.0)			Not Applicable
	Worry-Free Business Security	Standard (10.0)
	Worry-Free Business Security	Advanced (10.0)		Update pattern via web console
Hybrid Cloud Security	Deep Security	12.0	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
Email and Gateway Security	Deep Discovery Email Inspector	3.5	Update pattern via web console	Update pattern via web console	Update pattern via web console	Not Applicable	Enable Web Reputation Service and update pattern via web console
	InterScan Messaging Security	9.1			Not Applicable
	InterScan Web Security	6.5
	ScanMail for Microsoft Exchange	14.0
Network Security	Deep Discovery Inspector	5.5	Update pattern via web console	Not Applicable	Update pattern via web console	Not Applicable	Enable Web Reputation Service and update pattern via web console

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of Negasteal malware.
Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Negasteal Malware Information

Negasteal Malware Information

Product / Version includes:

Summary