Negasteal, also known as AGENT TESLA, is an information-stealing malware written in .NET with keylogging and remote access Trojan (RAT) capabilities. It was first seen in 2014 and has been used in numerous malicious campaigns since. It sends stolen information out through a web panel, File Transfer Protocol (FTP), or Simple Mail Transfer Protocol (SMTP). One earlier version was compiled with AutoIt to obfuscate the binary and evade security detection, and another version could spread through removable drives.
In recent malspam campaigns that rely on social engineering, such as COVID-19-themed spam or emails carrying purchase orders or invoices, a new NEGASTEAL variant was found as an attachment. The executable usually arrives inside an archive such as a ZIP or RAR file. In addition to stealing machine information, browser data, email client and FTP client credentials, and user credentials, this variant carries a new module that harvests saved WiFi profiles and their keys. The stolen information is sent out via email or FTP. With the WiFi credentials in hand, the attackers gain a way to spread through, or re-enter, the victim's network.
Behaviour
- Creates a scheduled task to execute the NEGASTEAL payload
- Disables Task Manager by setting the DisableTaskMgr registry value with reg.exe
- Collects data from the system, including FTP client and browser credentials, file downloads, and machine information (username, computer name, OS name, CPU architecture, RAM)
- Runs a heavily obfuscated executable that collects wireless profile credentials from the compromised computer by running netsh with the `wlan show profile` argument to list all saved WiFi profiles (netsh prints a profile's key only when the command is run with `key=clear`)
- Sends stolen credentials and information via email (SMTP) or FTP
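The behaviours above all surface as child processes of the dropped payload, which makes process-creation telemetry (Sysmon Event ID 1, Security 4688) the natural place to catch this variant. The script below is an added example, not Trend Micro's code and not the malware's: it runs command-line rules for the scheduled task, the DisableTaskMgr write, the `netsh wlan show profile` listing and the `key=clear` key dump over a text export, then correlates hits by parent image so that a dropper running from a user-writable path stands out from an administrator typing the same netsh command. The record layout (`timestamp|parent_image|image|command_line`), every sample event, and the exact switch shapes in them are constructed assumptions; the page only names the netsh listing command and reg.exe.

```python
"""
Triage of Windows process-creation events for the NEGASTEAL behaviours listed
above. Added example, not Trend Micro's code and not the malware's; the record
layout and every sample event below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str            # tactic / technique as mapped in the ATT&CK table on this page
    pattern: "re.Pattern"


RULES = [
    # Scheduled task creation (T1053.005). The switches the sample uses are not on
    # this page; /create is the one part no variant can leave out.
    Rule("schtasks_create", "Persistence (T1053.005)",
         re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.I)),
    # Task Manager is disabled by writing DisableTaskMgr=1 under
    # HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (T1562.001).
    Rule("disable_taskmgr", "Defense Evasion (T1562.001)",
         re.compile(r"\breg(?:\.exe)?\s+add\b.*\bDisableTaskMgr\b.*\s/d\s+(?:0x)?0*1\b", re.I)),
    # Listing saved WiFi profiles only; administrators run this too, so low severity.
    Rule("wlan_profile_enum", "Discovery",
         re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b(?!.*\bkey\s*=\s*clear\b)", re.I)),
    # key=clear makes netsh print the profile's pre-shared key in the clear, i.e.
    # the actual credential theft step (the page maps credential gathering to T1555).
    Rule("wlan_key_clear", "Credential Access (T1555)",
         re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b", re.I)),
]

# A parent living in a user-writable directory (where a mail-borne dropper lands)
# separates the malware chain from an administrator issuing the same command.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# Constructed events in a hypothetical "timestamp|parent_image|image|command_line" layout.
SAMPLE_EVENTS = r"""
2020-07-09T10:01:03|C:\Windows\explorer.exe|C:\Users\victim\AppData\Roaming\Invoice.exe|"C:\Users\victim\AppData\Roaming\Invoice.exe"
2020-07-09T10:01:04|C:\Users\victim\AppData\Roaming\Invoice.exe|C:\Windows\System32\schtasks.exe|"schtasks.exe" /Create /TN "Updates\Invoice" /XML "C:\Users\victim\AppData\Local\Temp\tmp1A2B.tmp"
2020-07-09T10:01:05|C:\Users\victim\AppData\Roaming\Invoice.exe|C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2020-07-09T10:01:06|C:\Users\victim\AppData\Roaming\Invoice.exe|C:\Windows\System32\netsh.exe|netsh wlan show profile
2020-07-09T10:01:07|C:\Users\victim\AppData\Roaming\Invoice.exe|C:\Windows\System32\netsh.exe|netsh wlan show profile name="CorpGuest" key=clear
2020-07-09T10:05:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c netsh wlan show profile
2020-07-09T10:06:00|C:\Windows\System32\svchost.exe|C:\Windows\System32\schtasks.exe|schtasks /Change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
"""


def parse_event(line):
    """Split one record into its four fields (the command line may itself contain '|')."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmd": cmd}


def match_rules(cmd):
    """Return every rule whose pattern matches the command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def scan(events_text):
    """Run all rules over the export and return one finding per (event, rule) hit."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in match_rules(ev["cmd"]):
            findings.append({
                "ts": ev["ts"],
                "parent": ev["parent"],
                "rule": rule.name,
                "tactic": rule.tactic,
                "parent_user_writable": bool(USER_WRITABLE.search(ev["parent"])),
            })
    return findings


# Persistence + Task Manager tampering + key dump from one parent is the chain above.
CHAIN = {"schtasks_create", "disable_taskmgr", "wlan_key_clear"}


def correlate(findings):
    """Group hits by parent image and keep only parents that ran the whole chain."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f["parent"]].add(f["rule"])
    return {parent: sorted(rules) for parent, rules in by_parent.items() if CHAIN <= rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        flag = "!" if h["parent_user_writable"] else " "
        print(f"{flag} {h['ts']} {h['rule']:18} {h['tactic']:30} parent={h['parent']}")
    for parent, rules in correlate(hits).items():
        print(f"\nNEGASTEAL-like chain from {parent}: {', '.join(rules)}")
```

On the constructed events, the lone `netsh wlan show profile` launched from explorer.exe fires only the low-severity enumeration rule and never reaches the chain, while Invoice.exe under AppData triggers all four rules and is reported as the full chain; the `schtasks /Change` from svchost.exe is ignored because only `/create` is persistence-relevant.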
Capabilities
- Information Theft
- Backdoor commands
Impact
- Violation of user privacy - gathers user credentials, logs keystrokes and steals user information
- Compromises system security - its backdoor capability lets an attacker execute malicious commands on the host
Additional Threat Reference Information
Sample Spam (Invoice Attachment)
Infection Chain
MITRE ATT&CK Matrix
BEHAVIOR | TACTIC | TECHNIQUE |
---|---|---|
Malware arrives as a purchase order or invoice attachment. | Initial Access | T1566.001 Phishing: Spearphishing Attachment |
Victim is lured into opening the attachment. | Execution | T1204.002 User Execution: Malicious File |
Drops a copy of itself and a .TMP file | Defense Evasion | T1027 Obfuscated Files or Information |
Creates a scheduled task | Execution, Persistence | T1053.005 Scheduled Task/Job: Scheduled Task |
Disables Task Manager | Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Gathers data and credentials | Discovery, Credential Access | T1082 System Information Discovery; T1087 Account Discovery; T1555 Credentials from Password Stores; T1056.001 Input Capture: Keylogging |
Sends stolen information via email or FTP | Exfiltration | T1048 Exfiltration Over Alternative Protocol |
Available Solutions
Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules |
---|---|---|---|---|
Email Protection | Yes | AS Pattern 5532 | July 9, 2020 | - |
URL Protection | Yes | In the Cloud | - | - |
Advanced Threat Scan Engine (ATSE) | Yes | 15.953.00 | July 10, 2020 | - |
Predictive Machine Learning | Yes | In the Cloud | - | Troj.Win32.TRX.XXPE50FFF036 |
File detection (VSAPI) | Yes | ENT OPR 15.948.00 | June 23, 2020 | TrojanSpy.MSIL.NEGASTEAL.DYSGWR, TrojanSpy.MSIL.NEGASTEAL.DYSGVT, TrojanSpy.MSIL.NEGASTEAL.GWI |