Negasteal variant capable of stealing WiFi credentials

    • Updated: 17 Dec 2020
    • Product/Version: Apex One 2019; Deep Discovery Email Inspector 5.0; Deep Discovery Inspector 5.5; Deep Security 12.0; OfficeScan XG; ScanMail for Exchange 14.0; Worry-Free Business Security Standard 10.0
    • Platform:
Summary

Negasteal, also known as AGENT TESLA, is an information-stealing malware written in Microsoft's .NET language with keylogging and remote access Trojan (RAT) capabilities. It was discovered in 2014 and has been used in various malicious campaigns ever since. It is known to send stolen information through a web panel, File Transfer Protocol (FTP) or Simple Mail Transfer Protocol (SMTP). A previous version of the malware was compiled in AutoIT to obfuscate the binary and evade security detection, and another version is capable of spreading through removable drives.

In recent malspam campaigns that use social engineering lures such as COVID-19 themed spam or emails containing purchase orders or invoices, a new variant of the NEGASTEAL malware was found as an attachment. The executable usually arrives inside an archived or compressed file such as ZIP or RAR. Besides stealing machine information, browser data, email client or FTP credentials and user credentials, this variant has a new module for collecting WiFi profiles and their credentials. The stolen information is sent via email or FTP. With this new feature, the cybercriminals gain the ability to spread through, or create an entry vector into, the victim's network.

Behaviour

  • Creates a scheduled task to execute the NEGASTEAL payload
  • Disables Task Manager through the registry using reg.exe
  • Collects information about the system including FTP clients, browsers, file downloads, machine info (username, computer name, OS name, CPU architecture, RAM)
  • Runs a heavily obfuscated executable designed to collect wireless profile credentials from the compromised computer by issuing the netsh command with the wlan show profile argument, which lists all saved WiFi profiles
  • Sends stolen credentials or information via email or remote file transfer
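The three behaviours above (netsh WiFi profile enumeration, Task Manager disabled via reg.exe, a scheduled task for the payload) all show up as child processes of the payload in process-creation telemetry. The following is an added detection example, not code from Trend Micro or from this advisory: it runs three rules over constructed sample events and flags a parent that exhibits at least two of them, since any one of these commands alone is common administrative activity. The technique IDs are taken from the advisory's ATT&CK table (the netsh rule is mapped to its "Gather data and credentials" row); the DisableTaskMgr value name is the Windows policy value reg.exe would set and is an assumption, as the advisory names only the tool.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry): the payload
# (parent pid 3990) spawns the three helper processes the advisory describes.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3990, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"pid": 4133, "ppid": 3990, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
                r" /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"pid": 4140, "ppid": 3990, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn Updates\svc /tr "C:\Users\u\AppData\Roaming\svc.exe"'},
    # Benign look-alikes from an admin session (parent pid 2210) that must not fire.
    {"pid": 4151, "ppid": 2210, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
    {"pid": 4160, "ppid": 2210, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"},
]

# Rule name, ATT&CK technique from the advisory's table, expected image, command-line pattern.
# DisableTaskMgr (assumption) is the Windows policy value reg.exe would write to hide Task Manager.
RULES = [
    ("wifi_profile_enum", "T1555", "netsh.exe", re.compile(r"\bwlan\s+show\s+profile", re.I)),
    ("disable_taskmgr", "T1562.001", "reg.exe", re.compile(r"\badd\b.*\bDisableTaskMgr\b", re.I)),
    ("scheduled_task_create", "T1053.005", "schtasks.exe", re.compile(r"/create\b", re.I)),
]


def image_basename(path):
    """Lower-cased file name of an image path, tolerant of either path separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def match_events(events):
    """Return one hit per (event, rule) pair whose image name and command line both match."""
    hits = []
    for ev in events:
        base = image_basename(ev["image"])
        for name, technique, image, pattern in RULES:
            if base == image and pattern.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": name, "technique": technique})
    return hits


def suspicious_parents(events, min_rules=2):
    """Parents that spawned at least min_rules distinct flagged behaviours: one netsh or
    schtasks call is routine admin activity, the cluster is the behaviour this advisory describes."""
    by_parent = defaultdict(set)
    for hit in match_events(events):
        by_parent[hit["ppid"]].add(hit["rule"])
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= min_rules}
```

Feeding real Sysmon event ID 1 or Windows 4688 records into match_events only requires mapping their image, parent PID and command-line fields onto the dictionary keys used here.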

Capabilities

  • Information Theft
  • Backdoor commands

Impact

  • Violation of user privacy - gathers user credentials, logs keystroke and steals user information
  • Compromise system security - with backdoor capabilities that can execute malicious commands

Additional Threat Reference Information

Sample Spam (Invoice Attachment)

Infection Chain

MITRE ATT&CK Matrix

BEHAVIOR | TACTIC | TECHNIQUE
Malware arrives as a purchase order or invoice attachment. | Initial Access | T1566.001 Phishing: Spearphishing Attachment
Victim is lured into opening the attachment. | Execution | T1204.002 User Execution: Malicious File
Drops a copy of itself and a .TMP file | Defense Evasion | T1027 Obfuscated Files or Information
Creates a scheduled task | Execution, Persistence | T1053.005 Scheduled Task/Job: Scheduled Task
Disables Task Manager | Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools
Gathers data and credentials | Discovery, Credential Access | T1082 System Information Discovery; T1087 Account Discovery; T1555 Credentials from Password Stores; T1056.001 Input Capture: Keylogging
Sends stolen information via email or FTP | Exfiltration | T1048 Exfiltration Over Alternative Protocol

Available Solutions

Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules
Email Protection | Yes | AS Pattern 5532 | July 9, 2020 | -
URL Protection | Yes | In the Cloud | - | -
Advanced Threat Scan Engine (ATSE) | Yes | 15.953.00 | July 10, 2020 | -
Predictive Machine Learning | Yes | In the Cloud | - | Troj.Win32.TRX.XXPE50FFF036
File detection (VSAPI) | Yes | ENT OPR 15.948.00 | June 23, 2020 | TrojanSpy.MSIL.NEGASTEAL.DYSGWR; TrojanSpy.MSIL.NEGASTEAL.DYSGVT; TrojanSpy.MSIL.NEGASTEAL.GWI
Category: Remove a Malware / Virus
Solution Id: 000283374