Negasteal Malware Information

    • Updated: 21 Jan 2020
    • Product/Version: Apex One 2019; Deep Discovery Email Inspector 3.1; Deep Discovery Inspector 5.5; Deep Security 12.0; InterScan Messaging Security Suite 9.1; InterScan Web Security Virtual Appliance 6.5; OfficeScan XG; ScanMail for Exchange 14.0; Worry-Free Business Security Advanced 10.0
    • Platform: N/A
Summary

The Negasteal malware first appeared in 2017 and shares the command-and-control panel and communication protocol features of Agent Tesla, which first appeared in 2015.

The current malspam campaign relies on social engineering: the email poses as a product inquiry or purchase order inquiry and is sent to marketing officers at different companies. The Negasteal build delivered in this campaign is compiled with AutoIt and steals credentials and logs keystrokes from various Windows applications. AutoIt is a scripting language intended to automate basic tasks in the Windows graphical user interface (GUI); here it is abused to wrap and obfuscate the malware binary so that it evades security detection.
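The two things a gateway or responder can check on an attachment from this lure are the file name (an executable hiding behind a document or archive name) and whether the payload is an AutoIt-compiled wrapper. The script below is an added example and not Trend Micro code or a Trend Micro detection; it keys on the "AU3!EA06" tag and the 16-byte resource magic that compiled AutoIt v3 scripts embed, which is a documented AutoIt artifact rather than anything specific to Negasteal. The subjects, file names, extension lists and sample bytes are constructed for the example.

```python
"""Attachment triage for the purchase-order malspam lure described above.

Added example, not Trend Micro code. Two checks a mail-gateway or
incident-response script can apply to an extracted attachment:
  1. does the file name look like an executable disguised behind a
     document or archive name?
  2. does the payload carry the "AU3!EA06" marker that compiled AutoIt v3
     scripts embed, which lets an AutoIt-wrapped stealer be spotted
     without unpacking it?
The 16-byte magic before the tag is the AutoIt script-resource signature;
every subject, file name and byte string below is constructed.
"""
import re

AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_TAG = b"AU3!EA06"

EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "wsf"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img", "gz", "ace", "arj"}
LURE = re.compile(r"purchase\s*order|\bp\.?o\b|inquiry|quotation|\brfq\b|invoice", re.I)


def is_autoit_compiled(data: bytes) -> bool:
    """Return True when the blob carries the compiled-AutoIt resource marker."""
    pos = data.find(AU3_MAGIC)
    if pos != -1 and data.startswith(AU3_TAG, pos + len(AU3_MAGIC)):
        return True
    # Some packers relocate or strip the magic; the ASCII tag alone is still
    # a strong hint and is what most triage tooling keys on.
    return AU3_TAG in data


def name_findings(filename: str) -> list[str]:
    """Reasons the attachment name looks like a disguised executable."""
    parts = filename.lower().rsplit(".", 2)
    findings = []
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXEC_EXT:
        findings.append(f"executable extension .{ext}")
        if len(parts) == 3 and parts[1] in DOC_EXT:
            findings.append(f"double extension .{parts[1]}.{ext}")
    if ext in ARCHIVE_EXT:
        findings.append(f"archive .{ext}: extract and triage the contents")
    return findings


def triage(subject: str, filename: str, data: bytes) -> dict:
    """Combine lure, name and content checks into a verdict for one attachment."""
    findings = name_findings(filename)
    if LURE.search(subject):
        findings.append("purchase-order/inquiry lure in subject")
    if is_autoit_compiled(data):
        findings.append("compiled AutoIt script embedded (AU3!EA06)")
    # Block on hard evidence (executable content or an AutoIt wrapper); a lure
    # subject or an archive container alone only raises the review priority.
    hard = any(f.startswith(("executable", "double", "compiled")) for f in findings)
    verdict = "block" if hard else ("review" if findings else "clean")
    return {"file": filename, "verdict": verdict, "findings": findings}


# Constructed samples, not real campaign artifacts.
LURE_SAMPLE = (
    "RE: Purchase Order PO-4521 inquiry",
    "PO-4521.pdf.exe",
    b"MZ\x90\x00" + b"\x00" * 64 + AU3_MAGIC + AU3_TAG + b"\x00" * 16,
)
BENIGN_SAMPLE = ("Weekly status report", "status.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")

if __name__ == "__main__":
    for sample in (LURE_SAMPLE, BENIGN_SAMPLE):
        print(triage(*sample))
```

Archives are only flagged for review because the executable normally sits inside them; in a real pipeline the archive members would be extracted and passed back through `triage` before a verdict is issued.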

Another version of Negasteal uses removable drives as a new delivery vector and steals credentials from the FTPGetter and Becky! Internet Mail applications. This Trojan-Spyware sends the data it gathers from its victims to the malware author's email address via Simple Mail Transfer Protocol (SMTP).

This Trojan-Spyware gathers the following data and sends it to its servers:

  • Computer information (OS version and platform, computer name, IP address, user name, physical memory size)
  • Hardware information (processor name, video card name, video card memory)
  • Browser's user names and passwords
  • File Transfer Protocol (FTP) clients or file manager software stored account information
  • Email credentials of popular mail clients

Capabilities

  • Information Theft

Impact

  • Violation of user privacy - gathers user credentials, logs keystrokes and steals user information

Infection Chain

MITRE ATT&CK MATRIX

Behavior | Tactic | Technique
Arrives as a purchase order attachment in spam mail | Initial Access | T1193: Spearphishing Attachment
User is baited into opening the archive attachment, which runs the malicious file | Execution | T1204: User Execution
Obfuscates the malware binary | Defense Evasion | T1027: Obfuscated Files or Information
Steals personal and financial information by keylogging | Collection | T1056: Input Capture
Stolen information is sent via SMTP | Exfiltration | T1071: Standard Application Layer Protocol
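The exfiltration step in the matrix above, and the SMTP delivery to the author's mailbox described in the summary, give a network-level signal that does not depend on the binary at all: an ordinary workstation opening SMTP sessions (25, 465 or 587) straight to internet hosts instead of handing mail to the corporate relay. The detection below is an added example and not a Trend Micro network pattern; it runs over constructed, tab-separated lines shaped like Zeek `conn.log` fields (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, orig_bytes), and the workstation subnet, relay address and log content are assumptions made for the example.

```python
"""Flag the SMTP exfiltration path Negasteal uses, over connection logs.

Added example, not a Trend Micro network rule. It imitates the tab-separated
Zeek conn.log layout (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
proto, service, orig_bytes) and treats any workstation that speaks SMTP to
the internet itself, rather than through the sanctioned relay, as a
candidate stealer. The subnets, relay address and log lines are constructed
assumptions for the example.
"""
import ipaddress
from collections import defaultdict

WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")          # assumed endpoint range
MAIL_RELAYS = {ipaddress.ip_address("10.20.1.25")}           # assumed sanctioned MTA
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}

# Constructed sample. 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges standing in for internet hosts.
SAMPLE_CONN_LOG = """\
1579000001.1\tCa1\t10.20.5.17\t49811\t198.51.100.23\t587\ttcp\tsmtp\t18320
1579000002.3\tCa2\t10.20.1.25\t40211\t198.51.100.23\t25\ttcp\tsmtp\t5120
1579000003.9\tCa3\t10.20.5.17\t49812\t203.0.113.8\t443\ttcp\tssl\t900
1579000004.0\tCa4\t10.20.7.44\t51000\t198.51.100.77\t465\ttcp\tssl\t24400
1579000005.2\tCa5\t10.20.5.17\t49820\t198.51.100.23\t587\ttcp\tsmtp\t19000
1579000006.8\tCa6\t10.20.9.3\t52100\t10.20.1.25\t25\ttcp\tsmtp\t2100
"""


def parse_conn(line: str) -> dict:
    """Pull the fields this rule needs out of one conn.log line."""
    f = line.rstrip("\n").split("\t")
    return {
        "ts": float(f[0]), "uid": f[1],
        "src": ipaddress.ip_address(f[2]), "dst": ipaddress.ip_address(f[4]),
        "dport": int(f[5]), "bytes": int(f[8]),
    }


def is_internal(addr) -> bool:
    # Explicit RFC 1918 check; ipaddress.is_private would also treat the
    # documentation ranges used in the sample as private.
    return any(addr in net for net in INTERNAL)


def smtp_exfil_alerts(log_text: str) -> list[dict]:
    """One alert per workstation that sent SMTP directly to an external host."""
    per_host = defaultdict(lambda: {"conns": 0, "bytes": 0, "dsts": set(), "uids": []})
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        c = parse_conn(line)
        if c["dport"] not in SMTP_PORTS:
            continue
        if c["src"] not in WORKSTATIONS or c["src"] in MAIL_RELAYS:
            continue          # servers and the relay are allowed to speak SMTP
        if is_internal(c["dst"]):
            continue          # submission to the internal relay is expected
        h = per_host[str(c["src"])]
        h["conns"] += 1
        h["bytes"] += c["bytes"]
        h["dsts"].add(f'{c["dst"]}:{c["dport"]}')
        h["uids"].append(c["uid"])
    return [
        {"host": host, "conns": v["conns"], "bytes": v["bytes"],
         "dsts": sorted(v["dsts"]), "uids": v["uids"]}
        for host, v in sorted(per_host.items())
    ]


if __name__ == "__main__":
    for alert in smtp_exfil_alerts(SAMPLE_CONN_LOG):
        print(alert)
```

The rule deliberately does not inspect payload: the 465/587 sessions are TLS, so the only reliable signals are who opened the connection and where it went. Repeated sessions from one host to the same external mailbox provider, with a few tens of kilobytes outbound each time, match the keylog-and-credential uploads described in the summary and are what the alert aggregates per host.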

Sample Spam - Purchase order attachment

Detection Coverage

File Reputation

Detection/Policy/Rules | Pattern Branch/Version | Release Date
TrojanSpy.Win32.NEGASTEAL.DOCDU | 15.243.00 | July 18, 2019
TrojanSpy.MSIL.NEGASTEAL.BF | |
TrojanSpy.MSIL.NEGASTEAL.SMK | 15.624.00 | January 16, 2020
TrojanSpy.MSIL.NEGASTEAL.KCW | |
Trojan.AutoIt.NEGASTEAL.A | |
TrojanSpy.W97M.NEGASTEAL.AB | |
TrojanSpy.Win32.NEGASTEAL.DOCIM | |
TrojanSpy.Win32.NEGASTEAL.B | |

Predictive Machine Learning

Detection | Pattern Branch/Version
Troj.Win32.TRX.XXPE50FFF033 | In-the-cloud
Troj.Win32.TRX.XXPE50FFF034 |

Web Reputation

Detection | Pattern Branch/Version
URL Protection | In-the-cloud

Email Protection

Pattern Branch/Version | Release Date
AS Pattern 5170 | January 15, 2020

Advanced Threat Scan Engine (ATSE)

Pattern Branch/Version | Release Date
15.623.00 | January 15, 2020

Network Pattern

Detection/Policy/Rules | Pattern Branch/Version | Release Date
NEGASTEAL – HTTP (Request) | NCCP 1.13857.00 | October 23, 2019
NEGASTEAL – SMTP (Request) | NCCP 1.13931.00 |

Solution Map - What should customers do?

Endpoint Security: Apex One 2019; OfficeScan XG (12.0); Worry-Free Business Security Standard (10.0) and Advanced (10.0)
    Virus Pattern: Update pattern via web console
    Anti-Spam Pattern: Not Applicable (Apex One, OfficeScan); Update pattern via web console (Worry-Free Business Security Advanced)
    Network Pattern: Update pattern via web console
    Predictive Machine Learning: Enable Predictive Machine Learning
    Web Reputation: Enable Web Reputation Service and update pattern via web console

Hybrid Cloud Security: Deep Security 12.0
    Virus Pattern: Update pattern via web console
    Anti-Spam Pattern: Not Applicable
    Network Pattern: Update pattern via web console
    Predictive Machine Learning: Enable Predictive Machine Learning
    Web Reputation: Enable Web Reputation Service and update pattern via web console

Email and Gateway Security: Deep Discovery Email Inspector 3.5; InterScan Messaging Security 9.1; InterScan Web Security 6.5; ScanMail for Microsoft Exchange 14.0
    Virus Pattern: Update pattern via web console
    Anti-Spam Pattern: Update pattern via web console (Not Applicable for InterScan Web Security)
    Network Pattern: Update pattern via web console
    Predictive Machine Learning: Not Applicable
    Web Reputation: Enable Web Reputation Service and update pattern via web console

Network Security: Deep Discovery Inspector 5.5
    Virus Pattern: Update pattern via web console
    Anti-Spam Pattern: Not Applicable
    Network Pattern: Update pattern via web console
    Predictive Machine Learning: Not Applicable
    Web Reputation: Enable Web Reputation Service and update pattern via web console

Category: Remove a Malware / Virus
Solution Id: 1123283