Neurevt Trojan in Action
Researchers spotted the new version of the Trojan, which now comes with spyware and backdoor capabilities. Attackers can gain access to the victim’s system and modify its settings to conceal their presence. The malware can also take screenshots of the victim’s monitor.
Neurevt, also known as Betabot, is a multifunctional Trojan written in C++ that was first spotted in 2013. It’s a sophisticated infostealer that has evolved significantly. Started has banking trojan more features are added for taking the victim machine and steal
The malware starts infecting victims using an obfuscated PowerShell command that further downloads an executable file belonging to the Neurevt family, which then drops executable scripts and files into the folders that it creates during runtime.
The dropped payload ends up in a benign location of the file system and runs, thereby elevating its privilege by stealing service token information. It executes the following stages of the dropped executable file, which installs hook procedures to monitor keystrokes and mouse input events. It captures the monitor screen and clipboard information
Neurevt detects the virtualized and debugger environment, disables the firewall and modifies the internet proxy settings in the victim’s machine to evade detections and thwart analysis.
Instead of calling known APIs for HTTP communication, the malware uses System.Web Namespace and includes HTTP classes to enable the browser-server communication with the C2 server to exfiltrate the data. The malware uses Namespace to enable the browser-server communication to the C2 server with a Nginx web server for exfiltration.
The malware has additional functions, including checking the operating system, enumerating system drivers and currently available disk drives with the victim’s machine, gathering information about the disk drives or directories on the system, detecting the Java Runtime Environment version, retrieving keyboard layout lists and enumerating user location information.