Neurevt Trojan in Action
Share this:
Researchers spotted the new version of the Trojan, which now comes with spyware and backdoor capabilities. Attackers can gain access to the victim’s system and modify its settings to conceal their presence. The malware can also take screenshots of the victim’s monitor.
Neurevt, also known as Betabot, is a multifunctional Trojan written in C++ that was first spotted in 2013. It’s a sophisticated infostealer that has evolved significantly. Started has banking trojan more features are added for taking the victim machine and steal
The malware starts infecting victims using an obfuscated PowerShell command that further downloads an executable file belonging to the Neurevt family, which then drops executable scripts and files into the folders that it creates during runtime.
The source of the PowerShell command, but they say it’s likely a Microsoft Office document or JavaScript code. As in stage one, the attacker attempts to bypass the PowerShell execution policy of the compromised endpoint and creates a new Google Chrome web client object to connect to a domain saltoune[.]xyz and download an executable file.
The dropped payload ends up in a benign location of the file system and runs, thereby elevating its privilege by stealing service token information. It executes the following stages of the dropped executable file, which installs hook procedures to monitor keystrokes and mouse input events. It captures the monitor screen and clipboard information
Neurevt detects the virtualized and debugger environment, disables the firewall and modifies the internet proxy settings in the victim’s machine to evade detections and thwart analysis.
Instead of calling known APIs for HTTP communication, the malware uses System.Web Namespace and includes HTTP classes to enable the browser-server communication with the C2 server to exfiltrate the data. The malware uses Namespace to enable the browser-server communication to the C2 server with a Nginx web server for exfiltration.
The malware has additional functions, including checking the operating system, enumerating system drivers and currently available disk drives with the victim’s machine, gathering information about the disk drives or directories on the system, detecting the Java Runtime Environment version, retrieving keyboard layout lists and enumerating user location information.
