The trojan malware Neurevt is back in a new version as an infostealer with spyware and backdoor capabilities
About the threat:
The Neurevt trojan malware has been around for some time now. This newer version is a refinement of the earlier one and has sophisticated spyware and backdoor capabilities. Being an infostealer, Neurevt exfiltrates user credentials like username and password as well as other intellectual information. It is also capable of capturing screenshots of the infected system.
Neurevt is called sophisticated for good reason. It enters the infected system impersonating a legitimate update and quickly creates a folder with executable files. During its initial infiltration it renames the newly created folder containing the executable files, which itself is password protected. After installing the executable files, the trojan deletes all executable files and the folders it created.
Other names / aliases:
Neurevt Trojan also goes by the alias Betabot.
Our Analysis of the Modus Operandi
Analysts from SecneurX have analysed the Neurevt malware based on artifacts acquired from the wild. These artifacts were analysed using SecneurX Advanced Dynamic Malware Analysis Platform. Along with this article we have included IOC’s (Indicators of Compromise) and malware’s behavioural analysis report that comes in handy for SOC / Security Analysts.
In this article we will use one of the analyzed artifact (86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595) and explain the behaviour of the malware.
Malware Process Flow
The below image showcases the execution flow of the sample artifact. The detailed analysis of each step is explained in the next section.
Malware execution sequence:
The artifact when executed creates a folder “C:\LMPupdate\set“ and extracts executable and batch files. The extracted files are of .exe, .bat and .rar extensions. Figure 1 below shows the extracted contents.
Figure.1 Files and scripts extracted by malware
The Malware uses inbuilt Microsoft Windows Based Script to launch the vb script which in turn launches the bat file. In this sample the vbs script "C:\LMPupdate\set\435246.vbs" launches the Bat file “183.bat”.
Figure 2 shows the contents of 435246.vbs script showing the process creation of the batch file.
Figure 2: Content of 435246.vbs
The “183.bat” file extracts the password protected rar (43939237cx.rar) file to the same path and then executes the extracted “3980392CV.vbs” and deletes itself and the rar file. Figure 3 and 4 shows the contents of 183.bat and extracted 43939237cx.rar file.
Figure 3: Content of 183.bat
Figure 4: Files and scripts inside in 43939237cx.rar
The Bat file 48551.bat extracts 43939237cx.rar file and launches xc829374091FD.exe.
After launching the executable it deletes all files in the folder and then it deletes the folder to erase its footprints.
Figure 5: Content of 48551.bat
The executable xc829374091FD.exe initiates explorer.exe process and an executable file (k77saes3u.exe) is dropped in the directory C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe. This executable when launched communicates with Command & Control. Figure 6 shows the process flow of 48551.bat.
Figure 6: Process flow of 48551.bat
The final payload has the following capabilities
Exfiltration of user account information
Exfiltration of system information
Ability to capture screenshots
Figure 7, 8 and 9 shows the code snippet of the above capabilities
Figure 7: Getting User account information
Figure 8: Reading logical drive information
Figure 9: Screen capturing functionality
Below is the screenshot of the network communication of this malware to the CNC russk18[.]icu
Figure 10: Network packet screenshot showing CNC Communication
Indicator of Compromise
How can you validate if your security controls can protect you against this malware?
Every month SecneurX releases the top prevalent malware that was active during the period. Penataur will automatically validate if your security controls can prevent this malware. We released this Neurevt strain as part of the Windows threat June 2021 suite of Penataur - Continuous Security Validation Platform.