Threat Spotlight: Neshta File Virus

Hello, Habr! Ahead of the start of the "Reverse Engineering 2.0" course, we want to share another interesting translation with you.




Overview


Neshta is a fairly old file virus that is still widespread. It was originally discovered in 2003 and has previously been associated with the BlackPOS malware. It adds malicious code to the files it infects. The threat mostly enters an environment through unintentional downloads or is dropped by other malware. It infects Windows executables and can also spread to network shares and removable media.

In 2018, Neshta targeted mainly the manufacturing sector, but also hit the finance, consumer and energy sectors. For persistence, Neshta renames itself svchost.com and then modifies the registry so that it is started every time an .exe file is launched. The threat is known to collect system information and to use POST requests to exfiltrate data to attacker-controlled servers. The Neshta binaries used in our analysis did not exhibit any data exfiltration behavior or functionality.

Technical analysis


This section describes the indicators of a Neshta infection. The samples we examined were uploaded to VirusTotal in 2007, 2008 and 2019.

We analyzed files with the following SHA-256 hashes:

  • 29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a
  • 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
  • 539452719c057f59238e123c80a0a10a0b577c4d8af7a5447903955e6cf7aa3d
  • a4d0865565180988c3d9dbf5ce35b7c17bac6458ef234cfed82b4664116851f2
  • 46200c11811058e6d1173a2279213d0b7ccde611590e427b3b28c0f684192d00
  • c965f9503353ecd6971466d32c1ad2083a5475ce64aadc0b99ac13e2d2c31b75


Static file analysis


Neshta is compiled with Borland Delphi 4.0. The file size is typically 41,472 bytes.

Like any Delphi binary, Neshta has four writable sections (DATA, BSS, .idata and .tls) and three shared sections (.rdata, .reloc and .rsrc):


Figure 1: Section header characteristics.

The Neshta body also contains some interesting strings, shown in Figure 2 below:

“Delphi-the best. F *** off all the rest. Neshta 1.0 Made in Belarus. We are holding the ~ Tsikav ~ Belarus_kim jiauchatam. Alyaksandr Rygoravich, you are a taxama :) Vosen-kepsky couple ... Alivarya - make beer! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]”
(“Delphi is the best. The rest can go to ***. Neshta 1.0 Made in Belarus. Greetings to all ~interesting~ Belarusian girls. Alyaksandr Rygoravich, you too :) Autumn is a bad season ... Alivaria is the best beer! Best regards to Tommy Salo. [November 2005] yours [Grandpa Apanas]”)



Figure 2: Interesting strings in the virus body

File infection


The core of Neshta is a file infector that searches local drives for .exe files. Neshta targets .exe files, excluding only those whose path contains any of the following strings:

  • %Temp%
  • %SystemRoot% (usually C:\Windows)
  • \PROGRA~1\


A summary of the infection process is described below and in Figure 3.

Neshta:

  1. Reads 41,472 (0xA200) bytes from the beginning of the target file.
  2. Creates two sections and allocates memory with the PAGE_READWRITE attribute at the beginning and at the end of the target file.
  3. Writes its own header and code over the beginning of the target file. The written data is 41,472 bytes.
  4. Writes the encoded original header and code (the 41,472 bytes saved in step 1) to the end of the file.


As a result, the malicious code runs first whenever the infected file is launched:


Figure 3: File infection

When an infected file is launched, the original program is written to %Temp%\3582-490\<filename> and started using the WinExec API.
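As an added example (not part of the original BlackBerry Cylance write-up), the layout described above can be turned into a triage check: a Python script that applies Neshta's own target rule to a path and inspects an executable for the 0xA200-byte virus body followed by a 0xA200-byte appended tail. It assumes the clean host was at least 0xA200 bytes long, uses the strings quoted in Figure 2 as content markers, and does not decode the appended block, because the article does not describe the encoding. The bytes it inspects when run without arguments are a constructed fixture, not a real Neshta sample.

```python
"""Triage helper for the Neshta prepend layout described in this section.

Layout assumed (from the infection steps above): the first 0xA200 bytes of
the host are overwritten by the 0xA200-byte virus body and the encoded copy
of the original first 0xA200 bytes is appended at the end, so an infected
host is exactly 0xA200 bytes larger than the clean one. The tail encoding is
not described in the article, so this code locates it but does not decode it.
Assumption: the clean host was at least 0xA200 bytes long.
"""
import sys

NESHTA_BODY_SIZE = 0xA200  # 41,472 bytes: size of the virus body at file start

# Strings from the virus body quoted in the article, used as content markers.
NESHTA_MARKERS = (b"Neshta 1.0 Made in Belarus", b"Delphi-the best")


def is_candidate_host(path: str, temp_dir: str, system_root: str) -> bool:
    """Return True if the file matches Neshta's target rule: an .exe whose
    path contains none of %Temp%, %SystemRoot% or \\PROGRA~1\\.
    temp_dir and system_root are passed explicitly so the check also runs
    off-host (for example against a file listing taken from a disk image)."""
    p = path.lower()
    if not p.endswith(".exe"):
        return False
    excluded = (temp_dir.lower(), system_root.lower(), "\\progra~1\\")
    return not any(fragment in p for fragment in excluded)


def inspect_image(data: bytes) -> dict:
    """Classify an executable image held in memory.

    Returns {'infected': False, 'reason': ...} or, on a hit, the marker
    strings found, the offset and length of the appended encoded original
    header, and the clean host size implied by the layout."""
    if len(data) <= NESHTA_BODY_SIZE or data[:2] != b"MZ":
        return {"infected": False, "reason": "not a PE or no larger than the Neshta body"}
    head = data[:NESHTA_BODY_SIZE]
    hits = [m.decode() for m in NESHTA_MARKERS if m in head]
    if not hits:
        return {"infected": False, "reason": "no Neshta strings in the first 0xA200 bytes"}
    clean_size = len(data) - NESHTA_BODY_SIZE  # prepend + append add exactly one body size
    return {
        "infected": True,
        "markers": hits,
        "encoded_original_offset": clean_size,  # the tail starts where the clean host ended
        "encoded_original_len": NESHTA_BODY_SIZE,
        "estimated_clean_size": clean_size,
    }


def scan_path(path: str) -> dict:
    """Read a file from disk and run inspect_image on it."""
    with open(path, "rb") as fh:
        return inspect_image(fh.read())


def constructed_sample() -> bytes:
    """Constructed fixture, NOT a real Neshta sample: a fake 0xA200-byte stub
    carrying the marker strings, a fake 10,000-byte remainder of the host and
    a fake 0xA200-byte tail standing in for the encoded original header."""
    stub = b"MZ" + b"\x00" * 100 + NESHTA_MARKERS[0] + b"\x00" + NESHTA_MARKERS[1]
    stub = stub.ljust(NESHTA_BODY_SIZE, b"\x90")
    host_remainder = b"H" * 10_000
    encoded_tail = b"\xaa" * NESHTA_BODY_SIZE
    return stub + host_remainder + encoded_tail


if __name__ == "__main__":
    # Usage: python neshta_triage.py <file.exe> [...]
    # With no arguments the constructed fixture is inspected instead.
    targets = sys.argv[1:]
    if not targets:
        print(inspect_image(constructed_sample()))
    for target in targets:
        print(target, scan_path(target))
```

Because an infected file is exactly one body size larger than the clean host, `estimated_clean_size` doubles as the offset of the encoded tail. A disinfection routine would decode those 0xA200 bytes, write them back over the beginning of the file and truncate it to the clean size; that step depends on the encoding, which the article does not give, so it is left out here.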

Persistence


Neshta copies itself to C:\Windows\svchost.com and registers itself in the registry with the following parameters:

Registry key: HKLM\SOFTWARE\Classes\exefile\shell\open\command
Registry value: (Default)
Data: %SystemRoot%\svchost.com "%1" %*
This registry change tells the system to start Neshta every time an .exe file is run; "%1" %* stands for the launched .exe and its arguments, so svchost.com receives the path of the program the user actually wanted to start. In addition, Neshta creates a named mutex to check whether another instance is already running:

MutexPolesskayaGlush*.*<0x90>svchost.com<0x90>exefile\shell\open\command‹À "%1" %*œ‘@

Another dropped file is directx.sys, written to %SystemRoot%. It is a plain text file (not a kernel driver) that contains the path of the most recently executed infected file, and it is updated every time an infected file runs.
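The persistence mechanism above lends itself to a host triage check. The following Python is an added example, not code from the original article: it classifies the (Default) data of exefile\shell\open\command (parsed from `reg query ... /ve` output, or read live through winreg when run on Windows) and reads the last-infected path from a directx.sys marker file. The reg query output and directx.sys content it ships with are constructed fixtures, and the path C:\Tools\putty.exe in them is made up.

```python
"""Triage of the two persistence artefacts described in this section:
the exefile handler under HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command
and the %SystemRoot%\\directx.sys marker file.
"""
import re
import sys

EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # Windows default: run the .exe with its arguments


def classify_exefile_command(value: str) -> dict:
    """Decide whether the (Default) value still launches the .exe directly
    or routes every launch through another program first.

    Any token in front of "%1" %* is that wrapper; a wrapper ending in
    svchost.com matches the Neshta persistence described above. Other
    wrappers are reported as non-default without attribution, since some
    legitimate tools also register here."""
    v = value.strip()
    if v == CLEAN_EXEFILE_COMMAND:
        return {"non_default": False, "wrapper": None}
    m = re.match(r'^(?P<wrapper>"[^"]+"|\S+)\s+"%1"\s+%\*$', v)
    wrapper = m.group("wrapper").strip('"') if m else v
    return {
        "non_default": True,
        "wrapper": wrapper,
        "neshta_like": wrapper.lower().endswith("svchost.com"),
        "remediation": CLEAN_EXEFILE_COMMAND,
    }


def parse_reg_query_default(text: str) -> str:
    """Extract the (Default) data from 'reg query <key> /ve' output, so the
    check can run on output collected from a host rather than live."""
    for line in text.splitlines():
        m = re.match(r"\s*\(Default\)\s+REG_\w+\s+(.*)$", line)
        if m:
            return m.group(1).strip()
    raise ValueError("no (Default) value in reg query output")


def last_infected_from_directx_sys(content: str) -> str:
    """directx.sys is a plain text file holding the path of the most recently
    executed infected file; return that path (empty string if the file is empty)."""
    stripped = content.strip()
    return stripped.splitlines()[0].strip() if stripped else ""


def read_live_exefile_command():
    """On Windows, read the live (Default) value with winreg; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        return winreg.QueryValueEx(key, "")[0]


# Constructed fixtures, not collected from a real host: what 'reg query ... /ve'
# and directx.sys would look like on a machine persisted as described above.
CONSTRUCTED_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    (Default)    REG_SZ    %SystemRoot%\svchost.com "%1" %*
"""
CONSTRUCTED_DIRECTX_SYS = "C:\\Tools\\putty.exe\r\n"  # made-up path

if __name__ == "__main__":
    live = read_live_exefile_command()
    value = live if live is not None else parse_reg_query_default(CONSTRUCTED_REG_QUERY)
    print(classify_exefile_command(value))
    print("last infected file:", last_infected_from_directx_sys(CONSTRUCTED_DIRECTX_SYS))
```

On a real host the value would be taken from `read_live_exefile_command()` (or from `reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve` collected during triage); remediation is restoring the data to `"%1" %*` after the svchost.com copy has been removed, otherwise every .exe launch keeps re-running the virus.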

BlackBerry Cylance stops Neshta


BlackBerry Cylance uses AI-based agents trained on millions of both safe and unsafe files to detect threats. Our automated security agents block Neshta based on a variety of file attributes and malicious behaviors rather than relying on a specific file signature. BlackBerry Cylance, which offers a predictive advantage over zero-day threats, is trained on and effective against both new and known cyberattacks. For more information, visit https://www.cylance.com.

Appendix


Indicators of Compromise (IOCs)


  • Hashes

o 29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a
o 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
o 539452719c057f59238e123c80a0a10a0b577c4d8af7a5447903955e6cf7aa3d
o a4d0865565180988c3d9dbf5ce35b7c17bac6458ef234cfed82b4664116851f2
o 46200c11811058e6d1173a2279213d0b7ccde611590e427b3b28c0f684192d00
o c965f9503353ecd6971466d32c1ad2083a5475ce64aadc0b99ac13e2d2c31b75

  • File names

o %SystemRoot%\svchost.com
o %SystemRoot%\directx.sys
o %Temp%\tmp5023.tmp

  • C2s / IPs: none observed in the analyzed samples
  • Mutexes

o MutexPolesskayaGlush*.*<0x90>svchost.com<0x90>exefile\shell\open\command‹À "%1" %*œ‘@

  • Interesting strings

o Delphi-the best. F ** k off all the rest. Neshta 1.0 Made in Belarus. We are holding the ~ Tsikav ~ Belarus_kim jiauchatam. Alyaksandr Rygoravich, you are a taxama :) Vosen-kepsky couple ... Alivarya - make beer! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

SHA-256: 29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 41,472 bytes
Timestamp: 1992:06:20 07:22:17+09:00
ITW (in-the-wild) name: svchost.com


