By Matthew Camacho, Raphael Centeno, and Junestherry Salvador
We recently encountered a Negasteal (also known as Agent Tesla) variant that used hastebin for the fileless delivery of the Crysis (also known as Dharma) ransomware. This is the first time that we have observed Negasteal with a ransomware payload.
Only a few months ago, Deep Instinct published the first reported case of a Negasteal variant that used hastebin[.]com, a paste site for online content. Negasteal is a spyware trojan that was discovered in 2014. It offers its services in the form of paid subscriptions in cybercriminal underground forums, with its developers constantly making changes to improve its evasion tactics and remain relevant in their market.
This is the first time that we have observed these two malware services being used together. According to the sample that we encountered, the variant arrives through a phishing email, as seen in Figure 1.
Figure 1. An image of the phishing email that was used
As part of its evasion tactics, it tries to exclude itself from debugging by Windows Defender, which it can also try to disable as a possible alternative evasion method. These tactics are shown in Figures 2 and 3.
Figure 2. The malware excludes itself from being debugged.
Figure 3. The malware disables Windows Defender.
For persistence, it adds itself to the startup folder and CurrentVersion\Run. Eventually, the loader will connect to “hastebin[.]com” and decode the binary (Crysis) from the command-and-control (C&C) server, thereby allowing fileless delivery of the ransomware.
Figure 4. A snippet of the malware adding itself to the startup folder
Figure 5. The malware connects to hastebin[.]com
Figure 6. The Crysis ransomware payload
This campaign shows the potential of Negasteal to deliver other malware filelessly through its hastebin C&C server. The combination of these two active malware services demonstrates how cybercriminals can cobble together accessible malware in hopes of a successful campaign. Fileless delivery also adds a further challenge in removing this threat, as it leaves no trace after execution.
For organizations, following security best practices will help minimize the success of similar campaigns. As with this campaign, stopping threats from their initial entry can prevent larger problems caused by their payloads. In this case, the campaign has a ransomware payload that can encrypt important files and freeze operations.
Here are some general security practices to implement:
Secure email gateways. Secured email gateways thwart threats that are delivered via spam and phishing. They also help users to avoid opening suspicious emails and attachments.