TrojanSpy.PS1.NEGASTEAL.FBV

 Analysis by: Francesca Villasanta

 ALIASES:

Trojan.PS.Agent (IKARUS); PowerShell/TrojanDownloader.Agent.HGV trojan (NOD32)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

  TECHNICAL DETAILS

File Size:

6,490,261 bytes

File Type:

PS1

Memory Resident:

No

Initial Samples Received Date:

04 Sep 2023

Payload:

Collects system information, Connects to URLs/IPs, Steals information, Disables AV, Modifies system registry

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

  • %ProgramData%\TUKHAMTASSER\Sexology.~!!!!!!!!!!!!!!!!~ ← deleted afterwards
  • %ProgramData%\TUKHAMTASSER\NIKKIL_LORY.vbs ← later moved to %User Startup%\NIKKIL_LORY.vbs
  • %System Root%\drivers\etc\hosts

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It adds the following processes:

  • "%System%\net.exe" user {Malware Created User} /add
  • "%System%\net.exe" user {Malware Created User} {Password}
  • "%System%\net.exe" localgroup administrators {Malware Created User} /add
  • "%System%\net.exe" localgroup "Remote Desktop Users" {Malware Created User} /add
  • "%System%\net.exe" stop WdNisSvc
  • "%System%\netsh.exe" advfirewall set allprofiles state off
  • "%System%\schtasks.exe" /create /sc MINUTE /mo 187 /tn clomepe /F /tr "wscript /nologo %ProgramData%\TUKHAMTASSER\NIKKIL_LORY.vbs"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It creates the following folders:

  • %ProgramData%\TUKHAMTASSER

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It executes then deletes itself afterward.

Other System Modifications

This Trojan Spy adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Classes\
CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
(Default) = C:\IDontExist.dll

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Classes\
CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}

HKEY_CURRENT_USER\Software\Classes\
CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32

Process Termination

This Trojan Spy terminates the following services if found on the affected system:

  • WdNisSvc
  • WinDefend

Information Theft

This Trojan Spy gathers the following data:

  • Computer Name
  • User Name
  • CPU Information
  • RAM Information
  • Network Adapter Configuration
  • IP Address
  • Current time
  • It gathers credentials from the following:
    • Browsers (User Data):
      • 360 Browser
      • 7Star
      • Amigo
      • BlackHawk
      • Brave
      • CentBrowser
      • Chedot
      • Chrome
      • Chromium
      • Citrio
      • Coccoc
      • Comodo Dragon
      • Cool Novo
      • Coowon
      • CyberFox
      • Edge Chromium
      • Elements Browser
      • Epic Privacy
      • Falkon Browser
      • Firefox
      • Flock
      • Flock Browser
      • IceCat
      • IceDragon
      • IE/Edge
      • Iridium Browser
      • K-Meleon
      • Kometa
      • Liebao Browser
      • Opera Browser
      • Orbitum
      • PaleMoon
      • QIP Surf
      • QQ Browser
      • Safari for Windows
      • SeaMonkey
      • Sleipnir 6
      • Sputnik
      • Torch Browser
      • UC Browser
      • Uran
      • Vivaldi
      • WaterFox
      • Yandex
    • Email Clients:
      • Becky!
      • Claws Mail
      • eM client
      • Eudora
      • Foxmail
      • IncrediMail
      • Mailbird
      • Opera Mail
      • Outlook
      • Pocomail
      • Postbox
      • The Bat!
      • Thunderbird
      • Windows Mail App
    • FTPs:
      • cftp
      • CoreFTP
      • FileZilla
      • FlashFXP
      • FTP Commander
      • FTP Getter
      • FTP Navigator
      • SmartFTP
      • WinSCP
      • WS_FTP
    • VPNs:
      • NordVPN
      • OpenVPN
      • Private Internet Access
    • Instant Messaging Applications:
      • Discord
      • Psi/Psi+
      • Trillian
    • Other Applications:
      • Internet Download Manager
      • Jdownloader 2.0
      • MySQL Workbench
      • Apple Keychain
    • VNCs:
      • RealVNC 4.x
      • RealVNC 3.x
      • TightVNC
      • TigerVNC
      • UltraVNC
    • Vault:
      • Web Credentials
      • Windows Credential Picker Protector
      • Windows Credentials
      • Windows Domain Certificate Credential
      • Windows Domain Password Credential
      • Windows Extended Credential
      • Windows Secure Note
      • Windows Web Password Credential

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

  • https://{BLOCKED}d.com/api/webhooks/1147617604740075550/qMN4dDXG-qUd5FVw6gluS-KM8pkIs8V5dUDV8yLhHwfqs5x6Q7TeJE-qmCsn9sgTZSpX

Other Details

This Trojan Spy connects to the following URL(s) to get the affected system's IP address:

  • https://{BLOCKED}ify.org

It does the following:

  • It bypasses Antimalware Scan Interface (AMSI).
  • It terminates, disables, and deletes the Windows Defender service if found running.
  • It utilizes net.exe to create a user and add this to two local groups:
    • administrators
    • Remote Desktop Users
  • It turns off the Windows Firewall for all network profiles.
  • It modifies Windows Defender's settings:
    • Adds the following to the exclusion preference:
      • File Extensions:
        • .bat
        • .ppam
        • .xls
        • .docx
        • .bat
        • .exe
        • .vbs
        • .js
      • Paths:
        • C:\
        • D:\
        • E:\
      • Processes:
        • explorer.exe
        • kernel32.dll
        • aspnet_compiler.exe
        • cvtres.exe
        • CasPol.exe
        • csc.exe
        • Msbuild.exe
        • ilasm.exe
        • InstallUtil.exe
        • jsc.exe
        • Calc.exe
        • powershell.exe
        • rundll32.exe
        • conhost.exe
        • Cscript.exe
        • mshta.exe
        • cmd.exe
        • DefenderisasuckingAntivirus
        • wscript.exe
      • IP Address:
        • 127.0.0.1
    • Configures the following:
      • Threat ID Default Action
      • Attack Surface Reduction (ASR) rules
      • Default action for high-threat items
      • Default action for moderate-threat items
      • Default action for low-threat items
      • Default action for severe-threat items
    • Disables:
      • Intrusion Prevention System
      • Information Protection feature
      • Real-time monitoring
      • Scanning of scripts for malware or malicious content
      • Controlled folder access
      • Reporting to the Microsoft Active Protection Service (MAPS)
      • Sample submissions to Microsoft
      • Protection against Potentially Unwanted Applications (PUAs)
      • Scheduled scans
    • Enables:
      • Audit mode for Network Protection

It adds the following scheduled tasks:

  • Task Name: clomepe
    Trigger: every 187 minutes
    Task Action: %ProgramData%\TUKHAMTASSER\NIKKIL_LORY.vbs

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

18.762.04

FIRST VSAPI PATTERN DATE:

17 Oct 2023

VSAPI OPR PATTERN File:

18.763.00

VSAPI OPR PATTERN Date:

18 Oct 2023

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Identify and terminate files detected as TrojanSpy.PS1.NEGASTEAL.FBV

[ Learn More ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 5

Deleting Scheduled Tasks while in Safe Mode

  1. Still in safe mode, the following {Task Name}-{Task to be run} listed should be used in the steps identified below:
    • Task Name: clomepe
    • Task to be run: %ProgramData%\TUKHAMTASSER\NIKKIL_LORY.vbs
  2. For Windows 7 and Server 2008 (R2) users, click Start>Computer.
    • For Windows 8, 8.1, 10, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
  3. In the Search Computer/This PC input box, type:
    • %System%\Tasks\{Task Name}
  4. Once located, select the file then press SHIFT+DELETE to delete it.
  5. Open Registry Editor. To do this:
    • For Windows 7 and Server 2008 (R2) users, click the Start button, type regedit in the Search input field, and press Enter.
    • For Windows 8, 8.1, 10, and Server 2012 (R2) users, right-click on the lower left corner of the screen, click Run, type regedit in the text box
  6. In the left panel of the Registry Editor window, double-click the following:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tree>{Task Name}
  7. Locate the created entry and take note of the registry value's data:
    • ID={Task Data}
  8. After taking note of the data, delete the registry key:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tree>{Task Name}
  9. In the left panel of the Registry Editor window, double-click the following:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tasks
  10. Still in the left panel, locate and delete the registry key with the same name as the located Task Data in step #6:
    • ={Task Data}
  11. Close Registry Editor.

Step 6

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

  • In HKEY_CURRENT_USER\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}

Step 7

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %ProgramData%\TUKHAMTASSER\Sexology.~!!!!!!!!!!!!!!!!~
  • %ProgramData%\TUKHAMTASSER\NIKKIL_LORY.vbs
  • %User Startup%\NIKKIL_LORY.vbs
  • %System Root%\drivers\etc\hosts

Step 8

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %ProgramData%\TUKHAMTASSER

Step 9

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TrojanSpy.PS1.NEGASTEAL.FBV. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.