Author: Shashank Jain
TLP: WHITE
From 5 to 15 March, Infoblox observed a malspam campaign distributing Neshta malware. Neshta is a file-infecting virus: it spreads by inserting its code into executable files on the host, steals sensitive data, and is also capable of downloading other malware.
First observed in 2003 and previously associated with BlackPOS malware,[1] Neshta is still prevalent in the wild.
The threat actors behind the latest variant of Neshta exploit CVE-2017-11882,[2] an old memory corruption vulnerability in the Microsoft Office Equation Editor component that is still actively exploited in the wild.[3] Opening the weaponized attachment triggers the exploit and runs the malware. Beyond this campaign's email lure, Neshta is also spread via web downloads and USB devices.
This variant captures keystrokes, mouse movements, clipboard contents, microphone audio, and screenshots. It also establishes persistence by hooking itself into the system boot process and modifying the system registry.
A typical email from this campaign has the subject line “Wire Transfer 5100 Usd” or “Remittance Debit Note” and carries a weaponized attachment named bn.xlxs.
The sender information appears to belong to Shanyrak Management Company, a Kazakh agricultural company. It is not clear whether the threat actors compromised the company’s email infrastructure or simply spoofed its messages.
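The mail-triage logic below is an added example, not code from Infoblox or from the campaign report: it parses raw messages with Python's standard `email` package and flags the lure characteristics described above (the two subject lines and the bn.xlxs attachment name). The sender addresses are placeholders rather than the campaign's real sender, the sample messages are constructed for the demo, and two checks are assumptions beyond the advisory: any Office-style attachment is flagged for a CVE-2017-11882 look (the exploit rides in an embedded object, not a particular file name), and a header From domain that disagrees with the Return-Path domain is treated as a spoofing hint.

```python
"""Triage inbound mail for the Neshta lure described in the advisory (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Optional

# Indicators taken from the advisory: lure subjects and the weaponized attachment name.
CAMPAIGN_SUBJECTS = {"wire transfer 5100 usd", "remittance debit note"}
CAMPAIGN_ATTACHMENT = "bn.xlxs"

# Assumption for triage: any Office-style attachment deserves a look, because
# CVE-2017-11882 is triggered by an embedded Equation Editor object, not by a name.
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".rtf", ".xlxs")


def _domain(addr_header: Optional[str]) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return a verdict with the reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["Subject"] or "").strip()
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    reasons = []

    if subject.lower() in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches Neshta campaign lure")

    for name in names:
        if name.lower() == CAMPAIGN_ATTACHMENT:
            reasons.append(f"attachment {name} matches campaign indicator")
        elif name.lower().endswith(OFFICE_EXTS):
            reasons.append(f"Office attachment {name}: check for CVE-2017-11882 exploitation")

    # Heuristic (assumption): a header From domain that differs from the envelope
    # Return-Path domain is one sign of a spoofed, rather than hijacked, sender.
    from_dom, ret_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if from_dom and ret_dom and from_dom != ret_dom:
        reasons.append(f"From domain {from_dom} differs from Return-Path domain {ret_dom}")

    return {"subject": subject, "attachments": names,
            "suspicious": bool(reasons), "reasons": reasons}


def build_sample(subject: str, attachment: Optional[str] = None,
                 return_path: Optional[str] = None) -> bytes:
    """Construct a sample .eml for the demo (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "accounts@sender.example"   # placeholder, not the campaign's sender
    m["To"] = "finance@victim.example"
    m["Subject"] = subject
    if return_path:
        m["Return-Path"] = return_path
    m.set_content("Please find the attached remittance note.")
    if attachment:
        # Dummy payload bytes; a real lure would carry an Office document.
        m.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    for sample in (build_sample("Wire Transfer 5100 Usd", "bn.xlxs"),
                   build_sample("Invoice", "report.xlsx", "bounce@other.example"),
                   build_sample("Lunch on Friday?")):
        print(triage(sample))
```

Feed `triage()` the raw bytes of each message pulled from the gateway or mailbox; the returned `reasons` list is what an analyst needs to decide between quarantining on the campaign indicators alone and pulling the Office attachment for static analysis of its embedded objects.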
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://blogs.blackberry.com/en/2019/10/threat-spotlight-neshta-file-infector-endures
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882
3. https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild