Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime

'Neurevt' Trojan Targets Mexican Bank Customers

Updated Malware Now Includes Spyware and a Backdoor
'Neurevt' Trojan Targets Mexican Bank Customers
Overview of Neurevt execution flow (Source: Cisco)

Researchers at the security firm Cisco Talos have spotted an ongoing campaign using an updated variant of the "Neurevt" Trojan to target customers of financial institutions in Mexico.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

In June, researchers spotted the new version of the Trojan, which now comes with spyware and backdoor capabilities. Using this latest version, attackers can gain access to the victim's system and modify its settings to conceal their presence. The malware can also take screenshots of the victim's monitor, the researchers say.

"The Trojan will access the victim's system service tokens and elevate its privilege, thereby accessing the operating system, user's account information and credentials of banking websites; capture screenshots and connect to the C2 servers to steal intellectual property and personal information," the researchers say.

The Trojan is capable of stealing usernames and passwords. It can also target individual users and organizations, leading to a data breach or reputational damage that eventually results in a loss of financial value, they say.

Neurevt, also known as Betabot, is a multifunctional Trojan written in C++ that was first spotted in 2013. It's a sophisticated infostealer that has evolved significantly, the researchers point out.

The malware began as a banking Trojan. Over time, the operators behind it started adding features that allowed them to take over a victim’s machine and steal sensitive information, Cisco Talos reports.

Technical Analysis

The malware starts infecting victims using an obfuscated PowerShell command that further downloads an executable file belonging to the Neurevt family, which then drops executable scripts and files into the folders that it creates during runtime.

The researchers note, however, that they could not locate the source of the PowerShell command, but they say it's likely a Microsoft Office document or JavaScript code. As in stage one, the attacker attempts to bypass the PowerShell execution policy of the compromised endpoint and creates a new Google Chrome web client object to connect to a domain saltoune[.]xyz and download an executable file.

Researchers found that the domain saltoune[.]xyz was created on June 21 and registered with NameCheap, based in Reykjavik, Iceland. The serving IP address of the domain saltoune[.]xyz is 162[.]213[.]251[.]176, which has been detected as malicious by five security vendors in VirusTotal.

"The dropped payload ends up in a benign location of the file system and runs, thereby elevating its privilege by stealing service token information. It executes the following stages of the dropped executable file, which installs hook procedures to monitor keystrokes and mouse input events. It captures the monitor screen and clipboard information," the researchers note.

In addition, Neurevt detects the virtualized and debugger environment, disables the firewall and modifies the internet proxy settings in the victim's machine to evade detections and thwart analysis.

"Instead of calling known APIs for HTTP communication, the malware uses System.Web Namespace and includes HTTP classes to enable the browser-server communication with the C2 server to exfiltrate the data," the researchers say.

The malware uses Namespace to enable the browser-server communication to the C2 server with a Nginx web server for exfiltration. "The HTTP backdoor method is used by placing the information from the compromised machine into the data section of the HTTP POST request to the domains russk18[.]icu and moscow13[.]at," according to Cisco Talos.

The malware has additional functions, including checking the operating system, enumerating system drivers and currently available disk drives with the victim's machine, gathering information about the disk drives or directories on the system, detecting the Java Runtime Environment version, retrieving keyboard layout lists and enumerating user location information, according to the researchers.


Researchers recommend organizations and individuals keep their systems updated with the latest security patches for operating systems and applications and enable multifactor authentication on their accounts.

"Organizations and defenders can take proactive measures to mitigate the risk of infection and data theft, such as restricting users accessing suspicious websites and downloading malicious contents,” the researchers note.

The researchers also encourage implementation of role-based access controls for the use of Windows administrative tools, a PowerShell execution policy and blocking of suspicious IP addresses, domains and network traffic from C2.

Individuals are also advised to install the latest updates for operating systems and applications and to use antivirus scan engines. "Automatic execution of browser scripts should be disabled. Users should be careful while accessing websites that download their contents to their computer's file system," the researchers note.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.