Name | Neshta |
Additional Names | Win32:Crypt-SKC [Trj] (Avast), Win32.Neshta.A (BitDefender), Virus.Win32.Neshta.a (Kaspersky) |
Type of Malware | File Infector |
Location – Country of Origin | Belarus (the infector's body carries the string "Made in Belarus") |
Date of initial activity | 2005 |
Associated Groups | None confirmed. Neshta is a commodity file infector; the BlackEnergy, Sandworm and Sofacy associations sometimes repeated for it are not supported by analysis of the samples. |
Motivation | Neshta profiles every host it infects: it collects information about the operating system, hardware and installed software and posts it to a remote server. The operators can monetise that data (resale, targeting of follow-on malware), and the victim's system inventory leaves the organisation. |
Attack Vectors | Email, Downloads, USB drives, Network shares, Malvertising |
Targeted System | Windows |
Overview
Neshta is a file infector and information stealer that targets Windows executables on local disks, network shares and removable storage. On first run it drops a copy of itself as %SystemRoot%\svchost.com (note the .com extension; this is not the legitimate svchost.exe) and rewrites the .exe file association (HKLM\SOFTWARE\Classes\exefile\shell\open\command) so that its copy runs first every time any executable is launched. From then on it prepends its own body to other .exe files it can reach, collects system information and exfiltrates it to its C2. Neshta reaches new hosts through phishing emails, removable media, trojanised downloads and other malware, and it spreads across an environment on its own whenever an infected executable is copied or run.
Targets
Observed mainly in organisations in finance, consumer goods and energy, and also in the manufacturing industry.
Tools/ Techniques Used
Cyber criminals distribute this malware through other malware or through infected files that people download from dubious sources. Examples of malicious programs cited as carriers for malware of this type include Tortoiseshell, Torpig and Nymeria. Typically, people are unaware that their computers are infected, because the infected executables still run as expected once the infector has passed control to the original program.
Impact / Significant Attacks
Neshta's significance is its persistence rather than any single campaign. A file infector dating from 2005, it still appears among the most prevalent detections years later, because infected executables keep being copied, backed up and redistributed, and because a single infected host re-infects every .exe it touches on local disks, network shares and removable media.
The incidents often listed alongside Neshta are not Neshta attacks. The 2007 attacks on Estonian government, bank and media sites were distributed denial-of-service attacks, not a file-infector campaign. The 2015 attack on Ukrainian organisations, including the power grid, is attributed to the BlackEnergy/Sandworm toolset, not to Neshta. WannaCry (2017), which encrypted files on over 200,000 computers in over 150 countries and demanded a ransom for decryption, spread on its own through the EternalBlue SMB exploit and did not use Neshta. A Neshta detection should be handled as what it is: an infected executable that needs disinfection or replacement, and a host whose .exe file association and %SystemRoot%\svchost.com must be checked and cleaned.
Indicators of Compromise (IoCs)
SHA256 Hashes
29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
539452719c057f59238e123c80a0a10a0b577c4d8af7a5447903955e6cf7aa3d
a4d0865565180988c3d9dbf5ce35b7c17bac6458ef234cfed82b4664116851f2
46200c11811058e6d1173a2279213d0b7ccde611590e427b3b28c0f684192d00
c965f9503353ecd6971466d32c1ad2083a5475ce64aadc0b99ac13e2d2c31b75
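The following triage script is an added example, not code from the original page or from any vendor analysis of Neshta. It ties the Overview and the IoC list together: it matches files against the SHA256 hashes above, looks inside executables for the marker text Neshta writes into every file it infects, and checks whether the .exe file association has been hijacked to point at svchost.com. Assumptions: the marker substring "Made in Belarus" is taken from public analyses of Neshta samples and should be validated against your own samples; the .reg export format is the one produced by `reg export`; all sample files and the registry fragment in `demo()` are constructed here and are not real Neshta artifacts.

```python
"""Offline triage helpers for the Neshta file infector: match files against the
SHA256 IoCs on this page, look for the infector's marker string inside
executables, and check the .exe file-association hijack it uses to persist."""
import hashlib
import os
import re
import tempfile

# SHA256 IoCs listed on this page.
NESHTA_SHA256 = {
    "29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a",
    "980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2",
    "539452719c057f59238e123c80a0a10a0b577c4d8af7a5447903955e6cf7aa3d",
    "a4d0865565180988c3d9dbf5ce35b7c17bac6458ef234cfed82b4664116851f2",
    "46200c11811058e6d1173a2279213d0b7ccde611590e427b3b28c0f684192d00",
    "c965f9503353ecd6971466d32c1ad2083a5475ce64aadc0b99ac13e2d2c31b75",
}

# Substring of the text Neshta embeds in every executable it infects
# (assumption: taken from public sample analyses; confirm against your own samples).
NESHTA_MARKER = b"Made in Belarus"

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command is  "%1" %*
# Neshta rewrites it to  %SystemRoot%\svchost.com "%1" %*  so that its dropped
# copy (svchost.com, not the legitimate svchost.exe) runs before every .exe.
_STOCK_EXEFILE_CMD = re.compile(r'^"%1"\s+%\*$')
_EXEFILE_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]"


def sha256_file(path, chunk=1 << 20):
    """Hex SHA256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_has_marker(path, marker=NESHTA_MARKER, limit=16 << 20):
    """True if the first `limit` bytes of the file contain the infector marker."""
    with open(path, "rb") as f:
        return marker in f.read(limit)


def is_hijacked_exefile_command(value):
    """True if the exefile open command is anything other than the stock
    '"%1" %*' launcher, e.g. Neshta's svchost.com wrapper."""
    return _STOCK_EXEFILE_CMD.match(value.strip()) is None


def exefile_command_from_reg_export(text):
    """Default value of the exefile open command from a .reg export
    (e.g. `reg export HKLM\\SOFTWARE\\Classes\\exefile out.reg`), or None."""
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == _EXEFILE_KEY.lower()
        elif in_key and line.startswith('@="') and line.endswith('"'):
            # .reg escapes: \" -> "  and  \\ -> \
            return line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
    return None


def scan_dir(root, ioc_hashes=NESHTA_SHA256):
    """Walk `root`; return sorted (relative path, reason) for hash or marker hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if sha256_file(path) in ioc_hashes:
                hits.append((rel, "sha256 matches Neshta IoC"))
            elif name.lower().endswith(".exe") and file_has_marker(path):
                hits.append((rel, "Neshta marker string in executable body"))
    return sorted(hits)


def demo():
    """Run the checks over constructed sample data (not real Neshta samples)."""
    # Constructed .reg fragment shaped as Neshta leaves the key (note svchost.com).
    reg_export = (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        + _EXEFILE_KEY + "\r\n"
        + '@="C:\\\\Windows\\\\svchost.com \\"%1\\" %*"\r\n'
    )
    cmd = exefile_command_from_reg_export(reg_export)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"ordinary program bytes")
        with open(os.path.join(root, "infected.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"Neshta 1.0 " + NESHTA_MARKER + b"...")
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed stand-in for a hashed IoC sample")
        # Add the constructed file's hash so the hash path is exercised offline.
        iocs = NESHTA_SHA256 | {sha256_file(sample)}
        hits = scan_dir(root, iocs)
    return cmd, is_hijacked_exefile_command(cmd), hits


if __name__ == "__main__":
    command, hijacked, findings = demo()
    print("exefile command:", command, "| hijacked:", hijacked)
    for rel, why in findings:
        print(f"{rel}: {why}")
```

On a live host the registry check is the fastest first look: a non-stock exefile command is a strong signal on its own, and if it names svchost.com, hash the referenced file and the file's neighbours before trusting any .exe on the box. Hash matches are exact and will miss freshly infected files (each infected executable has a new hash), which is why the marker scan over .exe bodies is the broader net.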