| Attribute | Details |
| --- | --- |
| Additional Names | Win32:Crypt-SKC [Trj] (Avast), Win32.Neshta.A (BitDefender), Virus.Win32.Neshta.a (Kaspersky) |
| Type of Malware | File Infector |
| Location – Country of Origin | Europe |
| Date of initial activity | 2010 |
| Associated Groups | BlackEnergy, Sandworm, Sofacy |
| Motivation | Neshta uses infected files to collect various system information relating to the operating system, hardware, and installed software. The collected data is then sent to a remote server, where criminals can easily use it to generate revenue in malicious ways, causing a variety of privacy issues. |
| Attack Vectors | Email, Downloads, USB drives, Network shares, Malvertising |
Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once a system is infected, it collects system information and exfiltrates the data to its C2 server. Neshta spreads via phishing emails, removable media, and other malware.
It is mainly used to attack companies in the finance, consumer goods, and energy sectors, and it also targets the manufacturing industry.
Tools / Techniques Used
Cybercriminals distribute this malware through other malware or through infected files that people download from dubious sources. Examples of malicious programs designed to spread other software of this type include Tortoiseshell, Torpig, and Nymeria. Typically, victims are unaware that their computers are infected with these programs.
Impact / Significant Attacks
In 2007, Neshta malware was used to launch a cyberattack against Estonia. The attack targeted Estonian government websites, banks, and media organizations. The attack caused widespread disruption and damage, and it is believed to have been carried out by Russia.
In 2015, Neshta malware was used to launch a cyberattack against Ukraine. The attack targeted Ukrainian government websites, banks, and media organizations. The attack caused widespread disruption and damage, and it is believed to have been carried out by Russia.
In 2017, Neshta malware was used to spread the WannaCry ransomware. WannaCry is a type of malware that encrypts a victim’s files and demands a ransom payment in order to decrypt them. The WannaCry attack infected over 200,000 computers in over 150 countries.
Indicators of Compromise (IoCs)