Topline Takeaways
- Date: March 8, 2024
- Targeted Industry: Technology
- Relevant attacker information:
- Neshta / Neshuta malware
- Use of trojans
- Relevant client systems:
- Blackpoint SOC actions:
- Proactive isolation of infected device
- Client outreach with additional remediation advice
- Why this matters: The APG predicts that threat actors will continue using trojans masquerading as legitimate software throughout 2024, with similar attack patterns for malvertising and SEO poisoning also becoming more common.
- Recommended remediations and mitigations:
- Application whitelisting
- Endpoint and environment audits
- Heuristics-based network monitoring
What happened?
Last Friday, the Blackpoint SOC was alerted by MS Defender to the trojan process “sfvip player.exe” on the host of a client in the technology vertical. Upon further investigation, SOC analysts identified successful process execution and active network connections to foreign IP addresses.
Our SOC analysts isolated the device and contacted the impacted client to provide additional information and mitigations.
What was the “sfvip player.exe” process?
In researching the “sfvip player.exe” process involved in this incident, the APG found that a similar file name “sfvip_player.exe” was previously identified as the Neshta (also known as “Neshuta”) malware.
Thus, it is likely that the malicious process carried out by the SFVIP Player trojan during this incident was the Neshta malware, or some variant thereof.
Note that while 35 out of 73 security vendors on VirusTotal flagged the “sfvip player.exe” process from our incident as malicious, most of those vendors categorized it only as a “generic trojan” rather than specifically as a carrier of Neshta malware.
What is Neshta malware?
Neshta (or Neshuta) malware is a file infector virus that specifically targets executable files and collects data on users and the overall compromised system.
While Neshta malware has been in circulation since 2003 and has appeared in a wide variety of campaigns, in 2021 it was part of the Avaddon group’s Ransomware-as-a-Service (RaaS) package in a successful infection of a Mexican company.
How often will the SFVIP Player trojan for Neshta malware be used by threat actors in 2024?
Threat actors are often observed masquerading their malware as legitimate executables, borrowing a known product’s file name to evade detection and get a foothold in a victim network.
For example, consider the malicious file name “sfvip player.exe” in this incident.
SFVIP Player is legitimate media-playback software. If an unsuspecting end user or SOC analyst saw that file name in their logs or directory listings, differing from the legitimate “sfvip_player.exe” only by a space in place of an underscore, there is a high chance they would dismiss any alerts around it as false positives, delaying response or leaving the infection undetected until it was too late.
(This file-name masquerade is the same tactic employed by threat actors leveraging malvertising and SEO poisoning for initial intrusion and malware deployment, among other use cases.)
The APG predicts that threat actors will likely continue to masquerade trojans as legitimate executable files over the next 12 months.
SFVIP Player Trojan and Neshta Malware Recommendations
To defend against the SFVIP Player trojan and Neshta malware in particular, the Blackpoint SOC recommends that organizations:
- Implement application whitelisting to restrict unauthorized program execution, particularly for peripheral applications and software that is not directly required for organizational work but might be useful to staff. Base the allow rules on publisher signature or file hash rather than on file name alone, since a name-based rule is exactly what a lookalike such as “sfvip player.exe” is designed to slip past.
- Had the organization either approved only the official SFVIP Player binary for use on endpoints, or outright blocked all secondary media-playback apps, the suspected Neshta malware could not have run as far as it did.
- Employ heuristics-based monitoring of network activity to identify threats primarily by what they do (for example, an executable in a user-writable directory opening connections to external IP addresses), rather than by file name or signature alone.
- While this specific process was flagged as a “generic trojan” by most security vendors, it could have been missed by more literal tools, since the file name was not exactly the same as previously identified Neshta malware.
- Conduct regular environment and endpoint audits to identify weak points, apply necessary patching requirements, and close potential infection paths.
- Check for the SFVIP Player malware executable across your endpoints. In this incident it ran from the following path, where $username stands for the affected user’s profile name:
- C:\Users\$username\Desktop\SFVIP-Player-x64\sfvip player.exe
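The two detection ideas above, flagging lookalike file names and flagging network connections by what the process does rather than what it is called, can be combined into a single triage pass over endpoint telemetry. The following script is an added example, not Blackpoint tooling or code from the incident. It runs over a handful of constructed Sysmon-style events (process create and network connect records shaped after Event IDs 1 and 3, with documentation-range IP addresses standing in for the foreign destinations). The assumption that the legitimate player installs as "sfvip_player.exe" under Program Files, and the list of user-writable directories, are illustrative choices rather than facts from the page.

```python
"""Heuristic triage of Sysmon-style process and network events (added example)."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

# Assumption (not from the advisory): the legitimate player is "sfvip_player.exe"
# installed under Program Files. Keyed by a normalized name so that lookalikes
# such as "sfvip player.exe" collide with it during lookup.
KNOWN_LEGIT = {
    "sfvipplayer": {"name": "sfvip_player.exe",
                    "dir_prefix": "c:\\program files\\sfvip player\\"},
}

# Explicit internal ranges. Deliberately not ipaddress.is_private, which also
# treats the documentation ranges used as sample "foreign" IPs below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Locations a standard user can write to; the incident binary lived on the Desktop.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:desktop|downloads|appdata\\(?:local|roaming))"
    r"|windows\\temp|programdata)\\", re.IGNORECASE)

# Constructed sample telemetry (not real data from the incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Program Files\SFVIP Player\sfvip_player.exe"},
    {"EventID": 1, "ProcessId": 5232,
     "Image": r"C:\Users\jdoe\Desktop\SFVIP-Player-x64\sfvip player.exe"},
    {"EventID": 3, "ProcessId": 5232,
     "Image": r"C:\Users\jdoe\Desktop\SFVIP-Player-x64\sfvip player.exe",
     "DestinationIp": "203.0.113.17", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "ProcessId": 6001,
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 8080},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    reason: str


def normalize_name(image: str) -> str:
    """Lower-case the basename, drop the extension and all non-alphanumerics so
    'sfvip player.exe', 'SFVIP_Player.exe' and 'sfvip-player.exe' compare equal."""
    stem = ntpath.splitext(ntpath.basename(image))[0]
    return re.sub(r"[^a-z0-9]", "", stem.lower())


def is_internal(ip: str) -> bool:
    """True only for RFC 1918, loopback, link-local and ULA addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable destination: treat as external and let it be flagged
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events) -> list:
    """Apply both heuristics: lookalike-name masquerade on process creation, and
    external network connections from binaries running out of user-writable paths."""
    findings = []
    for ev in events:
        image = ev["Image"]
        if ev["EventID"] == 1:
            legit = KNOWN_LEGIT.get(normalize_name(image))
            if legit and (ntpath.basename(image).lower() != legit["name"]
                          or not image.lower().startswith(legit["dir_prefix"])):
                findings.append(Finding(ev["ProcessId"], image,
                    f"lookalike of {legit['name']} outside its expected install path"))
        elif ev["EventID"] == 3:
            dst = ev["DestinationIp"]
            if USER_WRITABLE.match(image) and not is_internal(dst):
                findings.append(Finding(ev["ProcessId"], image,
                    f"outbound to external {dst}:{ev['DestinationPort']} "
                    "from a user-writable path"))
    return findings


def correlate(findings) -> dict:
    """Group reasons per PID, most-flagged first, so a process that trips several
    heuristics (as the incident's 'sfvip player.exe' does here) floats to the top."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, []).append(f.reason)
    return dict(sorted(by_pid.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for pid, reasons in correlate(analyze(SAMPLE_EVENTS)).items():
        print(pid, "|", "; ".join(reasons))
```

Neither heuristic is conclusive on its own: plenty of legitimate software runs from AppData and talks to the internet, and a near-miss name is sometimes just a vendor renaming a binary. The value is in the correlation step, where a single PID that both carries a lookalike name and opens external connections from the Desktop deserves the isolation-first response the SOC took here. Feeding real Sysmon or EDR exports into `analyze` only requires mapping their field names onto `Image`, `ProcessId`, `DestinationIp` and `DestinationPort`.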