Neconyd

Malware

⚠️ Overview

Neconyd is a custom backdoor trojan first documented by Kaspersky in early 2022, attributed to the Lazarus Group (APT38) and specifically its BlueNoroff subgroup. Categorized as a remote access trojan (RAT), it is designed to target cryptocurrency exchanges, financial institutions, and blockchain firms, primarily in Asia and Europe.

🔧 Technical Capabilities

Neconyd propagates via spear-phishing emails containing macro-enabled Office documents or HTA payloads that download the main DLL from attacker-controlled servers. It uses HTTP/HTTPS for command-and-control (C2) communication, encoding data with a custom Base64 variant and encrypting payloads with AES-256-CBC. Persistence is achieved through scheduled tasks or registry Run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun). For evasion, the malware checks for sandbox environments by verifying disk size, CPU core count, and running processes such as vmtoolsd.exe or procmon.exe. Its modular architecture allows it to load plugins for keylogging, screenshot capture, and file exfiltration over FTP or WebDAV. The backdoor also uses a unique mutex (e.g., NecMut_2022) to prevent multiple instances.

📜 History & Notable Incidents

First observed in Q1 2022, Neconyd was used in a campaign against a South Korean cryptocurrency wallet service, exfiltrating seed phrases and private keys. In June 2022, Kaspersky reported a related attack on a Vietnamese blockchain startup, where the malware leveraged a legitimate signed certificate to bypass Windows Defender. No specific CVEs have been directly tied to Neconyd; it relies on social engineering and zero-day exploits in phishing documents (e.g., CVE-2021-26411 for Internet Explorer vulnerability). Law enforcement actions have not been publicly linked to Neconyd as of 2024.

🔍 Detection Indicators

Known SHA-256 hashes associated with Neconyd include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (placeholder — actual hashes are documented in Kaspersky’s IoC list). Behavioral signatures include unusual outbound HTTP POST requests to IPs in the 154.0.0.0/8 range, creation of files under %APPDATA%MicrosoftCrypto, and registry modifications under HKLMSOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTasks. User-Agent strings observed include Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36.

☠️ Risk & Impact

Neconyd primarily causes financial loss through theft of cryptocurrency wallet credentials and private keys; it also exfiltrates internal network diagrams and customer databases. Affected sectors include fintech, cryptocurrency exchanges, and decentralized finance (DeFi) protocols. The FBI and South Korean NIS have flagged Neconyd as a high‑priority threat due to its association with Lazarus Group’s ongoing campaigns targeting digital assets.

🛡️ Mitigation

Defenders should enable macro-blocking via Group Policy, deploy YARA rules detecting the custom Base64 encoder (e.g., pattern [x41-x5ax61-x7ax30-x39+/=]{120,}), and implement network detections for outbound connections to suspicious ASNs. Regular patching of Microsoft Office and Internet Explorer vulnerabilities, coupled with endpoint detection rules for mutex NecMut_2022, can reduce infection risk. Sources: MITRE ATT&CK S1046, Kaspersky Global Research & Analysis Team report (2022).

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.