Trend Micro researchers have recently encountered a Negasteal (also known as Agent Tesla) variant that used hastebin for the fileless delivery of the Crysis (also known as Dharma) ransomware. This is the first time that we have observed Negasteal with a ransomware payload.
Only a few months ago, Deep Instinct published the first reported case of a Negasteal variant that used hastebin[.]com, a paste site for online content. Negasteal is a spyware trojan that was discovered in 2014. It offers its services in the form of paid subscriptions in cybercriminal underground forums, with its developers constantly making changes to improve its evasion tactics and remain relevant in their market.
The Crysis ransomware, meanwhile, is behind several high-profile attacks, with variants that continuously demonstrate different techniques. Similar to Negasteal, Dharma works on a ransomware-as-a-service (RaaS) model that makes it accessible for other cybercriminals to pay for.
Source: Trend Micro