Netwire

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Type
Trojan
Origin
ex-USSR territory
First seen
1 January, 2012
Last seen
15 September, 2021
Also known as
Recam
Global rank
21
Week rank
15
Month rank
18
IOCs
4463

What is Netwire RAT?

Netwire is a remote access trojan-type malware. A RAT is malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple’s MacOS, and Linux.

Netwire malware is available for purchase on the darknet in the underground hacking communities, where attackers can buy this RAT for the price of 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for a price of 180 USD. Notably, in 2016 Netwire received an update that added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

Netwire Trojan core functionality allows this malware to take remote control of infected PCs, record keyboard strokes and mouse behavior, take screenshots, check system information, and create fake HTTP proxies.

The keylogger functionally allows Netwire to record various personal data imputed on a computer connected to the internet or a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is truly capable of inflicting serious dangers to organizations.

In some malicious campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware was also documented as being used by a group of scammers from Africa who utilized Netwire to take remote control of infected machines.

Netwire RAT creators have put in a lot of work to ensure that researchers have a hard time analyzing this malware, as many precautions are taken to complicate the research process, including techniques like multiple data encryption layers and string obfuscation. In addition, the malware uses a custom C2 binary protocol that is also encrypted, and so is the relevant data before transmission.

During one campaign, researchers have observed Netwire being distributed as “TeamViewer 10” – named so in an effort to trick victims into thinking that they have downloaded the legitimate remote assistance software. Once the execution process began, this version would drop an .EXE file and start establishing persistence right away. The malware created a Windows shortcut in the Startup menu to ensure that the Netwire trojan would always run when the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign. The malware would inject its code into the Notepad.exe, unveiling its presence since it’s not normal for the notepad to have an always active network connection. Only after decoding the data prepared for transmission to the C2, the sensitive nature of the stolen information was discovered. Unfortunately, researches did not reveal what the organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of the Netwire in a lot of detail and works like a tutorial.

process graph of the Netwire execution Figure 1: Process graph generated by ANY.RUN allows visualizing the life cycle of Netwire

a text report of a netwire analysis Figure 2: A text report generated by ANY.RUN is a great tool to share the research results

Netwire RAT execution process

Netwire isn't as exciting as some other malicious programs can be as far as malware execution goes. It makes its way into the device, mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. After that, the executable starts performing the main malicious activity such as writing itself in autorun, connecting to C2 servers, and stealing information from an infected device. Netwire also has the ability to inject into unsuspicious processes from which it can perform malicious activities.

Distribution of Netwire RAT

Netwire RAT is usually being distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state. The macros then proceed to download Netwire, allowing the malware to start the execution process.

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with events from tasks or share them with colleagues for tutorials, they can export to different formats. Just click on the "Export" button and choose the most suitable format in the drop-down menu.

Export options for netwire malware Figure 3: Export options for netwire malware

Conclusion

Diverse information stealing feature sets combined with the ability to target multiple operating systems and steal data from credit cards used in an infected system make Netwire Trojan a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some select cases. The situation is further worsened by the fact that creators of Netwire RAT have implemented several features designed to complicate the analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services, such as ANY.RUN, which allows to influence the simulation at any point and get much purer research results.

IOCs

IP addresses
192.169.69.26
79.134.225.85
3.131.207.170
193.161.193.99
192.169.69.25
3.13.191.225
3.142.81.166
193.187.91.115
3.134.125.175
185.140.53.230
3.22.30.40
3.17.7.232
3.14.182.203
79.134.225.77
185.19.85.153
79.134.225.7
176.107.178.179
185.157.162.241
18.189.106.45
185.19.85.181
Hashes
092e7c3730ffc7247c77edb1386dc02568620d81b74f8b5f4c13a681e6cd087b
0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c
5a492950f02801cc683a3d8cf64c6036974f2971a15d66ca1879a351ca889276
3f83f7c5d39b7f7888fce8557c3d2e8fd8054455f8fdadbd907da77144bd9b05
43f12717188420f2f146f2532fb245ab7b00d099bd26b6301f7f8cd0a71ef6f7
782728dd966936117bb0a8b9d8cc1f3946c3a428550f9d1b7e19eccdc091b991
91acdc04a03134c17ccff873f10e90c538ed74c7ab970b9899ac5c295e165a75
2cc26f492feded508b95b934e98fac19fb073f24d20bb647c064d06baa7ce070
e9d7fd19d9cf87858ef8bcedf7ac72f198f4847fb2df7112e2be20a0e609d0b2
8280ae0f658012a4fad6f3d1371818e8667488ea20af33549746e291d103c841
4c01cc3dd96c524054207f6b37a334c62549857f28c0286cc8dfc30b6d388e34
e502fcf4ae5b5af00d0d58b55295cff685f473f8d57e750bfde618161d3ba006
11084f0e466c6e14a898cd1e806dcfddc4ae3c7819a617c3d0a54490989ba559
1a00092e00ec3902038b0ead2b083c686503b33d0bdaa50e669dcf03763143fa
e4d007cf2d939943729981593107d2495ac5291b9434ce51ae8cb5134d05e646
e4b66d8eccf8e0ec2f33afb880b23e1a5dc131028bf91a4c5cbbbd883331fa65
25cf559d1de914a23563ad710eb291840283e5e9963b3941e51799220cc09ea5
7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244
aaf67f1462f91b3f9a2a2e06a0dd184da4575373a4ad03479e04b2fa975f4f1a
62fad464154b7411f1e5b993edafd111638f2b0770ffe1f6cfc166ae6b8404d9
Domains
2.tcp.ngrok.io
www.petsfan.com
qxq.ddns.net
192-168-100-240.otmn.direct.quickconnect.to
192-168-100-240.otmn.direct.quickconnect.to
8.tcp.ngrok.io
6.tcp.ngrok.io
isns.net
3.tcp.ngrok.io
192-168-100-87.abcdefghijklmnopqrstuvwxyz012345.plex.direct
vilvaraj-32652.portmap.io
PartyBit-49075.portmap.host
bigshazza-20890.portmap.io
ziperd-48946.portmap.io
kubar-44613.portmap.io
zoroark-51867.portmap.host
DarlingSH-37506.portmap.host
jorankh-31689.portmap.host
jorankh-34614.portmap.host
toxete5095-30806.portmap.io

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More