Netwire

Netwire is an advanced RAT, a type of malware that takes control of infected PCs and lets its operators perform a variety of actions. Unlike many RATs, it can target every major operating system, including Windows, Linux and macOS.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 January, 2012
Last seen: 12 July, 2020
Also known as: Recam
Global rank: 17
Week rank: 11
Month rank: 11
IOCs: 2995

What is Netwire RAT?

Netwire is a remote access trojan (RAT), a type of malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple’s macOS and Linux.

Netwire malware is available for purchase on the darknet in underground hacking communities, where attackers can buy this RAT for 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for 180 USD. Notably, in 2016 Netwire received an update that added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

The Netwire Trojan's core functionality allows the malware to take remote control of infected PCs, record keystrokes and mouse activity, take screenshots, collect system information and create fake HTTP proxies.

The keylogging functionality allows Netwire to record a variety of personal data entered on a computer connected to the internet or to a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is capable of inflicting serious damage on organizations.

In some malicious campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware was also documented in use by a group of scammers from Africa, who used Netwire to take remote control of infected machines.

Netwire RAT's creators have put a lot of work into making this malware hard for researchers to analyze: multiple layers of data encryption and string obfuscation are among the precautions taken to complicate the research process. In addition, the malware uses a custom, encrypted C2 binary protocol, and the relevant data is also encrypted before transmission.

During one campaign, researchers observed Netwire being distributed as “TeamViewer 10”, named so in an effort to trick victims into thinking they had downloaded the legitimate remote assistance software. Once execution began, this version dropped an .EXE file and immediately started establishing persistence. The malware created a Windows shortcut in the Startup folder of the Start menu, ensuring that the Netwire trojan would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign. The malware injected its code into Notepad.exe, which revealed its presence, since it is not normal for Notepad to hold an always-active network connection. Only after decoding the data prepared for transmission to the C2 was the sensitive nature of the stolen information discovered. Unfortunately, the researchers did not reveal which organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of Netwire in detail.

Figure 1: Process graph generated by ANY.RUN, visualizing the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN is a convenient way to share research results

Netwire RAT execution process

As far as malware execution goes, Netwire isn't as eventful as some other malicious programs can be. It mostly makes its way onto the device in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. The executable then starts performing the main malicious activity, such as writing itself to autorun, connecting to C2 servers and stealing information from the infected device. Netwire also has the ability to inject itself into unsuspicious processes, from which it can perform its malicious activities.

Distribution of Netwire RAT

Netwire RAT is usually distributed in email phishing campaigns as a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state; the macros then download Netwire, allowing the malware to start its execution process.
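The execution chain described in the two sections above (an Office document spawning a dropped executable, autorun persistence, and the injected Notepad.exe holding a network connection noted in the TeamViewer 10 campaign) maps onto a few simple endpoint detection rules. The following is an added example written for this page, not ANY.RUN code or a Netwire sample: it runs those rules over constructed, Sysmon-like events for a hypothetical host. The file paths, the user name, the Run key entry and the remote address (a TEST-NET range value) are all placeholders.

```python
"""Behavioural detection for the Netwire execution chain described above.

Added example, not ANY.RUN code. All events below are constructed records
for a hypothetical host; paths, user name and remote addresses are placeholders.
"""
from dataclasses import dataclass
from typing import List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Programs that have no legitimate reason to hold an outbound connection.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Startup folder under the Start menu (lower-cased substring of the full path).
STARTUP_FOLDER = r"\start menu\programs\startup"
# Covers Run, RunOnce and RunServices keys in HKCU and HKLM.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"


@dataclass(frozen=True)
class Event:
    kind: str          # "process", "file", "registry" or "network"
    image: str         # image path of the acting process
    parent: str = ""   # parent image path (process events only)
    target: str = ""   # created file, registry key or remote address


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[Event]) -> List[str]:
    """Return one finding per suspicious event; an empty list when nothing matched."""
    findings = []
    for e in events:
        image = basename(e.image)
        target = e.target.lower()
        if e.kind == "process" and basename(e.parent) in OFFICE_APPS and image.endswith(".exe"):
            # Stage 1 of the chain: an Office document's macro starts a dropped executable.
            findings.append(f"office_spawned_executable: {basename(e.parent)} -> {e.image}")
        elif e.kind == "file" and STARTUP_FOLDER in target and target.endswith(".lnk"):
            # Persistence: shortcut in the Startup folder, as in the TeamViewer 10 campaign.
            findings.append(f"startup_shortcut: {image} wrote {e.target}")
        elif e.kind == "registry" and RUN_KEY in target:
            # Persistence: autorun entry under a Run key.
            findings.append(f"run_key_autorun: {image} set {e.target}")
        elif e.kind == "network" and image in NO_NETWORK_EXPECTED:
            # The tell described above: injected code in notepad.exe opens a connection.
            findings.append(f"unexpected_network: {image} -> {e.target}")
    return findings


# Constructed sample telemetry (hypothetical host, placeholder values).
DROPPER = r"C:\Users\alice\AppData\Local\Temp\TeamViewer 10.exe"
SAMPLE_EVENTS = [
    Event("process", DROPPER, parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("file", DROPPER,
          target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer 10.lnk"),
    Event("registry", DROPPER, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TeamViewer 10"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent=DROPPER),
    Event("network", r"C:\Windows\System32\notepad.exe", target="203.0.113.7:443"),
    # Benign activity that must not fire.
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe", target="203.0.113.8:443"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The fourth event (the dropper starting notepad.exe) deliberately produces no finding on its own: a user-land process launching Notepad is ordinary, and it is the later network connection from that Notepad that is anomalous, which is exactly the signal the analysts in the campaign above picked up on.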

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with events from tasks, or just want to share them with colleagues, they can export them in different formats: click the "Export" button and choose the most suitable format from the drop-down menu.

Figure 3: Export options for Netwire malware

Conclusion

A diverse information-stealing feature set, combined with the ability to target multiple operating systems and steal data from credit cards used on an infected system, makes the Netwire Trojan a highly dangerous remote access trojan.

Despite its extensive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some cases. The situation is made worse by the fact that the creators of Netwire RAT have implemented several features designed to complicate analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services such as ANY.RUN, which allow them to influence the simulation at any point and obtain much cleaner research results.

IOCs

IP addresses
109.169.89.116
193.161.193.99
192.169.69.25
79.134.225.49
194.5.97.55
185.140.53.6
194.5.97.88
185.140.53.54
79.134.225.122
188.165.231.79
79.134.225.85
79.134.225.43
102.157.245.251
37.223.208.94
194.5.97.23
79.134.225.119
185.244.30.16
91.193.75.137
79.134.225.84
Hashes
523e3d1fda9eb37098ae774b20f87e5552c5f38228dcf311298caf4bc5c2d086
2af15c499a2aa3dd7865fe9ce7fa8b4f38fdf2e65b32a6082d43bf0001073775
f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b
0f0322c44c393d5c125628af2cbc849cfd3f801ef9d4d20a9b740c04b1790967
de5c2d4af60466716124c4020f90b7b0aba44d3fc87a0cf5d039453a3b17ab37
88dd3b2c467d2b79d65fead83628c4d71abd595bb28a186936d1785d652e7b2a
be63cc77165fda170645c340140741202f7265132c12ed2da4489319f56d3a88
28c5d025c5fecc84ad805928196165d3ecab2a197f9f3df5e06f4388ce1337fa
c53bb7c67834bf15a10b577acea646a09ce3b280832147afe9930e515465e075
69b37face225a3bfbe87853c457b291f8f5f119f530d4936360130add57de5b3
4e53bd81fd15220f8be50f3504bbcef5ce662c8ecd938b35a093883090fe0af2
d9354b3874ed156872ec32761d65a1d3fbdcff6504884088f91f4b2bf0210814
9ca4654196219da2643e43825870f88fa796ecdc313bc3c00153631bd377e18b
dbc5ce3caf135f9257df0e5cab485ab41435bcc9a63077cfebaa3b464a4ae523
54cd2f165cdc6bc4fcc50fce8da1206b5c1bfedb442d2a000e965019d379a719
0507358f49b8a181b954f10753608d9cf61ec33ea585f7198345ec4dc927d544
f697b6ee9a2b5925b64fa4028f54e72f5219babd6f819a761b173b319069f06e
cdb81c63c05c1850a79a3441001e9f007fea5851a06090da724c8fe924204e93
ca0981bea4704bc3fe30bd2fcc6c6a8961efac8b68dbaf10f9f35174d65f91ab
e57de6eca2988736f0c9324e90427ae63840951724a1da6c6f35cd301fd919ff
Domains
graceandfavorandlove.duckdns.org
isns.net
server18041.hopto.org
sugardaddy-31192.portmap.host
la-50182.portmap.host
kingmac1-45647.portmap.host
KingMac1-45647.portmap.host
gamersploit-63961.portmap.io
MegaOof-56159.portmap.io
MegaOof-28211.portmap.host
georgemichael11119-33344.portmap.host
adamsafe-23839.portmap.io
Newbiesx-25518.portmap.host
EMpire0213-30527.portmap.io
Slxthy23rf-58263.portmap.io
Slxthy23rf-59933.portmap.io
Healingblossom-28321.portmap.host
VASCO-42208.portmap.host
markfish1001-26333.portmap.host
nickman12-46565.portmap.io
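The IOC list above is most useful when it is matched against a site's own telemetry. The following is an added example for this page, not ANY.RUN tooling: it normalizes a subset of the published indicators (the domain list mixes case, as in kingmac1-45647 / KingMac1-45647, and an IP appears more than once, so normalization and set semantics collapse those) and scans constructed DNS, connection and file-hash log lines for hits. The IP addresses, domains and SHA-256 values are copied from the list above; every log line, host name and internal address is constructed for illustration.

```python
"""Scan constructed log lines for the Netwire IOCs published on this page.

Added example, not ANY.RUN's tooling. IOC values are copied from the page's
list (a subset); every log line below is constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Subset of the page's IOCs, copied as published (note the case variants and the repeated IP).
RAW_IPS = ["109.169.89.116", "79.134.225.49", "79.134.225.122", "79.134.225.122",
           "185.140.53.6", "194.5.97.55"]
RAW_DOMAINS = ["graceandfavorandlove.duckdns.org", "isns.net", "server18041.hopto.org",
               "kingmac1-45647.portmap.host", "KingMac1-45647.portmap.host", "MegaOof-56159.portmap.io"]
HASH_TEAMVIEWER = "523e3d1fda9eb37098ae774b20f87e5552c5f38228dcf311298caf4bc5c2d086"
RAW_HASHES = [HASH_TEAMVIEWER,
              "2af15c499a2aa3dd7865fe9ce7fa8b4f38fdf2e65b32a6082d43bf0001073775",
              "f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
QNAME_RE = re.compile(r"\bqname=(\S+)")


def normalize_domain(name: str) -> str:
    """DNS names are case-insensitive and logs may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def build_iocs(ips: Iterable[str], domains: Iterable[str], hashes: Iterable[str]) -> Dict[str, Set[str]]:
    """Normalized IOC sets; duplicates and case variants collapse here."""
    return {
        "ip": set(ips),
        "domain": {normalize_domain(d) for d in domains},
        "sha256": {h.lower() for h in hashes},
    }


def domain_hit(name: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the matching IOC for name or any parent domain, so update.isns.net hits isns.net."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def scan(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, indicator type, observed value, matching IOC) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip, ip))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((n, "sha256", h, h.lower()))
        for q in QNAME_RE.findall(line):
            ioc = domain_hit(q, iocs["domain"])
            if ioc:
                hits.append((n, "domain", q, ioc))
    return hits


# Constructed sample logs (hypothetical hosts and internal addresses).
SAMPLE_LOGS = [
    "2020-07-12T10:01:02Z dns host=WS01 qname=KingMac1-45647.portmap.host rcode=NOERROR",
    "2020-07-12T10:01:03Z conn host=WS01 src=10.0.0.5 dst=79.134.225.122 dport=443 proto=tcp",
    "2020-07-12T10:01:04Z dns host=WS02 qname=update.isns.net. rcode=NOERROR",
    rf'2020-07-12T10:01:05Z file host=WS01 path="C:\Users\alice\AppData\Local\Temp\TeamViewer 10.exe" '
    rf"sha256={HASH_TEAMVIEWER.upper()}",
    "2020-07-12T10:01:06Z conn host=WS03 src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp",
    "2020-07-12T10:01:07Z dns host=WS03 qname=www.example.com rcode=NOERROR",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_iocs(RAW_IPS, RAW_DOMAINS, RAW_HASHES)):
        print(hit)
```

Matching parent domains is a deliberate choice: the list contains a bare registered domain (isns.net), and a query for any host beneath it should count. The same walk must not be applied to the dynamic-DNS parents such as portmap.host or duckdns.org, which is why only the published full names, not their suffixes, are in the IOC set.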
