Netwire

Netwire is an advanced RAT — malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 January, 2012
Last seen: 26 January, 2023
Also known as: Recam
Global rank: 22
Week rank: 18
Month rank: 21
IOCs: 6854

What is Netwire RAT?

Netwire is a remote access trojan-type malware. A RAT is malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple’s MacOS, and Linux.

Netwire malware is available for purchase on the darknet in the underground hacking communities, where attackers can buy this RAT for the price of 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for a price of 180 USD. Notably, in 2016 Netwire received an update that added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

Netwire Trojan's core functionality allows this malware to take remote control of infected PCs, record keystrokes and mouse behavior, take screenshots, collect system information, and create fake HTTP proxies.

The keylogger functionality allows Netwire to record various personal data entered on a computer connected to the internet or a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is truly capable of inflicting serious damage on organizations.

In some malicious campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware was also documented as being used by a group of scammers from Africa who utilized Netwire to take remote control of infected machines.

Netwire RAT creators have put in a lot of work to ensure that researchers have a hard time analyzing this malware, as many precautions are taken to complicate the research process, including techniques like multiple data encryption layers and string obfuscation. In addition, the malware uses a custom C2 binary protocol that is also encrypted, and so is the relevant data before transmission.

During one campaign, researchers observed Netwire being distributed as “TeamViewer 10” – named so in an effort to trick victims into thinking that they had downloaded the legitimate remote assistance software. Once execution began, this version would drop an .EXE file and start establishing persistence right away. The malware created a Windows shortcut in the Startup folder to ensure that the Netwire trojan would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign: the malware injected its code into Notepad.exe, revealing its presence, since it is not normal for Notepad to keep an always-active network connection. Only after decoding the data prepared for transmission to the C2 was the sensitive nature of the stolen information discovered. Unfortunately, researchers did not reveal which organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of Netwire in a lot of detail and works like a tutorial.

Figure 1: Process graph generated by ANY.RUN allows visualizing the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN is a great tool to share the research results

Netwire RAT execution process

As far as execution goes, Netwire isn't as exciting as some other malicious programs can be. It makes its way onto the device mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. After that, the executable starts performing the main malicious activity, such as writing itself to autorun, connecting to C2 servers, and stealing information from the infected device. Netwire also has the ability to inject into inconspicuous, legitimate-looking processes from which it can perform malicious activities.

Distribution of Netwire RAT

Netwire RAT is usually distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state. The macros then proceed to download Netwire, allowing the malware to start the execution process.
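The behaviors described above (an Office document spawning a dropped executable, a shortcut written to the Startup folder, and Notepad.exe holding a network connection) are all visible in endpoint telemetry. The following is an added detection example, not code from ANY.RUN or from this page; it runs three simple rules over constructed, Sysmon-style event lines (the paths, IPs and field layout are made up for illustration).

```python
from __future__ import annotations
import ntpath

# Constructed sample telemetry (not real logs): "event_id|process image|detail".
# id 1 = process creation (detail = parent image), id 11 = file creation
# (detail = path written), id 3 = network connection (detail = destination).
SAMPLE_EVENTS = r"""
1|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\explorer.exe
1|C:\Users\bob\AppData\Local\Temp\TeamViewer 10.exe|C:\Program Files\Microsoft Office\WINWORD.EXE
11|C:\Users\bob\AppData\Local\Temp\TeamViewer 10.exe|C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tv.lnk
1|C:\Windows\System32\notepad.exe|C:\Users\bob\AppData\Local\Temp\TeamViewer 10.exe
3|C:\Windows\System32\notepad.exe|203.0.113.10:4433
3|C:\Program Files\Mozilla Firefox\firefox.exe|203.0.113.20:443
1|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe
""".strip()

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Per-user Startup folder suffix; a .lnk written here runs at every logon.
STARTUP_MARK = "\\start menu\\programs\\startup\\"
# Processes that should never hold an outbound network connection.
NO_NETWORK_EXPECTED = {"notepad.exe"}


def base(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events: str) -> list[tuple[str, str]]:
    """Apply the three behavioural rules; return (rule name, evidence) pairs."""
    hits: list[tuple[str, str]] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        event_id, image, detail = line.split("|", 2)
        if event_id == "1" and base(detail) in OFFICE_APPS and image.lower().endswith(".exe"):
            hits.append(("office_spawned_executable", image))
        elif event_id == "11" and STARTUP_MARK in detail.lower():
            hits.append(("startup_folder_persistence", detail))
        elif event_id == "3" and base(image) in NO_NETWORK_EXPECTED:
            hits.append(("unexpected_network_from_editor", f"{image} -> {detail}"))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The Firefox connection and the Notepad launched by explorer.exe are left alone, so the rules key on the chain (Office parent, Startup write, network from an editor) rather than on the file names alone.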

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with events from tasks or share them with colleagues for tutorials, they can export to different formats. Just click on the "Export" button and choose the most suitable format in the drop-down menu. Export of any kind of malware research is available including Predator the Thief or Qbot.

Figure 3: Export options for Netwire malware

Conclusion

Diverse information stealing feature sets combined with the ability to target multiple operating systems and steal data from credit cards used in an infected system make Netwire Trojan a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some select cases. The situation is further worsened by the fact that creators of Netwire RAT have implemented several features designed to complicate the analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services, such as ANY.RUN, which allow analysts to influence the simulation at any point and get much cleaner research results.

IOCs

