Netwire

Netwire is an advanced RAT, malware that takes control of infected PCs and lets its operators perform a variety of actions. Unlike many RATs, it can target every major operating system, including Windows, Linux and macOS.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 January, 2012
Last seen: 19 October, 2020
Also known as: Recam
Global rank: 17
Week rank: 15
Month rank: 11
IOCs: 3548

What is Netwire RAT?

Netwire is a remote access trojan (RAT), a class of malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple's macOS and Linux.

Netwire is sold on the darknet in underground hacking communities, where attackers can buy the RAT for 40 to 140 USD. It can also be purchased on the surface internet for 180 USD. Notably, in 2016 Netwire received an update that added the ability to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

Netwire's core functionality lets the malware take remote control of infected PCs, record keystrokes and mouse activity, take screenshots, collect system information and create fake HTTP proxies.

The keylogger functionality allows Netwire to record a wide range of personal data entered on a computer connected to the internet or to a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is capable of causing serious harm to organizations.

In some malicious campaigns, Netwire was used to target healthcare and banking businesses. The malware was also documented in use by a group of scammers from Africa, who utilized Netwire to take remote control of infected machines.

Netwire's creators have put a lot of work into making the malware hard for researchers to analyze: precautions such as multiple layers of data encryption and string obfuscation complicate the research process. In addition, the malware uses a custom, encrypted binary C2 protocol, and the data itself is encrypted before transmission.

During one campaign, researchers observed Netwire being distributed as "TeamViewer 10", named so to trick victims into thinking they had downloaded the legitimate remote assistance software. Once execution began, this version would drop an .EXE file and immediately start establishing persistence. The malware created a Windows shortcut in the Startup menu to make sure Netwire would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away in this particular campaign: the malware injected its code into Notepad.exe, which revealed its presence, since it is not normal for Notepad to hold an always-active network connection. Only after decoding the data prepared for transmission to the C2 did the sensitive nature of the stolen information become apparent. Unfortunately, the researchers did not reveal which organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of Netwire in detail.

Figure 1: Process graph generated by ANY.RUN, visualizing the life cycle of Netwire

Figure 2: Text report generated by ANY.RUN, a convenient way to share research results

Netwire RAT execution process

As far as execution goes, Netwire is not as elaborate as some other malicious programs. It usually arrives on the device as a payload delivered by another file.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. The executable then starts the main malicious activity, such as writing itself into autorun, connecting to C2 servers and stealing information from the infected device. Netwire can also inject itself into inconspicuous processes, from which it performs its malicious activities.

Distribution of Netwire RAT

Netwire RAT is usually distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state. The macros then download Netwire, allowing the malware to start its execution process.
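The execution chain described in the two sections above (Office document, dropped executable, Startup-folder shortcut, code injected into Notepad.exe, network connection from Notepad.exe) maps to a short sequence of endpoint events that a detection engineer can key on. The following added example, which is not code from the ANY.RUN page or from Netwire itself, walks constructed Sysmon-style event records through one rule per stage. The field names (`parent_image`, `image`, `target`, `source_image`, `target_image`, `dest`), the sample paths and the TEST-NET destination address are all assumptions made for the example.

```python
# Added example, not from the ANY.RUN page or from Netwire: a small detector for
# the execution chain the page describes (Office document -> dropped executable
# -> Startup-folder shortcut -> injection into notepad.exe -> network connection
# from notepad.exe). Event records are constructed, Sysmon-style dictionaries;
# the field names are an assumption.
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Processes that, as the page notes for notepad.exe, normally neither receive
# injected threads nor hold an active network connection.
QUIET_PROCESSES = {"notepad.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a stage of the chain."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            # Stage 1: an Office application launching a non-Office executable,
            # which is what a macro downloader does once macros are enabled.
            if parent in OFFICE_PARENTS and child.endswith(".exe") and child not in OFFICE_PARENTS:
                alerts.append({"rule": "office_spawned_executable",
                               "pid": ev["pid"], "detail": f"{parent} -> {child}"})
        elif kind == "file_create":
            target = ev["target"].replace("/", "\\").lower()
            # Stage 2: a shortcut written to the Startup folder so the dropped
            # file runs at every logon.
            if STARTUP_DIR in target and target.endswith(".lnk"):
                alerts.append({"rule": "startup_shortcut_persistence",
                               "pid": ev["pid"], "detail": ev["target"]})
        elif kind == "remote_thread":
            source, target_img = _basename(ev["source_image"]), _basename(ev["target_image"])
            # Stage 3: a thread created in notepad.exe by another process, the
            # usual footprint of code injection.
            if target_img in QUIET_PROCESSES and source != target_img:
                alerts.append({"rule": "remote_thread_into_" + target_img.split(".")[0],
                               "pid": ev["target_pid"], "detail": f"{source} -> {target_img}"})
        elif kind == "network_connect":
            image = _basename(ev["image"])
            # Stage 4: the injected host process talking to the C2.
            if image in QUIET_PROCESSES:
                alerts.append({"rule": "unexpected_network_from_" + image.split(".")[0],
                               "pid": ev["pid"], "detail": ev["dest"]})
    return alerts


# Constructed sample telemetry: one Netwire-like chain followed by two benign
# events. The destination address is from the TEST-NET range, not a real C2.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": "4312",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\TeamViewer 10.exe"},
    {"type": "file_create", "pid": "4312",
     "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\TeamViewer 10.lnk"},
    {"type": "remote_thread", "source_pid": "4312", "target_pid": "5120",
     "source_image": "C:\\Users\\victim\\AppData\\Local\\Temp\\TeamViewer 10.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe"},
    {"type": "network_connect", "pid": "5120",
     "image": "C:\\Windows\\System32\\notepad.exe", "dest": "203.0.113.10:3360"},
    {"type": "process_create", "pid": "6000",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"type": "network_connect", "pid": "6000",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest": "203.0.113.20:443"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["pid"], alert["detail"])
```

Each stage on its own produces noise in a real environment (Word legitimately spawns a few helper executables, and users do create Startup shortcuts), so in production these rules are worth correlating by process id and time window rather than alerting on individually; the sample chain here trips all four within one parent process, which is the pattern the page describes.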

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with the events from a task, or simply want to share them with colleagues, they can export them in several formats. Click the "Export" button and choose the most suitable format from the drop-down menu.

Figure 3: Export options for Netwire malware

Conclusion

A diverse information-stealing feature set, combined with the ability to target multiple operating systems and to steal data from credit cards used on an infected system, makes Netwire a highly dangerous remote access trojan.

Despite its extensive functionality, the malware is fairly accessible, "retailing" on underground forums for as little as 40 dollars in some cases. The situation is made worse by the fact that the creators of Netwire RAT have implemented several features designed to complicate analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services such as ANY.RUN, which allow analysts to influence the simulation at any point and obtain much cleaner research results.

IOCs

IP addresses
193.161.193.99
192.169.69.25
3.14.182.203
79.134.225.93
3.17.7.232
79.134.225.121
79.134.225.92
94.102.51.124
79.134.225.97
194.5.97.15
79.134.225.71
79.134.225.115
185.19.85.143
143.159.250.165
31.220.4.216
185.140.53.164
79.134.225.85
185.140.53.223
79.134.225.73
193.218.118.190
Hashes
fee39b9cfc4157d75b658a828e45398f945506e5dc6831a038fec1f38b75df0c
fcafbd4579ef27eeeea5b955b4c04f4bb74a64516e3cfd55e280bd7dd9d79750
31f5eb4bdbc0d219b3977b19ca2bea0f79e86830510fd22b495362725f179084
890e125983c62b01a6b902a85c63bc2aa1d442e7d4b7182b6b394ebd0aa7e679
0784e638fe04e5cd4775531aacae4a7e200e0748a49407def7044017ec5939e8
883a101623a8ff6b1020387137c8167db8d2713a5dd7f2085cafa54d890e227c
c666965389faf918f98705ec8c5f31e65b1c34cdb20153058d37051ee74d1d21
b11787ee6ede41292cdca61841d17f030b8a898f5a2821834d8b442a21dad464
d3d9e396bc72900027671064a0c94261275e8516b1fd76247dcd65b22307c484
64c5d20eca2b1220a0c5d1334a3a3fd76e9dbb2c5c1ebf63cf36917787796450
ea58e11a292557eb1f0fe266eb07bc184764c84f0a132893e4c67db230bb2b64
28ef8328a89164a75dde3a092d7c2abe96ca83f61798f56007b54fdca4b89560
bcedae657c70a944ca43452e1d5f78cbc1e2b57f469af5f5d122cdc6763c1bb6
89437154971b32b512686ffe2a6cf00883482d37d53479995b6434f1f4002088
8d5f8215665cbc1b148d1c92e14ff46be861cc1b3b25c93b87e7df163f4e614b
5d1379867d95e59ae042481699b17b32534ee113436392fae6a7b6b1559dc69c
7a4ba5f3966a58bcf8b77a80355525600237d589d3992bc65b4ad74d5d9ec1d3
1f6920e95bb00952656dcd45956dab83a318e8435babb1d20199859cb4b72997
1b0cd29f5fb379f720d4d4c7a2a12002a4e1e0ebf255c90a5efa92635b6072ae
81682049c6670f83d2b6b379ee48cc1b8c6f7f89724e2f1dcd7d0d4cc58cde2b
Domains
elx01.knas.systems
vilvaraj-32652.portmap.io
PartyBit-49075.portmap.host
bigshazza-20890.portmap.io
ziperd-48946.portmap.io
kubar-44613.portmap.io
zoroark-51867.portmap.host
DarlingSH-37506.portmap.host
jorankh-31689.portmap.host
jorankh-34614.portmap.host
toxete5095-30806.portmap.io
eclipseelisa7-25341.portmap.io
Mattrevwizard-43846.portmap.host
Kupcia-53901.portmap.io
Amazonsupport-58169.portmap.host
dovydas560-41641.portmap.io
ratergod-43995.portmap.host
167e-35300.portmap.io
mcnova10-32892.portmap.host
TonyChocolony-31151.portmap.host
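The IOC section above is laid out as a heading followed by one value per line. The following added example, which is not code from the ANY.RUN page, parses that layout into typed sets and checks log lines against them, matching IPs exactly, hashes case-insensitively, and hostnames either exactly or as a subdomain of a listed domain. The five IOC values embedded in `IOC_TEXT` are copied from the page's list; the log lines and their format are constructed for the example.

```python
# Added example, not from the ANY.RUN page: load the page's IOC list into typed
# sets and scan log lines against them. The IOC values below are a subset of
# the page's own IOC section; the log lines and the log format are constructed.
import re
from typing import Dict, List, Set, Tuple

IOC_TEXT = """IP addresses
79.134.225.93
193.161.193.99
Hashes
fee39b9cfc4157d75b658a828e45398f945506e5dc6831a038fec1f38b75df0c
Domains
elx01.knas.systems
vilvaraj-32652.portmap.io
"""

HEADINGS = {"IP addresses": "ip", "Hashes": "hash", "Domains": "domain"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split the 'heading, then one value per line' layout into typed sets."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "hash": set(), "domain": set()}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in HEADINGS:
            current = HEADINGS[line]
        elif current:
            # Lower-case so mixed-case hashes and hostnames still match.
            iocs[current].add(line.lower())
    return iocs


def match_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (ioc_type, value) pairs found in a single log line."""
    hits: List[Tuple[str, str]] = []
    lowered = line.lower()
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for sha in SHA256_RE.findall(lowered):
        if sha in iocs["hash"]:
            hits.append(("hash", sha))
    for host in HOST_RE.findall(lowered):
        # Exact match or a subdomain of a listed domain.
        if any(host == d or host.endswith("." + d) for d in iocs["domain"]):
            hits.append(("domain", host))
    return hits


def scan(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, Tuple[str, str]]]:
    """Pair each matching log line with every IOC hit it contains."""
    return [(line, hit) for line in lines for hit in match_line(line, iocs)]


# Constructed log lines: DNS, firewall and EDR records in a made-up format.
SAMPLE_LOGS = [
    "2020-10-19T10:01:02Z dns query=vilvaraj-32652.portmap.io client=10.0.0.5",
    "2020-10-19T10:01:03Z fw allow 10.0.0.5 -> 79.134.225.93:3360",
    "2020-10-19T10:02:10Z edr file=C:\\Users\\victim\\AppData\\Local\\Temp\\TeamViewer 10.exe "
    "sha256=FEE39B9CFC4157D75B658A828E45398F945506E5DC6831A038FEC1F38B75DF0C",
    "2020-10-19T10:03:00Z dns query=www.example.com client=10.0.0.7",
]

if __name__ == "__main__":
    for line, (kind, value) in scan(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"{kind:6} {value}  <- {line}")
```

The subdomain rule is deliberate: the page's domain IOCs are all portmap.io / portmap.host tunnels, and Netwire operators would only need to register a new label under the same service to change the exact string, so matching on the listed host and anything beneath it catches slightly more than an exact-string compare without flagging the whole dynamic-DNS provider.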
