Netwire

Netwire is an advanced RAT, a piece of malware that takes control of infected PCs and allows its operators to perform a variety of actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux and macOS.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 January, 2012
Last seen: 18 January, 2020
Also known as: Recam
Global rank: 16
Week rank: 7
Month rank: 12
IOCs: 1327

What is Netwire RAT?

Netwire is a remote access trojan (RAT), a type of malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple's macOS, and Linux.

Netwire malware is available for purchase on the darknet in the underground hacking communities where attackers can buy this RAT for the price of 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for a price of 180 USD. Notably, in 2016 Netwire received an update which added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

The core functionality of the Netwire Trojan allows this malware to take remote control of infected PCs, record keystrokes and mouse behavior, take screenshots, check system information and create fake HTTP proxies.

The keylogger functionality allows Netwire to record a variety of personal data that is typed on a computer connected to the internet or to a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is capable of posing a serious danger to organizations.

In some malicious campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware has also been documented in use by a group of scammers from Africa who utilized Netwire to take remote control of infected machines.

Netwire RAT creators have put a lot of work into ensuring that researchers have a hard time analyzing this malware: a number of precautions are taken to complicate the research process, including multiple data encryption layers and string obfuscation. In addition, the malware uses a custom C2 binary protocol that is itself encrypted, and the collected data is encrypted as well before transmission.

During one campaign researchers observed Netwire being distributed as "TeamViewer 10", named so in an effort to trick victims into thinking that they had downloaded the legitimate remote assistance software. Once execution began, this version would drop an .EXE file and proceed to establish persistence right away. The malware created a Windows shortcut in the Startup menu to make sure that the Netwire trojan would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign. The malware would inject its code into Notepad.exe, unveiling its presence, since it is not normal for Notepad to have an always active network connection. Only after decoding the data prepared for transmission to the C2 was the sensitive nature of the stolen information discovered. Unfortunately, researchers did not reveal which organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of Netwire in a lot of detail.

Figure 1: Process graph generated by ANY.RUN allows to visualize the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN is a great tool to share the research results

Netwire RAT execution process

As far as malware execution goes, Netwire isn't as exciting as some other malicious programs can be. It makes its way into the device mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. After that, the executable starts performing the main malicious activity, such as writing itself into autorun, connecting to C2 servers and stealing information from the infected device. Netwire also has the ability to inject into legitimate-looking processes, from which it can perform its malicious activities.
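The execution chain above and the "TeamViewer 10" campaign described earlier share three observable behaviours: an Office application spawning an executable, a shortcut written to the Startup folder, and a network connection from an injected Notepad.exe. The following is an added detection example, not ANY.RUN's code or Netwire's; it scans a constructed JSON-lines event export, and the file names, PIDs and the TEST-NET address 203.0.113.10 are made up.

```python
"""Flag Netwire-style behaviours in sandbox process/file/network events."""
import json
import re

# Constructed sample events loosely modelled on a sandbox export (not real data).
SAMPLE_EVENTS = r"""
{"ts": "2020-01-18T10:00:01Z", "type": "process", "pid": 1204, "ppid": 900, "image": "C:\\Users\\u\\Downloads\\TeamViewer 10.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"ts": "2020-01-18T10:00:02Z", "type": "file_write", "pid": 1204, "path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\netwire_sample.lnk"}
{"ts": "2020-01-18T10:00:03Z", "type": "process", "pid": 2288, "ppid": 1204, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Users\\u\\Downloads\\TeamViewer 10.exe"}
{"ts": "2020-01-18T10:00:04Z", "type": "network", "pid": 2288, "dst_ip": "203.0.113.10", "dst_port": 3360}
{"ts": "2020-01-18T10:00:05Z", "type": "network", "pid": 900, "dst_ip": "203.0.113.20", "dst_port": 443}
"""

# Any .lnk written into the per-user or all-users Startup folder (persistence step).
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Windows utilities that should never open outbound connections; notepad.exe is the
# injection target from the campaign above, the other entries are assumed.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scan(events_text):
    """Return (pid, rule, detail) tuples, one per suspicious event, in log order."""
    images = {}      # pid -> image basename, learned from process events
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        kind, pid = ev["type"], ev["pid"]
        if kind == "process":
            images[pid] = basename(ev["image"])
            # Office spawning an executable outside C:\Windows matches the macro stage.
            if (basename(ev["parent_image"]) in OFFICE_IMAGES
                    and not ev["image"].lower().startswith("c:\\windows\\")):
                findings.append((pid, "office_spawned_executable", ev["image"]))
        elif kind == "file_write" and STARTUP_LNK.search(ev["path"]):
            findings.append((pid, "startup_shortcut", ev["path"]))
        elif kind == "network" and images.get(pid) in NO_NETWORK_IMAGES:
            detail = f"{images[pid]} -> {ev['dst_ip']}:{ev['dst_port']}"
            findings.append((pid, "network_from_non_network_process", detail))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The three rules are deliberately narrow; in production the Office-child rule needs an allow list for legitimate helpers Office launches, or it will be noisy.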

Distribution of Netwire RAT

Netwire RAT is usually being distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros in order for the RAT to enter an active state. The macros then proceed to download Netwire, allowing the malware to start the execution process.

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with events from tasks, or just want to share them with colleagues, they can export them to different formats. Just click on the "Export" button and choose the most suitable format in the drop-down menu.

Figure 3: Export options for Netwire malware

Conclusion

A diverse information-stealing feature set, combined with the ability to target multiple operating systems and steal data from credit cards used on an infected system, makes the Netwire Trojan a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some select cases. The situation is further worsened by the fact that creators of Netwire RAT have implemented several features designed to complicate the analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services, such as ANY.RUN, that allow analysts to influence the simulation at any point and obtain much cleaner research results.

IOCs

