Netwire

Netwire is an advanced RAT, a type of malware that takes control of infected PCs and lets its operators perform a wide range of actions on them. Unlike many RATs, it can target every major operating system, including Windows, Linux, and macOS.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 January, 2012
Last seen: 21 May, 2022
Also known as: Recam
Global rank: 21
Week rank: 16
Month rank: 13
IOCs: 6217

What is Netwire RAT?

Netwire is a remote access trojan (RAT): malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and runs on multiple platforms, including Windows, Apple's macOS, and Linux.

Netwire is sold in underground hacking communities on the darknet, where attackers can buy the RAT for 40 to 140 USD; it has also been offered on the surface web for 180 USD. Notably, in 2016 Netwire received an update that added the ability to steal data from devices connected to the infected machine, such as USB credit card readers, allowing it to be used in point-of-sale (POS) attacks.

General description of Netwire RAT

The core functionality of the Netwire trojan lets the malware take remote control of infected PCs, record keystrokes and mouse activity, take screenshots, collect system information, and create fake HTTP proxies.

The keylogger lets Netwire capture personal data entered on a computer connected to the internet or a corporate network. Combined with the ability to steal credit card data and operate undetected for extended periods, Netwire RAT can cause serious damage to organizations.

In some campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware was also documented in use by a group of scammers from Africa, who used it to take remote control of infected machines.

Netwire's creators have put considerable effort into making analysis difficult: samples use multiple layers of data encryption and string obfuscation, and C2 communication runs over a custom, encrypted binary protocol, with the collected data also encrypted before transmission.

In one campaign, researchers observed Netwire being distributed as "TeamViewer 10", named to trick victims into believing they had downloaded the legitimate remote-assistance software. Once executed, this version dropped an .EXE file and immediately set up persistence by creating a Windows shortcut in the Startup folder, so that the trojan would run every time the user logged in. Interestingly, a trick meant to keep the malware hidden actually gave it away in this campaign: the malware injected its code into notepad.exe, and a Notepad process holding a persistent network connection is abnormal enough to stand out. Only after the data prepared for transmission to the C2 was decoded did the sensitive nature of the stolen information become clear. The researchers did not disclose which organization was targeted in this attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN lets researchers study the lifecycle of Netwire in detail and works like a tutorial.

Figure 1: Process graph generated by ANY.RUN, visualizing the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN, a convenient way to share research results

Netwire RAT execution process

As far as execution goes, Netwire is less elaborate than some other malware families. It arrives on the device mostly as a payload delivered by an earlier stage.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens it, the executable is dropped or downloaded onto the machine. The executable then carries out the main malicious activity: registering itself in autorun, connecting to C2 servers, and stealing information from the infected device. Netwire can also inject into innocuous-looking processes and carry out its activity from there.

Distribution of Netwire RAT

Netwire RAT is usually distributed in email phishing campaigns as a malicious Microsoft Office document. The victim must enable macros before the RAT becomes active; the macros then download Netwire and start its execution.
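As an added example (not ANY.RUN's code and not part of the original page), the following Python script hunts for the three behaviours described in the execution section and in the "TeamViewer 10" campaign above, running over a handful of constructed Sysmon-style events: an Office macro host spawning an executable from a user-writable directory, a .lnk written to the per-user Startup folder, and notepad.exe opening a network connection. The event layout, the process lists, the file names and paths are assumptions made for illustration; the one destination IP comes from the IOC list on this page.

```python
"""Behavioural hunt for Netwire-style tradecraft over constructed
Sysmon-like events (added example, not ANY.RUN's code).

Signals, all taken from the campaign description on this page:
  1. an Office macro host spawning an executable from a user-writable path
  2. a .lnk dropped into the per-user Startup folder (persistence)
  3. notepad.exe (an injection host) opening a network connection
Event IDs follow Sysmon (1 = process create, 3 = network connect,
11 = file create); the field names are simplified assumptions.
"""
from typing import Dict, List, Tuple

# Benign processes that should not initiate outbound connections.
# notepad.exe is the one named on the page; the others are assumed.
INJECTION_HOSTS = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Office applications that host VBA macros.
MACRO_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Path fragment of the per-user Startup folder (lower-cased for matching).
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Directories a regular user can write to; droppers usually land here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

Finding = Tuple[str, str, str]  # (rule, actor, detail)

# Constructed events. 192.169.69.26 is from the IOC list on this page;
# the file names, paths and the benign Firefox event are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\TeamViewer 10.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\TeamViewer 10.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Host.lnk"},
    {"id": 3, "image": r"C:\Windows\System32\notepad.exe",
     "dest_ip": "192.169.69.26", "dest_port": 443},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 11, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Finding]:
    """Apply the three rules to a list of events and return the findings."""
    findings: List[Finding] = []
    for ev in events:
        image = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent"])
            child_lower = ev["image"].lower()
            if parent in MACRO_HOSTS and any(d in child_lower for d in USER_WRITABLE):
                findings.append(("macro_host_spawned_exe", parent, ev["image"]))
        elif ev["id"] == 11:
            target_lower = ev["target"].lower()
            if STARTUP_FRAGMENT in target_lower and target_lower.endswith(".lnk"):
                findings.append(("startup_persistence", image, ev["target"]))
        elif ev["id"] == 3 and image in INJECTION_HOSTS:
            findings.append(("injection_host_network", image,
                             f'{ev["dest_ip"]}:{ev["dest_port"]}'))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:<26} {actor:<20} {detail}")
```

The third rule is the one that exposed the campaign described above: a Notepad process with an outbound connection has no legitimate reason to exist, so it is a high-confidence signal regardless of the destination. The first two rules are noisier (Office legitimately launches helper processes, and users do create Startup shortcuts), so in a real environment they are best correlated with the same process chain rather than alerted on individually.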

How to export Netwire data using ANY.RUN?

Analysts who want to do further work with the events from a task, or share them with colleagues for tutorials, can export them to several formats: click the "Export" button and pick the most suitable format from the drop-down menu. Export is available for research on any malware family, including Predator the Thief or Qbot.

Figure 3: Export options for Netwire malware

Conclusion

A diverse information-stealing feature set, combined with the ability to target multiple operating systems and steal data from credit cards used on an infected system, makes Netwire a highly dangerous remote access trojan.

Despite its extensive functionality, the malware is fairly accessible, "retailing" on underground forums for as little as 40 dollars in some cases. The situation is made worse by the several anti-analysis features its creators have built in to complicate research as much as possible.

However, researchers can take advantage of interactive malware analysis services such as ANY.RUN, which let the analyst influence the simulation at any point and obtain much cleaner research results.

IOCs

IP addresses
198.44.237.131
192.169.69.26
192.169.69.25
3.13.191.225
52.28.112.211
3.22.30.40
194.5.98.140
18.189.106.45
3.140.223.7
147.185.221.212
71.81.62.106
3.17.7.232
193.161.193.99
23.105.131.227
3.134.125.175
3.14.182.203
51.161.104.138
3.126.37.18
79.134.225.90
3.142.81.166
Hashes
2e2472ca9ff77b5bca5383f823f2c6c883eee37877b12982f8638b11d7fbaad8
ab50301ca528c2cee1ed6d8ea39ceed66548cc2f8418d6487573c418dbf1a824
afb9778d1dcf50fb3d261d6a6fdcc8c54292f61227dbff72a8da92d966d811dd
2fc2a1ccf2a2f7e0156f9a53d66705092579d71a546a733feb0a3d421fb9e641
b5d96ca45147cbfd601f93198aceff85cbc3c95a3acab2ff50d3b6e95220c52a
16bc7a5b3046f64260b9b5cb075d9397e35e9e553ff7b82ca0647ec8bf7a50e7
ef5cfeccbda77d4359ae561e9a56442f4d437f07d565c5d7d519614aed56e1f6
574c244bd70bb4e3d3747f4f85e907c6a2472848ec7fc39f89ab35e80113fd14
f878970abe3d4b96ec6029bd08301dd8119cb0b1e105a5330b54862bc1e71b0a
708a90c4f7fb24fd4218e156ea9063c4212a90ffa5b1237626c0912197741f01
762c6142714e0fc189c61a31b7740a7bd4be1926a3c553a5dc3a807a70bd8d0a
087d7a59cd5a14848767dd04cfa15e7bcca0318c36c5681d4ee7f57082571611
a1f353d7b9b7cb667b7b6f9352c773b8a19c6f40f78be9e4b6ab4fc50c4497ec
1a3bbf6f2abfa4dc657a51eedf5fa2d6cef29c9461520990deb36b97614eb2cf
4c7ce63cd966e72e5d94f6dc8b0f82cec35b88b1a8d24305c52a7106cdad5ad9
d6819264b5b21ac60237b3625ae895f8adbdcd46550d1c7cce869d76bf462e50
e18028ec3cc96b8ebf3da315afccbaf914bc43b2798d5c5bcbcdb618221a5a4c
78342a7096041e2d9388caea966829a8fef75ddf8041c167c94e68711b736eb3
547adc35275e668c0b99761d8d5fb721fcb689d4575b5e4236936411c3b7d6eb
954f5e5d737d2af5ee509c5661dbb95819261eb90d7131f1fde9c3c798bb5d5d
Domains
s2awscloudupdates.com
googleapis2.duckdns.org
2.tcp.ngrok.io
WindowsAuthentication324-49629.portmap.host
booking.msg.bluhotels.com
majul.com
devb0t.duckdns.org
convenant.duckdns.org
usa11.duckdns.org
ziaurus111.duckdns.org
windows108.duckdns.org
nips3.duckdns.org
germanybak.duckdns.org
de.uvlocals.com
bnet.thehookupbysteph.com
oficnea.duckdns.org
www.u5rfrtftyw45.duckdns.org
u5rfrtftyw45.duckdns.org
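As an added example (not part of the original page and not ANY.RUN's code), the script below turns part of the IOC list above into a lookup and runs it over a few constructed proxy log lines. The log format, the client addresses, the benign hostname and the extra ngrok subdomain are assumptions; the IPs and domains in the lookup sets are taken from the list above. Because several of the listed hosts sit on dynamic-DNS or tunnelling services (duckdns.org, ngrok.io, portmap.host), where an operator can rotate subdomains at will, the script also flags any host under those suffixes as a weaker lead.

```python
"""Match Netwire IOCs from this page against constructed proxy log lines
(added example, not ANY.RUN's code)."""
import re
from typing import List, Optional, Tuple

# Subset of the IP and domain IOCs listed on this page.
IOC_IPS = {"198.44.237.131", "192.169.69.26", "192.169.69.25", "3.13.191.225"}
IOC_DOMAINS = {"s2awscloudupdates.com", "googleapis2.duckdns.org",
               "2.tcp.ngrok.io", "booking.msg.bluhotels.com", "majul.com"}
# Dynamic-DNS / tunnelling services that appear in the list; any host under
# them is worth a look, since the operator controls the subdomain.
DYNDNS_SUFFIXES = (".duckdns.org", ".ngrok.io", ".portmap.host")

# Assumed log layout: "<epoch> <client-ip> <method> <host>:<port> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<status>\d+)$"
)

# Constructed log lines; client addresses, www.microsoft.com and the
# 7.tcp.ngrok.io host are made up for illustration.
SAMPLE_LOG = """\
1652000001 10.0.0.5 CONNECT googleapis2.duckdns.org:443 200
1652000002 10.0.0.7 CONNECT 192.169.69.26:443 200
1652000003 10.0.0.5 GET www.microsoft.com:80 200
1652000004 10.0.0.9 CONNECT 7.tcp.ngrok.io:443 200
1652000005 10.0.0.5 GET Majul.com.:80 200
this line is malformed and must be skipped
"""

Hit = Tuple[str, str, str]  # (client, host as logged, match kind)


def classify(host: str) -> Optional[str]:
    """Return the match kind for a host, or None if it is not of interest."""
    h = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    if h in IOC_IPS:
        return "ioc_ip"
    if h in IOC_DOMAINS:
        return "ioc_domain"
    if h.endswith(DYNDNS_SUFFIXES):
        return "dyndns_suffix"
    return None


def scan(log_text: str) -> List[Hit]:
    """Parse each log line and collect the ones whose host matches."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # tolerate malformed lines instead of aborting the scan
        kind = classify(m["host"])
        if kind is not None:
            hits.append((m["client"], m["host"], kind))
    return hits


if __name__ == "__main__":
    for client, host, kind in scan(SAMPLE_LOG):
        print(f"{kind:<14} {client:<10} {host}")
```

Treat a "dyndns_suffix" hit, and hits on addresses that belong to shared hosting or cloud providers, as leads rather than verdicts: those services are used heavily by legitimate software, so a match needs confirmation from process context (which binary made the connection, where it was dropped, what persistence it set) before it is escalated.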
