Netwire

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Type
Trojan
Origin
ex-USSR territory
First seen
1 January, 2012
Last seen
3 December, 2021
Also known as
Recam
Global rank
22
Week rank
28
Month rank
25
IOCs
4588

What is Netwire RAT?

Netwire is a remote access trojan-type malware. A RAT is malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple’s MacOS, and Linux.

Netwire malware is available for purchase on the darknet in the underground hacking communities, where attackers can buy this RAT for the price of 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for a price of 180 USD. Notably, in 2016 Netwire received an update that added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

Netwire Trojan core functionality allows this malware to take remote control of infected PCs, record keyboard strokes and mouse behavior, take screenshots, check system information, and create fake HTTP proxies.

The keylogger functionally allows Netwire to record various personal data imputed on a computer connected to the internet or a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is truly capable of inflicting serious dangers to organizations.

In some malicious campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware was also documented as being used by a group of scammers from Africa who utilized Netwire to take remote control of infected machines.

Netwire RAT creators have put in a lot of work to ensure that researchers have a hard time analyzing this malware, as many precautions are taken to complicate the research process, including techniques like multiple data encryption layers and string obfuscation. In addition, the malware uses a custom C2 binary protocol that is also encrypted, and so is the relevant data before transmission.

During one campaign, researchers have observed Netwire being distributed as “TeamViewer 10” – named so in an effort to trick victims into thinking that they have downloaded the legitimate remote assistance software. Once the execution process began, this version would drop an .EXE file and start establishing persistence right away. The malware created a Windows shortcut in the Startup menu to ensure that the Netwire trojan would always run when the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign. The malware would inject its code into the Notepad.exe, unveiling its presence since it’s not normal for the notepad to have an always active network connection. Only after decoding the data prepared for transmission to the C2, the sensitive nature of the stolen information was discovered. Unfortunately, researches did not reveal what the organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of the Netwire in a lot of detail and works like a tutorial.

process graph of the Netwire execution Figure 1: Process graph generated by ANY.RUN allows visualizing the life cycle of Netwire

a text report of a netwire analysis Figure 2: A text report generated by ANY.RUN is a great tool to share the research results

Netwire RAT execution process

Netwire isn't as exciting as some other malicious programs can be as far as malware execution goes. It makes its way into the device, mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. After that, the executable starts performing the main malicious activity such as writing itself in autorun, connecting to C2 servers, and stealing information from an infected device. Netwire also has the ability to inject into unsuspicious processes from which it can perform malicious activities.

Distribution of Netwire RAT

Netwire RAT is usually being distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state. The macros then proceed to download Netwire, allowing the malware to start the execution process.

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with events from tasks or share them with colleagues for tutorials, they can export to different formats. Just click on the "Export" button and choose the most suitable format in the drop-down menu.

Export options for netwire malware Figure 3: Export options for netwire malware

Conclusion

Diverse information stealing feature sets combined with the ability to target multiple operating systems and steal data from credit cards used in an infected system make Netwire Trojan a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some select cases. The situation is further worsened by the fact that creators of Netwire RAT have implemented several features designed to complicate the analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services, such as ANY.RUN, which allows to influence the simulation at any point and get much purer research results.

IOCs

IP addresses
3.134.125.175
194.5.98.48
193.161.193.99
18.189.106.45
3.131.207.170
192.169.69.26
3.142.81.166
91.109.182.11
3.13.191.225
79.134.225.103
3.17.7.232
79.134.225.119
3.22.30.40
192.169.69.25
91.109.176.10
194.5.97.23
3.14.182.203
184.75.221.59
194.5.98.5
79.141.168.109
Hashes
9f837bac5e79cbb41fc60e4c4439898e1269db6ba60531322531d187ef81896b
2d81d74a3b4c930ffbe472ad154acc01bc2312ded21aa30fe77bfcb20ee331f0
81d58cd2a4c65d0d40052e6c5adfe1fb3977710d6b09cc70d15549c16936f4b8
7b2046a98f7f06d33fa42e473ee16465340713c76e27dc3cdd883c42fe06ed2a
77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083
97c7b0acbb0d187d280e20cd3ac147295ea599462d57f0d56488cda19fcaf3ed
bb27152780a05c97727bc4cca7304d88a5a35119b8a64684d4ec0dc26b1b5e69
5d91391caa4520c281f6b5cab65914417fed0445d836067c7f70c77795417af6
849684689850c5c2966545101f9502544c2d69b71db493d3a6a8b30460d68e82
843c5f7a818681e3df212c80515cdce0bd56c6e178412736b8a22b15ebb35435
a34e8cdf31fe20a7b0f32b8ac1609c16ef1ad64c12a3ccfa7565074a19956bd8
aca9d80519688fa3a4778cdc1da7147d5ae01bd8452aaf6ad04620b953ccf66b
6b4401690cb0a07ee98ff3c5fc351b20c6e0a4ba7474c6ad858e5dc69a60b36f
7a43319c54992f8a04c06fa89c2dd0d67ebd3813c4ab1b47ccadebef819961ec
574b348f67921ce34f660afe2ff75d0538bd5ea203739a77479dba7f026f0476
2c512763d56b15d9fe7ee94debac42372987eb4db111e8910f5b002a90d03207
702a898f99fdcf56d29f5a9d4c54794c09880f7b000488a1f9f4c2259e520bee
9b09306cff5021ccd6df0da70b9cbc48f4266bc3a036306c71b58ef8a9a6008a
25cf559d1de914a23563ad710eb291840283e5e9963b3941e51799220cc09ea5
11084f0e466c6e14a898cd1e806dcfddc4ae3c7819a617c3d0a54490989ba559
Domains
top.intelprovidejordan.waw.pl
remcoss.onmypc.org
june247.ddns.net
sipex2021.ddns.net
poiarmex247.ddns.net
james12.ddns.net
adeboyeking.linkpc.net
adejokeking.linkpc.net
isns.net
majul.com
vcctggqm3t.dattolocal.net
analyst.spamcannibal.xyz
unknownsoft.duckdns.org
vemvemserver.duckdns.org
glorylnter.hopto.org
booking.msg.bluhotels.com
booking.msg.bluhotels.com
qxq.ddns.net
6.tcp.ngrok.io
2.tcp.ngrok.io

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More