Netwire

Netwire is a remote access trojan (RAT), a class of malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can target multiple systems, including Windows, Apple's macOS, and Linux.

  • Type
    Trojan
  • Origin
    ex-USSR territory
  • First seen
    1 January, 2012
  • Last seen
    21 November, 2019
  • Global rank
    16
  • Week rank
    13
  • Month rank
    10
  • IOCs
    1016

What is Netwire malware?

Netwire is available for purchase on the darknet in underground hacking communities, where attackers can buy this RAT for 40 to 140 USD. In addition, Netwire can be purchased on the surface web for 180 USD. Notably, in 2016 Netwire received an update that added the ability to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire

Netwire Trojan's core functionality allows this malware to take remote control of infected PCs, record keystrokes and mouse behavior, take screenshots, collect system information and create fake HTTP proxies.

The keylogger functionality allows Netwire to record a variety of personal data entered on a computer connected to the internet or to a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is capable of posing a serious danger to organizations.

In some malicious campaigns, Netwire was used to target healthcare and banking businesses. The malware has also been documented in use by a group of scammers from Africa who used Netwire to take remote control of infected machines.

Netwire's creators have put a lot of work into making the malware hard for researchers to analyze: multiple layers of data encryption and string obfuscation complicate the research process. In addition, the malware uses a custom binary C2 protocol that is itself encrypted, and the relevant data is encrypted before transmission.

During one campaign, researchers observed Netwire being distributed as “TeamViewer 10”, named so in an effort to trick victims into thinking they had downloaded the legitimate remote assistance software. Once execution began, this version would drop an .EXE file and immediately start establishing persistence. The malware created a Windows shortcut in the Startup menu to make sure that Netwire would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this campaign: the malware injected its code into Notepad.exe, which revealed its presence, since it is not normal for Notepad to hold an always-active network connection. Only after decoding the data prepared for transmission to the C2 was the sensitive nature of the stolen information discovered. Unfortunately, the researchers did not reveal which organization was targeted in this attack.

Netwire malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of Netwire in detail.

Figure 1: Process graph generated by ANY.RUN, visualizing the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN is a convenient way to share research results

Netwire execution process

As far as malware execution goes, Netwire isn't as exciting as some other malicious programs. It makes its way onto the device mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. The executable then starts performing the main malicious activity: writing itself into autorun, connecting to C2 servers and stealing information from the infected device. Netwire also has the ability to inject into unsuspicious processes, from which it can perform its malicious activities.

Distribution of Netwire

Netwire RAT is usually distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state. The macros then download Netwire, allowing the malware to start the execution process.
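The execution chain described in the last few sections (an Office document dropping an executable, a shortcut written to the Startup folder, and Notepad.exe holding an outbound connection) gives defenders three concrete telemetry checks. The script below is an added example, not ANY.RUN's code or a published detection rule: it runs those checks over constructed Sysmon-style event records, and the field names (type, image, parent_image, target, dest_ip, dest_port) are an assumed schema. It also shows the benign look-alikes a practitioner has to exclude: a user opening Notepad, explorer.exe pinning a shortcut, and loopback traffic.

```python
"""Flag the Netwire execution chain described above in process and network
telemetry.  Added example with a constructed event schema; the events below
are made-up Sysmon-style records, not output from any real system."""
import ipaddress
import ntpath

# Office hosts that, per the delivery chain above, should not be spawning .exe files.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Processes with no legitimate reason to hold an outbound network connection.
NO_NETWORK_EXPECTED = {"notepad.exe"}
# Per-user Startup folder, matched case-insensitively as a substring of the full path.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# explorer.exe writing a .lnk into Startup is how a user pins a program by hand (assumed benign).
BENIGN_STARTUP_WRITERS = {"explorer.exe"}


def _name(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the alert strings raised by one telemetry event (empty list if none)."""
    alerts = []
    kind = event["type"]
    if kind == "process_create":
        parent, child = _name(event["parent_image"]), _name(event["image"])
        if parent in OFFICE_PARENTS and child.endswith(".exe"):
            alerts.append(f"office_spawned_executable: {parent} -> {child}")
    elif kind == "file_create":
        target, writer = event["target"], _name(event["image"])
        if (STARTUP_MARKER in target.lower() and target.lower().endswith(".lnk")
                and writer not in BENIGN_STARTUP_WRITERS):
            alerts.append(f"startup_shortcut_created: {ntpath.basename(target)} by {writer}")
    elif kind == "network_connect":
        image = _name(event["image"])
        # Loopback traffic is not the always-on outbound C2 connection described above.
        if image in NO_NETWORK_EXPECTED and not ipaddress.ip_address(event["dest_ip"]).is_loopback:
            alerts.append(f"unexpected_network_process: {image} -> {event['dest_ip']}:{event['dest_port']}")
    return alerts


def scan(events):
    """Run every event through evaluate() and return all alerts in order."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry: three malicious events mirroring the chain
# described on this page, followed by three benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\victim\AppData\Local\Temp\TeamViewer 10.exe"},
    {"type": "file_create",
     "image": r"C:\Users\victim\AppData\Local\Temp\TeamViewer 10.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer 10.lnk"},
    {"type": "network_connect", "image": r"C:\Windows\System32\notepad.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},          # TEST-NET-3 address, constructed
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},          # user opens Notepad
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk"},
    {"type": "network_connect", "image": r"C:\Windows\System32\notepad.exe",
     "dest_ip": "127.0.0.1", "dest_port": 8080},            # loopback, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Each check is deliberately narrow so that it can be fed to a SIEM as a separate rule; the Notepad check in particular is the signal that exposed the "TeamViewer 10" campaign described above, and the loopback exclusion keeps it from firing on local inter-process traffic.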

How to export data from the analysis of Netwire malware using ANY.RUN?

If analysts want to do additional work with events from tasks, or just want to share them with colleagues, they can export to different formats. Just click the "Export" button and choose the most suitable format in the drop-down menu.

Figure 3: Export options for Netwire malware

Conclusion

A diverse information-stealing feature set, combined with the ability to target multiple operating systems and steal data from credit cards used on an infected system, makes Netwire a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some cases. The situation is further worsened by the fact that the creators of Netwire have implemented several features designed to complicate analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services, such as ANY.RUN, that allow them to influence the simulation at any point and get much cleaner research results.

IOCs

IP addresses
174.127.99.230
192.169.69.25
79.134.225.93
185.140.53.54
79.134.225.89
79.134.225.79
185.19.85.153
79.134.225.85
185.165.153.84
79.134.225.121
79.134.225.116
79.134.225.105
91.193.75.66
185.84.181.102
79.134.225.73
185.217.1.186
79.134.225.74
91.193.75.153
79.134.225.35
79.134.225.11
Hashes

Domains
iphanyi.ddns.net
majul.com
mstanley.ufcfan.org
fucktoto.duckdns.org
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
isns.net
homi.doomdns.org
duckdns4.duckdns.org
salesxpert.duckdns.org
ipvhosted.duckdns.org
gemalto.duckdns.org
jfcolombia001.duckdns.org
office365update.duckdns.org
kosovo.duckdns.org
codazzixtrem.duckdns.org
mrmarkangel.duckdns.org
anglekeys.duckdns.org
dephantomz.duckdns.org
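
The IP addresses and domains above are only useful once they are run against logs. The script below is an added example, not ANY.RUN's tooling: it loads the page's IOC list and matches constructed DNS and connection log lines against it. The log format (`qname=` and `dst=` fields) and the internal addresses are made up for illustration. It handles the edge cases a practitioner hits in practice: upper-cased or trailing-dot DNS names, hosts under a listed domain, and the shared dynamic-DNS parents (duckdns.org, ddns.net) that must not match on their own because they are legitimate services hosting many unrelated names.

```python
"""Match DNS and connection log lines against the Netwire IOCs listed on this
page.  Added example: the IP and domain values are the page's IOC list; the
log lines and their field layout are constructed for illustration."""
import ipaddress
import re

# IP addresses from the IOC list on this page.
NETWIRE_IPS = {
    "174.127.99.230", "192.169.69.25", "79.134.225.93", "185.140.53.54",
    "79.134.225.89", "79.134.225.79", "185.19.85.153", "79.134.225.85",
    "185.165.153.84", "79.134.225.121", "79.134.225.116", "79.134.225.105",
    "91.193.75.66", "185.84.181.102", "79.134.225.73", "185.217.1.186",
    "79.134.225.74", "91.193.75.153", "79.134.225.35", "79.134.225.11",
}
# Domains from the IOC list on this page.
NETWIRE_DOMAINS = {
    "iphanyi.ddns.net", "majul.com", "mstanley.ufcfan.org", "fucktoto.duckdns.org",
    "thuocnam.tk", "m-onetrading-jp.com", "krupskaya.com", "isns.net",
    "homi.doomdns.org", "duckdns4.duckdns.org", "salesxpert.duckdns.org",
    "ipvhosted.duckdns.org", "gemalto.duckdns.org", "jfcolombia001.duckdns.org",
    "office365update.duckdns.org", "kosovo.duckdns.org", "codazzixtrem.duckdns.org",
    "mrmarkangel.duckdns.org", "anglekeys.duckdns.org", "dephantomz.duckdns.org",
}

# Assumed, constructed log layout: "... qname=<name> ..." for DNS, "... dst=<ip>:<port> ..." for connections.
DNS_RE = re.compile(r"\bqname=(?P<qname>\S+)")
CONN_RE = re.compile(r"\bdst=(?P<dst>[0-9.]+):(?P<port>\d+)")


def domain_hit(name):
    """Return the listed domain that `name` equals or is a subdomain of, else None.

    DNS logs may carry upper-case names or a trailing dot, so normalize first.
    Walk up the label chain but stop before the bare TLD; a parent such as
    duckdns.org is a shared dynamic-DNS service and is not itself an IOC.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in NETWIRE_DOMAINS:
            return candidate
    return None


def ip_hit(addr):
    """Return the canonical form of `addr` if it is a listed IOC, else None."""
    try:
        canonical = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    return canonical if canonical in NETWIRE_IPS else None


def match_line(line):
    """Return ("domain", ioc) or ("ip", ioc) for a line that touches an IOC, else None."""
    m = DNS_RE.search(line)
    if m:
        hit = domain_hit(m.group("qname"))
        return ("domain", hit) if hit else None
    m = CONN_RE.search(line)
    if m:
        hit = ip_hit(m.group("dst"))
        return ("ip", hit) if hit else None
    return None


def scan(lines):
    """Return (line_number, kind, ioc) for every matching line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        result = match_line(line)
        if result:
            hits.append((lineno, *result))
    return hits


# Constructed sample log; timestamps and internal addresses are made up.
SAMPLE_LOG = [
    "2019-11-21T10:02:13Z dns client=10.0.0.5 qname=OFFICE365UPDATE.DUCKDNS.ORG. qtype=A",
    "2019-11-21T10:02:13Z dns client=10.0.0.5 qname=www.example.com. qtype=A",
    "2019-11-21T10:02:14Z conn src=10.0.0.5 dst=79.134.225.93:443 proto=tcp",
    "2019-11-21T10:02:15Z conn src=10.0.0.7 dst=79.134.225.1:443 proto=tcp",    # same /24, not listed
    "2019-11-21T10:03:01Z dns client=10.0.0.9 qname=duckdns.org. qtype=NS",       # parent of listed names
    "2019-11-21T10:03:02Z dns client=10.0.0.9 qname=cdn.majul.com. qtype=A",      # host under a listed name
    "2019-11-21T10:03:03Z conn src=10.0.0.9 dst=185.140.53.54:80 proto=tcp",
]

if __name__ == "__main__":
    for lineno, kind, ioc in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind} IOC {ioc}")
```

Note that the IP list is matched address by address, not by network: many of the listed addresses share the 79.134.225.0/24 range, but a neighbouring address that is not on the page (line 4 of the sample) is deliberately not reported, since widening to the prefix is an analyst's decision rather than something the IOC list supports.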
