Analysis of Netwire RAT

Beware of Neware RAT
Beware of Neware RAT

The NetWire RAT is malicious remote access trojan that emerged in the wild in 2012. This multi-platform malware was developed by World Wired Labs, and the program has since undergone several developmental upgrades. It is capable of infecting Windows, Linux, Mac OS operating systems. The malware developers have another program called PWNDROID released in mid-2020, for the Android platform. A company advertising the remote access tool frequently used by criminals and, nation-state threats may be serving as a front for Chinese hacking groups, according to new research published recently.

The PWNDROID Android malware type, which can be used to listen in on targets’ phone calls, capture audio, send and receive text messages, and track victims’ geolocation. Multiple groups with possible ties to the Chinese government, is thought to have used it, according to LMNTRIX CDC.

Recent APT attacks which leverage and drop the NetWire payload get distributed via social engineering e-mails. This Trojan (RAT) is mainly focused on password stealing and keylogging, as well as including remote control capabilities. Recently, NetWire has been distributed via Microsoft office documents and spreading their secondary payload attacks especially GuLoader campaigns.

Target OS: Windows, Linux, Mac OS

Motivation: Remote Access Tool & APT Campaigns

Threat Actors: APT33, The White Company & Silver Terrier groups potentially use the Netwire RAT.

Static Analysis

Sample: NetWire Remote Access Tool

SHA256: e4029ef5d391b9a380ed98a45f3e5a01eece6b7a1120ab17d6db0f8bb1309a47

Filetype: Portable Executable (EXE)

Common Anti-Debugging Methods Used

When the sample was loaded into Ollydbg, and we got the disassembly to start with, NetWire displayed the following error message. In addition to this error message, the malware uses NtWow64ReadVirtualMemory64 from NTDLL to query the PEB (process environment block), and a timing based check such as GetTickCount from Kernel32.DLL are used to thwart debugging.

 

Keylogger Functions

Based on the familiar CPP functions & a lot of functions being imported from MSVBVM60, MSVCRT and MSCOREE DLL files, we believe the developers may be using Microsoft VC++ and/or Delphi for NetWire RAT.

GetUserName, GetSecurityInfo, GetMonitorInfoA, GetLogonSessionData, and Key Press Events are monitored by the NetWire malware sample. A logged on user’s session data, encoded base 64 strings, key state, key press and keyboard events being monitored could hint at keylogging functionality.

After dumping the strings from our sample PE file, and decoding them with IDAPython, we can realize that the keylogger also records and sends login data from popular web browers such as Firefox, Chrome and Internet Explorer to the NetWire Admin Workstation. The NetWire keylogger module encodes the keystrokes logged after stealing credentials from the logged on user, prior to sending it to NetWire Admin Workstation. You can find a copy of the NetWire log decoder from GitHub.

Refer https://github.com/ArsenalRecon/NetWireLogDecoder

 

Payment Data Being Stolen

LMNTRIX CDC analysts discovered payment being collected for exfiltration by NetWire trojan while investigating the keylogger module further.

 

Remote Access Tool (RAT)

Netwire Developers from World Wired Labs have implemented the remote access tool functionality using a simple TCP Client-Server model with sockets.

Dynamic Analysis

Infection Chain

NetWire infects its victims using initial infection vectors of the mal-spam variety with e-mail attachment (EML). It contains a Microsoft Office (Excel) document with VBA macro enabled content. The malware tricks the user to enable the macros to perform malicious actions. Once the user enables the macro content, using Wscript file to drop a payload file in the %temp% folder, it then invokes a web-request and connects with the designated C2 server for further infection.

Sample Information

Technical Analysis of XLS

Once the user opens the attached document, there’s a fake Excel template displaying a message “Document created in earlier version of MS Excel” upon enabling the content, the victim now views the content. With the help of this malware the threat actor can trick the user to view the document, and infect them for further malicious actions.

Embedded Macro Content: Screenshot 1

Embedded Macro Content: Screenshot 2

VBA code in the screenshot (above) is obfuscated with random functions in order to hide the exact code. It’s one of the tricks used by the malware author. Macros is a programmable pattern which translates a certain sequence of input into a preset sequence of output. Macros can make tasks less repetitive automating a complicated sequence of keystrokes, mouse movements, commands, or other types of user input.

Macro-Enabled, Process Tree

Once the macros are enabled, using the Wscript shell to execute and drop the payload file in %temp% folder [ Actual, file will be BIN[.]exe].

Dropped VBS Script

Here the command is very straight forward, using the cmd[..]exe the malware connects to the malicious domain and drops the payload file in the Windows %temp% folder. The dropped vbs file gets executed in %temp% folder as well.

 

Dropped Payload file

Initial – Indicator of Compromises [IOC]

Once communicating with the malicious URL, it’s silently drops a .VBS script file in the %AppData% folder to perform further malicious actions.

 

Preventive Measures

  • Usage of anti-malware software such as antivirus or, any endpoint protection such as LMNTRIX EDR / EPP with updates.
  • Beware of e-mails from unknown contacts or, untrusted external sources.
  • Always make it a practice to scan attachments that you may find suspicious, especially when the e-mails are related to financial or delivery correspondence, documents, and URLs.
  • Use a strong password, preferably 16 to 18 characters, or more with a combination of alphabets, numbers and symbols.
  • We recommend using multi factor authentication for website login / passwords for all websites.

 

Indicators of Compromise to detect NetWire RAT

 

IP Addresses

94[[.]]237[[.]]28[[.]]110

194[[.]]5[[.]]98[[.]]48

185[[.]]183[[.]]98[[.]]166

185[[.]]222[[.]]57[[.]]164

194[[.]]5[[.]]98[[.]]188

171[[.]]22[[.]]30[[.]]21

185[[.]]140[[.]]53[[.]]252

194[[.]]147[[.]]140[[.]]4

87[[.]]66[[.]]106[[.]]20

71[[.]]81[[.]]62[[.]]106

31[[.]]41[[.]]244[[.]]150

154[[.]]118[[.]]25[[.]]216

79[[.]]134[[.]]225[[.]]28

104[[.]]168[[.]]148[[.]]85

185[[.]]140[[.]]53[[.]]61

79[[.]]134[[.]]225[[.]]10

185[[.]]140[[.]]53[[.]]183

184[[.]]75[[.]]221[[.]]171

45[[.]]137[[.]]22[[.]]101

213[[.]]152[[.]]161[[.]]133

185[.]29[.]9[.]11

 

Hashes

07336CC7355B9C4A1553A93D24EBB30A502053339E05FFB57476890D2967B6FC

2387DFD712B954C865BB4927F0628C54BF30B9A115B2383C2DFF63456885463A

F488FEAC7359DABA38B793855A5D2369404956892CA23DB7530DC04D77530490

F6226702EC3DED25EC5E0D7D1CBAAE386540E990857EC7604EC93284113B4897

0005A4FB06BB5CACCA4A89B372543A3EFFB0931AF26B0B17D8661B691B401811

E4029EF5D391B9A380ED98A45F3E5A01EECE6B7A1120AB17D6DB0F8BB1309A47

DCAC7C0A08250B164343C102EF9D863A49C44343C6CE3E0CD1197CB7E3198937

8F24221CAEF706D4502572968C0CF1317E632EBCB64157A5A1DAFBDDE7FC642C

1F8B6EBC0FBDB35C0B214652B69360C8DD78B569C9AF9C1B355DD11F277624E2

BC0A8E730EBBE66A98F6AA755671661158A982983898E45D306F79EC608250FE

50050A189F878A24B57ACEDF046ACFE5011DAE30F50A21054A75FCDA2947FF5B

459A609FFDE4325A1E55F7B9A788AB5CF978D3E07C54349B9F9E50F1E6875C89

F631EF4CE81B9A0984D44A9468DB2AE30CB37BDAD67AAEB43F53D50039D8C5AA

0CDC6A0C287876DBCFC14A93CAE8EB6FEB6938142814A9FB4E403F000D469CAB

3AFEECA8EE5FA67BF62BB84C10E02FE82032CBE034CCB4588708367FD5D66E8F

45CFB912F4CEED9DCF0EEE01F36A1C581A0E881301D73A2E1E459E48488B95BA

A21C8EF38B35EDA08AF936729863498EAD8F750DE997BC2D55FF9DA429872E33

848A8084A39B1BFA98C65B0E55BF91460B82470A3F9F5B31D7464C400A9DA355

637E17723EA88878915BA42095680EE5438C22A88A4538137B3174DD4E2E8C6A

4C01CC3DD96C524054207F6B37A334C62549857F

 

Domains

8ea1042a1912[[.]]ngrok[[.]]io

e0fb-34-121-202-111[[.]]ngrok[[.]]io

d61a2ce46962[[.]]ngrok[[.]]io

2d9076b51d13[[.]]ngrok[[.]]io

8ef628b4602c[[.]]ngrok[[.]]io

ebc79a7f69ed[[.]]ngrok[[.]]io

3a47ff971faf[[.]]ngrok[[.]]io

30fdb4c296af[[.]]ngrok[[.]]io

192913f09fa8[[.]]ngrok[[.]]io

52e0ff58833f[[.]]ngrok[[.]]io

ce47174fc1d2[[.]]ngrok[[.]]io

9ea2ac777bb9[[.]]ngrok[[.]]io

4651479e198f[[.]]ngrok[[.]]io

6856dac09e83[[.]]ngrok[[.]]io

0b1a1cdfc942[[.]]ngrok[[.]]io

c5040e5692cf[[.]]ngrok[[.]]io

e5d6f8fc0027[[.]]ngrok[[.]]io

jcole-lms[[.]]ngrok[[.]]io

877de57c5ace[[.]]ngrok[[.]]io

e5927c359c3c[[.]]ngrok[[.]]io

love82[.]duckdns[.]org

 

Registry Entry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\NetWire

HKEY_CURRENT_USER\Software\NetWire\HostId

 

MITRE ATT&CK Tactics & Techniques

IDTacticTechnique
TA0001Initial AccessT1566.001 – Spearphishing Attachment T1566.002 – Spearphishing Link
TA0002  ExecutionT1027 – Obfuscated Files or Information T1059.005 – Visual Basic T1204.002 – Malicious File
TA0003        PersistenceT1053.005 – Scheduled Task T1547.001 – Registry Run Keys / Startup Folder
TA0004Privilege EscalationT1053.005 – Scheduled Task
TA0005  Defense EvasionT1027.002 – Software Packing T1055 – Process Injection T1055.012 – Process Hollowing T1497.001 – System Checks
TA0006  Credential AccessT1003 – OS Credential Dumping T1110.001 – Password Guessing T1555.003 – Credentials from Web Browsers
TA0007DiscoveryT1016 – System Network Configuration Discovery
TA0011  C&C ServerT1071.001 – Web Protocols T1090 – Proxy T1090.002 – External Proxy
Tags: No tags

Comments are closed.