The NetWire RAT is a malicious remote access trojan that emerged in the wild in 2012. This multi-platform malware was developed by World Wired Labs, and the program has since undergone several developmental upgrades. It is capable of infecting Windows, Linux and Mac OS operating systems. The malware developers released another program, called PWNDROID, in mid-2020 for the Android platform. According to research published recently, the company advertising this remote access tool, which is frequently used by criminals and nation-state threat actors, may be serving as a front for Chinese hacking groups.
PWNDROID is an Android malware that can be used to listen in on targets' phone calls, capture audio, send and receive text messages, and track victims' geolocation. According to LMNTRIX CDC, multiple groups with possible ties to the Chinese government are thought to have used it.
Recent APT attacks that leverage and drop the NetWire payload are distributed via social-engineering e-mails. This RAT is mainly focused on password stealing and keylogging, and it also includes remote control capabilities. Recently, NetWire has been distributed via Microsoft Office documents and spread as a secondary payload, especially in GuLoader campaigns.
Target OS: Windows, Linux, Mac OS
Motivation: Remote Access Tool & APT Campaigns
Threat Actors: APT33, The White Company and Silver Terrier groups potentially use the NetWire RAT.
Sample: NetWire Remote Access Tool
Filetype: Portable Executable (EXE)
Common Anti-Debugging Methods Used
When the sample was loaded into OllyDbg and we began stepping through the disassembly, NetWire displayed the following error message. Beyond this error message, the malware uses NtWow64ReadVirtualMemory64 from NTDLL to query the PEB (process environment block), and a timing-based check using GetTickCount from Kernel32.dll is used to thwart debugging.
Based on the familiar C++ functions and the large number of functions imported from the MSVBVM60, MSVCRT and MSCOREE DLLs, we believe the developers may have used Microsoft Visual C++ and/or Delphi for the NetWire RAT.
The NetWire sample uses GetUserName, GetSecurityInfo, GetMonitorInfoA and GetLogonSessionData, and it monitors key-press events. The logged-on user's session data, base64-encoded strings, and the monitoring of key state, key presses and keyboard events hint at keylogging functionality.
After dumping the strings from the sample PE file and decoding them with IDAPython, we can see that the keylogger also records login data from popular web browsers such as Firefox, Chrome and Internet Explorer and sends it to the NetWire admin workstation. The NetWire keylogger module encodes the logged keystrokes after stealing credentials from the logged-on user, before sending them to the admin workstation. A copy of the NetWire log decoder can be found on GitHub.
Payment Data Being Stolen
LMNTRIX CDC analysts discovered payment data being collected for exfiltration by the NetWire trojan while investigating the keylogger module further.
Remote Access Tool (RAT)
NetWire's developers at World Wired Labs implemented the remote access functionality using a simple TCP client-server model with sockets.
NetWire infects its victims through an initial mal-spam vector: an e-mail attachment (EML) that contains a Microsoft Office (Excel) document with macro-enabled VBA content. The document tricks the user into enabling the macros, which then perform the malicious actions. Once the user enables the macro content, the macro uses a WScript file to drop a payload file in the %temp% folder; it then makes a web request and connects to the designated C2 server for further infection.
Technical Analysis of XLS
Once the user opens the attached document, a fake Excel template displays the message "Document created in earlier version of MS Excel"; upon enabling the content, the victim views the document's content. With this lure the threat actor tricks the user into viewing the document and infects them for further malicious actions.
Embedded Macro Content: Screenshot 1
Embedded Macro Content: Screenshot 2
The VBA code in the screenshots above is obfuscated with randomly named functions in order to hide the actual code; this is one of the tricks used by the malware author. A macro is a programmable pattern that translates a certain sequence of input into a preset sequence of output. Macros can make tasks less repetitive by automating a complicated sequence of keystrokes, mouse movements, commands or other types of user input.
Macro-Enabled Process Tree
Once the macros are enabled, the WScript shell is used to execute and drop the payload file in the %temp% folder (the actual file is BIN[.]exe).
Dropped VBS Script
Here the command is very straightforward: using cmd[.]exe, the malware connects to the malicious domain and drops the payload file in the Windows %temp% folder. The dropped VBS file is executed from the %temp% folder as well.
Dropped Payload file
Initial Indicators of Compromise [IOC]
Once it communicates with the malicious URL, it silently drops a .VBS script file in the %AppData% folder to perform further malicious actions.
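As an added example (not part of the original analysis or any LMNTRIX tooling), the following Python script runs a heuristic over constructed Sysmon-style process-creation events to flag the delivery chain described above: an Office application reaching a script host (WScript/cmd) whose command line references %temp% or %AppData%, and a binary executing from one of those folders under an Office ancestor. The event field layout, the user path and the process IDs are assumptions; BIN.exe is the dropped file name from this write-up.

```python
import re
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# User-writable staging folders the dropper writes to (%temp%, %AppData%)
STAGING = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)

# Constructed sample events (pid, ppid, image, command line); field layout assumed
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\EXCEL.EXE", "EXCEL.EXE invoice.xls"),
    (300, 200, r"C:\Windows\System32\wscript.exe",
     r"wscript.exe C:\Users\u\AppData\Local\Temp\drop.vbs"),
    (400, 300, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Users\u\AppData\Local\Temp\BIN.exe"),
    (500, 400, r"C:\Users\u\AppData\Local\Temp\BIN.exe", "BIN.exe"),
    (600, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(by_pid, pid):
    """Image basenames from pid up to the root, child first."""
    names = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        names.append(basename(image))
        pid = ppid
    return names

def find_macro_drop_chains(events):
    """Return (stage, chain) findings: 'dropper' = script host under an Office
    ancestor whose command line references %temp%/%AppData%; 'payload' = a
    non-script binary running from %temp%/%AppData% under an Office ancestor."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, _, image, cmdline in events:
        names = ancestry(by_pid, pid)
        me, ancestors = names[0], names[1:]
        if not any(a in OFFICE_APPS for a in ancestors):
            continue  # chain did not start from an Office document
        chain = " -> ".join(reversed(names))
        if me in SCRIPT_HOSTS and STAGING.search(cmdline):
            findings.append(("dropper", chain))
        elif me not in SCRIPT_HOSTS and STAGING.search(image):
            findings.append(("payload", chain))
    return findings

if __name__ == "__main__":
    for stage, chain in find_macro_drop_chains(EVENTS):
        print(f"[{stage}] {chain}")  # three findings for the constructed events
```

The notepad event shares the explorer parent but has no Office ancestor, so it is not reported; a real deployment would feed Sysmon Event ID 1 records into the same shape.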
- Use anti-malware software such as antivirus, or endpoint protection such as LMNTRIX EDR / EPP, and keep it updated.
- Be wary of e-mails from unknown contacts or untrusted external sources.
- Always scan attachments you find suspicious, especially when the e-mails relate to financial or delivery correspondence, documents and URLs.
- Use a strong password, preferably 16 to 18 characters or more, combining letters, numbers and symbols.
- We recommend using multi-factor authentication for all website logins.
Indicators of Compromise to detect NetWire RAT
MITRE ATT&CK Tactics & Techniques
| Tactic ID | Tactic | Techniques |
|---|---|---|
| TA0001 | Initial Access | T1566.001 – Spearphishing Attachment; T1566.002 – Spearphishing Link |
| TA0002 | Execution | T1027 – Obfuscated Files or Information; T1059.005 – Visual Basic; T1204.002 – Malicious File |
| TA0003 | Persistence | T1053.005 – Scheduled Task; T1547.001 – Registry Run Keys / Startup Folder |
| TA0004 | Privilege Escalation | T1053.005 – Scheduled Task |
| TA0005 | Defense Evasion | T1027.002 – Software Packing; T1055 – Process Injection; T1055.012 – Process Hollowing; T1497.001 – System Checks |
| TA0006 | Credential Access | T1003 – OS Credential Dumping; T1110.001 – Password Guessing; T1555.003 – Credentials from Web Browsers |
| TA0007 | Discovery | T1016 – System Network Configuration Discovery |
| TA0011 | C&C Server | T1071.001 – Web Protocols; T1090 – Proxy; T1090.002 – External Proxy |