Netwire Remote Access Trojan (RAT)

Overview

On 22 October, we observed an email campaign distributing the Netwire remote access trojan (RAT), also known as Recam and NetWiredRC.[1] Since 2012, threat actors and at least one advanced persistent threat (APT) group[2] have been using this publicly available, multiplatform tool in campaigns targeting a variety of systems and industries in the Middle East.

Customer Impact

Netwire’s capabilities include keylogging and credential stealing, as well as reading, writing and deleting victim data. On 23 September, Fortinet reported finding a new variant that uses anti-sandboxing and anti-debugging techniques to evade attempts at analysis. One of the checks Netwire conducts is to wait for the victim to move their mouse and produce two different cursor positions before continuing to run.[3]

Fortinet also found that among the software credentials stored on a victim’s computer, Netwire focused on stealing those for 360Chrome, , Mozilla Firefox, Mozilla SeaMonkey, Google Chrome, Comodo Dragon browser, YandexBrowser, Brave-Browser, , , and Pidgin.

Campaign Analysis

In the campaign we observed, the email spoofed a message from a trading company and claimed to contain a purchase order for October. The body sought to lure the recipient into opening the attached file by requesting that they return the invoice with a corrected number to the manager in the signature block.

All the email attachments in the campaign had the same file SHA256 hash. The attachment was a tape archive (TAR) file that was named to look like a Microsoft Excel file, and which decompressed to an EXE of the same name.
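A mail-gateway style check for the mismatch described above, a TAR archive named like a spreadsheet that holds an executable of the same name. This is an added example, not code from the report; the extension list, finding labels and the sample file name are assumptions constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Assumption: spreadsheet extensions a lure name might imitate (not from the report).
DOC_EXTS = {".xls", ".xlsx", ".xlsm"}

def is_tar(data: bytes) -> bool:
    # A tar header block carries the magic "ustar" at offset 257.
    return len(data) >= 512 and data[257:262] == b"ustar"

def base_name(path: str) -> str:
    # File name without directories or any extensions, lowercased.
    return PurePosixPath(path).name.lower().split(".")[0]

def inspect_attachment(filename: str, data: bytes) -> list:
    """Return findings for a TAR attachment posing as a spreadsheet."""
    findings = []
    if not is_tar(data):
        return findings
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    if suffixes & DOC_EXTS:
        findings.append("tar-content-with-spreadsheet-name")
    try:
        # Members are read in memory only; nothing is extracted to disk.
        with tarfile.open(fileobj=io.BytesIO(data)) as archive:
            for member in archive.getmembers():
                if not member.isfile():
                    continue
                if archive.extractfile(member).read(2) == b"MZ":  # DOS/PE header
                    findings.append("pe-member:" + member.name)
                    if base_name(member.name) == base_name(filename):
                        findings.append("pe-shares-attachment-name")
    except tarfile.TarError:
        findings.append("unreadable-tar")
    return findings

def build_sample(member_name: str, payload: bytes) -> bytes:
    # Constructed test input: an in-memory tar with one member of inert bytes.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        archive.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample("PO_October.exe", b"MZ" + b"\x00" * 62)
    print(inspect_attachment("PO_October.xlsx.tar", sample))
```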

In this campaign, as in others, Netwire took advantage of shared hosting sites for its communication and infrastructure.

Attack Chain

When we ran our sample, we saw that once the email recipient unzips the TAR file and runs the executable, it creates a new folder where it drops and launches the Netwire payload. The executable also runs a Visual Basic Script (VBS) that achieves persistence by adding itself to Windows Startup.

TLP: WHITE https://www.us-cert.gov/tlp

In our Windows 7 Professional, 32-bit environment on 24 October, the malware attempted TCP communications over atypical ports to the shared hosting sites. Our sample did not receive responses, however, and terminated its processes at this point.

[Figure: attack chain. Target Receives Spam Email, Open Attachment → Target Executes Unzipped File → EXE Creates Video Folder and Drops Netwire Payload File → EXE Runs VBS Script to Achieve Persistence → Netwire Attempts to Reach Out to C2]

Vulnerabilities & Mitigation

The campaign we observed was not large, and the nature of the lure used (the trading company) appears to imply a more targeted campaign. Nevertheless, the threat actors distributed Netwire via malspam, which can be prevented by taking the following precautions:

• Regularly train users to be aware of potential phishing efforts and how to handle them appropriately.
• Be cautious of emails from unfamiliar senders and inspect unexpected attachments before opening them.
• Always be suspicious of unexpected emails, especially regarding financial or delivery correspondence, documents, or links.
• Verify important or potentially legitimate attachments with the sender via alternative means (e.g., by phone or in person) before opening them.

Endnotes

1. https://www.bleepingcomputer.com/news/security/new-wiryjmper-dropper-hides-netwire-rat-payloads-in-plain-sight/
2. https://attack.mitre.org/software/S0198/
3. https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html


© 2019 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All other marks are the property of their respective owner(s).