{
	"id": "db5b1b18-a16c-4bd8-9bf6-118d20436e26",
	"created_at": "2026-04-06T00:15:17.790653Z",
	"updated_at": "2026-04-10T03:21:31.374182Z",
	"deleted_at": null,
	"sha1_hash": "88515eea95cbbe3d864ba113755d45bd0178032d",
	"title": "Trapping the Netwire RAT on Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63716,
	"plain_text": "Trapping the Netwire RAT on Linux\r\nBy susannah.matt@redcanary.com\r\nPublished: 2020-01-30 · Archived: 2026-04-05 23:17:15 UTC\r\nAdversaries today have a slew of remote access trojans (RATs) to choose from, ranging from .NET tools for\r\nWindows to cross-platform RATs that work across multiple operating systems, such as CrossRAT, Pupy, and\r\nNetwire. While public research abounds examining the Windows and macOS versions of Netwire, the Linux\r\nvariety is considerably less well known. Today we want to shed some extra light on Netwire for Linux.\r\nIntro to Netwire\r\nNetwire is a RAT distributed by World Wired Labs and marketed as a remote management tool. It allows remote\r\naccess to Windows, macOS, Linux, and Solaris systems, and is primarily used to transfer files and conduct system\r\nmanagement in multiple ways.\r\nOnce you go beyond the initial veneer of legitimacy, you may notice some additional features that aren’t as\r\nbenign. These include:\r\nkeylogging\r\nmasquerading network traffic with a browser user-agent string\r\ncapturing screenshots\r\naccessing credentials in web browsers.\r\nNetwire allows the people using it to pivot their traffic through proxies and listen on whatever ports they need to\r\nreceive encrypted command and control. A quick summary of the ATT\u0026CK techniques used by Netwire is listed\r\nin a table at the end of this post, with the Linux-specific ones in bold.\r\nThe notes section in the table includes links to Atomic Red Team tests, which can help you test your security\r\ncontrols with commands similar to the ones Netwire would actually use.\r\nThe Linux Specifics\r\nMost of the functionality of Netwire is the same across platforms, with some minor exceptions. The Windows\r\nRegistry doesn’t exist on non-Windows systems, so the persistence mechanisms have to change. In addition, the\r\nbinary formats differ across platforms. 
The Windows and macOS versions use Portable Executable and\r\nMach-O, respectively. For Linux and Solaris, the binaries are in Executable and Linkable Format (ELF).\r\nThe persistence mechanisms also change: on Linux, Netwire offers XDG Autostart Entries and crontabs. We’ve\r\nwaxed lyrical about crontabs before, but we haven’t explored XDG Autostart Entries in detail. These artifacts are\r\nsimilar to the Startup folder in the Windows Start Menu.\r\nhttps://redcanary.com/blog/netwire-remote-access-trojan-on-linux/\r\nPage 1 of 6\n\nOn any Unix-like system that uses a Freedesktop.org XDG-compliant desktop, you can add an autostart entry to\r\nexecute an application or script when the desktop session loads. These files usually live under the following\r\nfolders, although the locations can be changed with the XDG_CONFIG_DIRS and XDG_CONFIG_HOME\r\nenvironment variables:\r\n/etc/xdg/autostart\r\n~/.config/autostart\r\nThe Autostart Entry itself usually has the file extension .desktop. Its contents will look something like this:\r\n[Desktop Entry]\r\nType=Application\r\nExec=/home/user/.config/dbus-notifier/dbus-inotifier\r\nName=system service d-bus notifier\r\nNetwire isn’t the only tool that uses this persistence mechanism: it has also been used by Fysbis, Pupy, jRAT, and\r\nCrossRAT. In the case of Netwire, operators can specify the name of the Autostart Entry and make it masquerade as\r\nsomething like a Linux system process if desired.\r\nInto the Lab!\r\nWe ran across this Netwire sample on VirusTotal, with all of the other malware in the world.\r\nWe decided to download it and throw it into the test lab. At the bottom of the page we’ll include a link to the\r\nsample we used for analysis.\r\nAfter executing the sample, we noticed that it copied itself to a hidden folder and relaunched from there. 
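Both the hidden-folder copy just observed and the XDG Autostart entries described above can be hunted for on disk. The script below is an added example written for this page, not code from the original post or from Red Canary: it resolves the autostart directories from XDG_CONFIG_HOME and XDG_CONFIG_DIRS, parses each .desktop entry, and flags an Exec= target that sits under a hidden directory, under the user's home, or that is no longer on disk. Those three heuristics are this example's own choice, the function names are hypothetical, and the sample tree it builds in a temporary directory is constructed for the demonstration (modelled on the masquerading entry quoted above).

```python
import os
import shlex
import tempfile

# Directories the XDG Autostart spec searches, honouring the environment
# overrides mentioned above (XDG_CONFIG_HOME, XDG_CONFIG_DIRS) and falling
# back to ~/.config/autostart and /etc/xdg/autostart.
def autostart_dirs(env):
    home = env.get('HOME', '')
    config_home = env.get('XDG_CONFIG_HOME') or os.path.join(home, '.config')
    config_dirs = env.get('XDG_CONFIG_DIRS') or '/etc/xdg'
    dirs = [os.path.join(config_home, 'autostart')]
    dirs += [os.path.join(d, 'autostart') for d in config_dirs.split(':') if d]
    return dirs

# Minimal parser for the [Desktop Entry] group of a .desktop file.
def parse_desktop_entry(path):
    entry = {}
    in_group = False
    with open(path, 'r', errors='replace') as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            if line.startswith('['):
                in_group = line == '[Desktop Entry]'
                continue
            if in_group and '=' in line:
                key, value = line.split('=', 1)
                entry[key.strip()] = value.strip()
    return entry

# Heuristics (this example's own choice) for an Exec= target that looks like
# RAT persistence rather than packaged software: a hidden directory in its
# path, a location under the user's home, or a binary that is no longer on
# disk (an orphaned entry is itself worth a look).
def judge_program(program, home):
    reasons = []
    parts = [p for p in program.split('/') if p]
    if any(p.startswith('.') for p in parts[:-1]):
        reasons.append('hidden-dir')
    if home and program.startswith(home.rstrip('/') + '/'):
        reasons.append('under-home')
    if program.startswith('/') and not os.path.exists(program):
        reasons.append('missing-on-disk')
    return reasons

# Walk every autostart directory and return one finding per Application entry.
def scan_autostart(env):
    findings = []
    for d in autostart_dirs(env):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith('.desktop'):
                continue
            path = os.path.join(d, name)
            entry = parse_desktop_entry(path)
            if entry.get('Type', 'Application') != 'Application':
                continue
            argv = shlex.split(entry.get('Exec', ''))   # first token is the program
            program = argv[0] if argv else ''
            findings.append({
                'file': path,
                'name': entry.get('Name', ''),
                'program': program,
                'reasons': judge_program(program, env.get('HOME', '')),
            })
    return findings

# Constructed sample tree for the demonstration: a packaged-looking entry that
# points at /bin/sh, and one modelled on the masquerading entry quoted above,
# whose payload lives in a hidden folder under the user's home.
def build_sample_tree():
    root = tempfile.mkdtemp(prefix='xdg-demo-')
    home = os.path.join(root, 'home', 'user')
    autostart = os.path.join(home, '.config', 'autostart')
    payload_dir = os.path.join(home, '.config', 'dbus-notifier')
    os.makedirs(autostart)
    os.makedirs(payload_dir)
    payload = os.path.join(payload_dir, 'dbus-inotifier')
    with open(payload, 'w') as fh:
        fh.write('#!/bin/sh')   # stand-in for the dropped RAT binary
    os.chmod(payload, 0o755)
    with open(os.path.join(autostart, 'dbus-notifier.desktop'), 'w') as fh:
        fh.write('''[Desktop Entry]
Type=Application
Exec=%s
Name=system service d-bus notifier
''' % payload)
    with open(os.path.join(autostart, 'updater.desktop'), 'w') as fh:
        fh.write('''[Desktop Entry]
Type=Application
Exec=/bin/sh -c true
Name=Packaged updater
''')
    # Point the system-wide directory somewhere empty so the demo is self-contained.
    return {'HOME': home, 'XDG_CONFIG_DIRS': os.path.join(root, 'etc', 'xdg')}

if __name__ == '__main__':
    for finding in scan_autostart(build_sample_tree()):
        print(finding['file'], finding['program'], ','.join(finding['reasons']) or 'ok')
```

Run it directly to print one line per entry; on a real host call scan_autostart(os.environ) and treat any entry with a non-empty reasons list as a lead. Legitimate software occasionally installs into ~/.local or ~/.config, so under-home on its own is a prompt to look at the binary, not a verdict, whereas an Exec= target in a hidden folder with a system-sounding Name= is exactly the pattern the sample above produced.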
Copying itself to a hidden folder and relaunching from there is a good first step toward hiding from casual\r\nobservation on disk.\r\nThis functionality corresponds to a configuration by the operator to install a copy of the RAT to a local folder for\r\nlonger-term residence.\r\nNext, additional telemetry shows the creation of Netwire’s .desktop persistence mechanism and the creation of\r\ntwo additional files.\r\nThe file /tmp/.rOuYXzdOF was most likely used as a mutex, ensuring only one copy of Netwire could run at a\r\ntime. Next, .default.conf was a configuration file storing the data Netwire needs to communicate with its\r\ncommand and control; on the Windows side, this is usually stored in the Registry. Finally, network connections\r\nwere established for control by an adversary.\r\nAttributing to Netwire\r\nWe worked with this sample from VirusTotal.\r\nFor attribution to Netwire, we relied on a few data points. First, we took note of the antivirus detection rate and\r\nclassification in VT. Next, we leaned on Patrick Wardle’s analysis of a Netwire variant for macOS. In that post, he\r\nprovided several strings of interest extracted from the macOS Netwire sample. When we compared these\r\nstrings against the Linux variant, we found 14 common strings that correspond to a user-agent string, network\r\nconfiguration discovery, and a rather unique string that may correspond to a session ID or password. 
The strings\r\nthat matched are below:\r\n/bin/bash\r\n/bin/sh\r\n/tmp/.%s\r\nAccept-Language: en-US,en;q=0.8\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nCONNECT %s:%d HTTP/1.0\r\nCurrent IP Address:\r\nGET / HTTP/1.1\r\nHost: %s:%d\r\nHost: checkip.dyndns.org\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko\r\ncheckip.dyndns.org\r\nexit\r\nhyd7u5jdi8\r\nNote that the /tmp/.%s format string accounts for the /tmp/.rOuYXzdOF file created during execution, and that the\r\ncheckip.dyndns.org strings correspond to the network configuration discovery (external IP lookup) mentioned above.\r\nFinally, we matched up the remaining strings with the functionality of Netwire described in a user manual\r\navailable online. The release notes for a newer version of Netwire mentioned crontab support for persistence, and\r\nwe observed a string indicating the agent might run a crontab -l command, although none was observed during\r\nexecution earlier. We also observed strings indicating the use of HTTP and SOCKS proxy functions that are\r\ndescribed in the Netwire manual. We assert with high confidence that this sample is a Netwire variant and is\r\nrepresentative of a newer version.\r\nBringing a lesser-known variant of malware to the public is always fun, and hopefully the details shared here will\r\nhelp prevent or detect RATs in your environment!\r\nSource: https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/"
	],
	"report_names": [
		"netwire-remote-access-trojan-on-linux"
	],
	"threat_actors": [],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88515eea95cbbe3d864ba113755d45bd0178032d.pdf",
		"text": "https://archive.orkl.eu/88515eea95cbbe3d864ba113755d45bd0178032d.txt",
		"img": "https://archive.orkl.eu/88515eea95cbbe3d864ba113755d45bd0178032d.jpg"
	}
}