# Analysis of Netwire RAT **lmntrix.com/lab/analysis-of-netwire-rat/** The NetWire RAT is malicious remote access trojan that emerged in the wild in 2012. This multi-platform malware was developed by World Wired Labs, and the program has since undergone several developmental upgrades. It is capable of infecting Windows, Linux, Mac OS operating systems. The malware developers have another program called PWNDROID released in mid-2020, for the Android platform. A company advertising the remote access tool frequently used by criminals and, nation-state threats may be serving as a front for Chinese hacking groups, according to new research published recently. The PWNDROID Android malware type, which can be used to listen in on targets’ phone calls, capture audio, send and receive text messages, and track victims’ geolocation. Multiple groups with possible ties to the Chinese government, is thought to have used it, according to LMNTRIX CDC. Recent APT attacks which leverage and drop the NetWire payload get distributed via social engineering e-mails. This Trojan (RAT) is mainly focused on password stealing and keylogging, as well as including remote control capabilities. Recently, NetWire has been distributed via Microsoft office documents and spreading their secondary payload attacks especially GuLoader campaigns. Target OS: Windows, Linux, Mac OS Motivation: Remote Access Tool & APT Campaigns Threat Actors: APT33, The White Company & Silver Terrier groups potentially use the Netwire RAT. ## Static Analysis Sample: NetWire Remote Access Tool SHA256: e4029ef5d391b9a380ed98a45f3e5a01eece6b7a1120ab17d6db0f8bb1309a47 Filetype: Portable Executable (EXE) **Common Anti-Debugging Methods Used** When the sample was loaded into Ollydbg, and we got the disassembly to start with, NetWire displayed the following error message. In addition to this error message, the malware uses NtWow64ReadVirtualMemory64 from NTDLL to query the PEB (process environment block), ----- and a timing based check such as GetTickCount from Kernel32.DLL are used to thwart debugging. **Keylogger Functions** Based on the familiar CPP functions & a lot of functions being imported from MSVBVM60, MSVCRT and MSCOREE DLL files, we believe the developers may be using Microsoft VC++ and/or Delphi for NetWire RAT. ----- GetUserName, GetSecurityInfo, GetMonitorInfoA, GetLogonSessionData, and Key Press Events are monitored by the NetWire malware sample. A logged on user’s session data, encoded base 64 strings, key state, key press and keyboard events being monitored could hint at keylogging functionality. ----- After dumping the strings from our sample PE file, and decoding them with IDAPython, we can realize that the keylogger also records and sends login data from popular web browers such as Firefox, Chrome and Internet Explorer to the NetWire Admin Workstation. The NetWire keylogger module encodes the keystrokes logged after stealing credentials from the logged on user, prior to sending it to NetWire Admin Workstation. You can find a copy of the NetWire log decoder from GitHub. Refer [https://github.com/ArsenalRecon/NetWireLogDecoder](https://github.com/ArsenalRecon/NetWireLogDecoder) **Payment Data Being Stolen** ----- LMNTRIX CDC analysts discovered payment being collected for exfiltration by NetWire trojan while investigating the keylogger module further. **Remote Access Tool (RAT)** ----- Netwire Developers from World Wired Labs have implemented the remote access tool functionality using a simple TCP Client-Server model with sockets. ## Dynamic Analysis **Infection Chain** ----- NetWire infects its victims using initial infection vectors of the mal-spam variety with e-mail attachment (EML). It contains a Microsoft Office (Excel) document with VBA macro enabled content. The malware tricks the user to enable the macros to perform malicious actions. Once the user enables the macro content, using Wscript file to drop a payload file in the %temp% folder, it then invokes a web-request and connects with the designated C2 server for further infection. **Sample Information** **Technical Analysis of XLS** ----- Once the user opens the attached document, there s a fake Excel template displaying a message “Document created in earlier version of MS Excel” upon enabling the content, the victim now views the content. With the help of this malware the threat actor can trick the user to view the document, and infect them for further malicious actions. **Embedded Macro Content: Screenshot 1** **Embedded Macro Content: Screenshot 2** ----- VBA code in the screenshot (above) is obfuscated with random functions in order to hide the exact code. It’s one of the tricks used by the malware author. Macros is a programmable pattern which translates a certain sequence of input into a preset sequence of output. Macros can make tasks less repetitive automating a complicated sequence of keystrokes, mouse movements, commands, or other types of user input. **Macro-Enabled, Process Tree** Once the macros are enabled, using the Wscript shell to execute and drop the payload file in %temp% folder [ Actual, file will be BIN[.]exe]. **Dropped VBS Script** ----- Here the command is very straight forward, using the cmd[..]exe the malware connects to the malicious domain and drops the payload file in the Windows %temp% folder. The dropped vbs file gets executed in %temp% folder as well. **Dropped Payload file** **Initial – Indicator of Compromises [IOC]** Once communicating with the malicious URL, it’s silently drops a .VBS script file in the %AppData% folder to perform further malicious actions. ## Preventive Measures Usage of anti-malware software such as antivirus or, any endpoint protection such as LMNTRIX EDR / EPP with updates. Beware of e-mails from unknown contacts or, untrusted external sources. ----- Always make it a practice to scan attachments that you may find suspicious, especially when the e-mails are related to financial or delivery correspondence, documents, and URLs. Use a strong password, preferably 16 to 18 characters, or more with a combination of alphabets, numbers and symbols. We recommend using multi factor authentication for website login / passwords for all websites. ## Indicators of Compromise to detect NetWire RAT IP Addresses 94[[.]]237[[.]]28[[.]]110 194[[.]]5[[.]]98[[.]]48 185[[.]]183[[.]]98[[.]]166 185[[.]]222[[.]]57[[.]]164 194[[.]]5[[.]]98[[.]]188 171[[.]]22[[.]]30[[.]]21 185[[.]]140[[.]]53[[.]]252 194[[.]]147[[.]]140[[.]]4 87[[.]]66[[.]]106[[.]]20 71[[.]]81[[.]]62[[.]]106 31[[.]]41[[.]]244[[.]]150 154[[.]]118[[.]]25[[.]]216 79[[.]]134[[.]]225[[.]]28 104[[.]]168[[.]]148[[.]]85 185[[.]]140[[.]]53[[.]]61 79[[.]]134[[.]]225[[.]]10 185[[.]]140[[.]]53[[.]]183 184[[.]]75[[.]]221[[.]]171 ----- 45[[.]]137[[.]]22[[.]]101 213[[.]]152[[.]]161[[.]]133 185[.]29[.]9[.]11 Hashes 07336CC7355B9C4A1553A93D24EBB30A502053339E05FFB57476890D2967B6FC 2387DFD712B954C865BB4927F0628C54BF30B9A115B2383C2DFF63456885463A F488FEAC7359DABA38B793855A5D2369404956892CA23DB7530DC04D77530490 F6226702EC3DED25EC5E0D7D1CBAAE386540E990857EC7604EC93284113B4897 0005A4FB06BB5CACCA4A89B372543A3EFFB0931AF26B0B17D8661B691B401811 E4029EF5D391B9A380ED98A45F3E5A01EECE6B7A1120AB17D6DB0F8BB1309A47 DCAC7C0A08250B164343C102EF9D863A49C44343C6CE3E0CD1197CB7E3198937 8F24221CAEF706D4502572968C0CF1317E632EBCB64157A5A1DAFBDDE7FC642C 1F8B6EBC0FBDB35C0B214652B69360C8DD78B569C9AF9C1B355DD11F277624E2 BC0A8E730EBBE66A98F6AA755671661158A982983898E45D306F79EC608250FE 50050A189F878A24B57ACEDF046ACFE5011DAE30F50A21054A75FCDA2947FF5B 459A609FFDE4325A1E55F7B9A788AB5CF978D3E07C54349B9F9E50F1E6875C89 F631EF4CE81B9A0984D44A9468DB2AE30CB37BDAD67AAEB43F53D50039D8C5AA 0CDC6A0C287876DBCFC14A93CAE8EB6FEB6938142814A9FB4E403F000D469CAB 3AFEECA8EE5FA67BF62BB84C10E02FE82032CBE034CCB4588708367FD5D66E8F 45CFB912F4CEED9DCF0EEE01F36A1C581A0E881301D73A2E1E459E48488B95BA A21C8EF38B35EDA08AF936729863498EAD8F750DE997BC2D55FF9DA429872E33 848A8084A39B1BFA98C65B0E55BF91460B82470A3F9F5B31D7464C400A9DA355 637E17723EA88878915BA42095680EE5438C22A88A4538137B3174DD4E2E8C6A 4C01CC3DD96C524054207F6B37A334C62549857F Domains ----- 8ea1042a1912[[.]]ngrok[[.]]io e0fb-34-121-202-111[[.]]ngrok[[.]]io d61a2ce46962[[.]]ngrok[[.]]io 2d9076b51d13[[.]]ngrok[[.]]io 8ef628b4602c[[.]]ngrok[[.]]io ebc79a7f69ed[[.]]ngrok[[.]]io 3a47ff971faf[[.]]ngrok[[.]]io 30fdb4c296af[[.]]ngrok[[.]]io 192913f09fa8[[.]]ngrok[[.]]io 52e0ff58833f[[.]]ngrok[[.]]io ce47174fc1d2[[.]]ngrok[[.]]io 9ea2ac777bb9[[.]]ngrok[[.]]io 4651479e198f[[.]]ngrok[[.]]io 6856dac09e83[[.]]ngrok[[.]]io 0b1a1cdfc942[[.]]ngrok[[.]]io c5040e5692cf[[.]]ngrok[[.]]io e5d6f8fc0027[[.]]ngrok[[.]]io jcole-lms[[.]]ngrok[[.]]io 877de57c5ace[[.]]ngrok[[.]]io e5927c359c3c[[.]]ngrok[[.]]io love82[.]duckdns[.]org Registry Entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\NetWire HKEY CURRENT USER\Software\NetWire\HostId ----- ## MITRE ATT&CK Tactics & Techniques ID Tactic Technique TA0001 Initial Access T1566.001 – Spearphishing Attachment T1566.002 – Spearphishing Link TA0002 Execution T1027 – Obfuscated Files or Information T1059.005 – Visual Basic T1204.002 – Malicious File TA0003 Persistence TA0004 Privilege Escalation TA0005 Defense Evasion TA0006 Credential Access T1053.005 – Scheduled Task T1547.001 – Registry Run Keys / Startup Folder T1053.005 – Scheduled Task T1027.002 – Software Packing T1055 – Process Injection T1055.012 – Process Hollowing T1497.001 – System Checks T1003 – OS Credential Dumping T1110.001 – Password Guessing T1555.003 – Credentials from Web Browsers TA0007 Discovery T1016 – System Network Configuration Discovery TA0011 C&C Server T1071.001 – Web Protocols T1090 – Proxy T1090.002 – External Proxy -----