{
	"id": "86889508-8460-44d3-82ea-00e198bf1976",
	"created_at": "2026-04-06T03:36:56.902855Z",
	"updated_at": "2026-04-10T03:36:48.282243Z",
	"deleted_at": null,
	"sha1_hash": "fd4788e38ca40d87eda3dd1e36f021076f22fe80",
	"title": "Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1128941,
	"plain_text": "Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing | Mandiant\r\nBy Mandiant\r\nPublished: 2019-03-15 · Archived: 2026-04-06 03:34:22 UTC\r\nWritten by: Sumith Maniath, Prashanth Krushna Kadam\r\nIntroduction\r\nMalware authors attempt to evade detection by executing their payload without having to write the executable file on the disk. One of the most commonly seen techniques of this \"fileless\" execution is code injection. Rather than executing the malware directly, attackers inject the malware code into the memory of another process that is already running.\r\nDue to its presence on all Windows 7 and later machines and the sheer number of supported features, PowerShell has been a favorite tool of attackers for some time. FireEye has published multiple reports where PowerShell was used during initial malware delivery or during post-exploitation activities. Attackers have abused PowerShell to easily interact with other Windows components to perform their activities with stealth and speed.\r\nThis blog post explores a recent phishing campaign observed in February 2019, where an attacker targeted multiple customers and successfully executed their payload without having to write the executable dropper or the payload to the disk. The campaign involved the use of VBScript, PowerShell and the .NET framework to perform a code injection attack using a process hollowing technique. The attacker abused the functionality of loading a .NET assembly directly into the memory of PowerShell to execute malicious code without creating any PE files on the disk.\r\nActivity Summary\r\nThe user is prompted to open a document stored on Google Drive. The name of the file, shown in Figure 1, suggests that the actor was targeting members of the airline industry that use a particular aircraft model. We have observed an increasing number of attackers relying on cloud-based file storage services that bypass firewall restrictions to host their payload.\r\nhttps://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing\r\nPage 1 of 10\r\nFigure 1: Malicious script hosted on Google Drive\r\nAs seen in Figure 2, attempting to open the script raises an alert from Internet Explorer saying that the publisher could not be verified. In our experience, many users will choose to ignore the warning and open the document.\r\nFigure 2: Alert raised by Internet Explorer\r\nUpon execution, after multiple levels of obfuscation, a PowerShell script is executed that loads a .NET assembly from a remote URL, functions of which are then used to inject the final payload (NETWIRE Trojan) into a benign Microsoft executable using process hollowing. This can potentially bypass application whitelisting since all processes spawned during the attack are legitimate Microsoft executables.\r\nTechnical Details\r\nThe initial document contains VBScript code. When the user opens it, Wscript is spawned by iexplore to execute this file. The script uses multiple layers of obfuscation to bypass static scanners, and ultimately runs a PowerShell script for executing the binary payload.\r\nObfuscation techniques used during different levels of script execution are shown in Figure 3 and Figure 4.\r\nFigure 3: Type 1 obfuscation technique, which uses log functions to resolve a wide character\r\nFigure 4: Type 2 obfuscation technique, which uses split and replace operations\r\nThis script then downloads and executes another encoded .vbs script from a paste.ee URL, as seen in Figure 5. Paste.ee is a less regulated alternative to Pastebin and we have seen multiple attacks using this service to host the payload. Since the website uses TLS, most firewall solutions cannot detect the malicious content being downloaded over the network.\r\nFigure 5: Downloading the second-stage script and creating a scheduled task\r\nThe script achieves persistence by copying itself to Appdata/Roaming and using schtasks.exe to create a scheduled task that runs the VBScript every 15 minutes.\r\nAfter further de-obfuscation of the downloaded second-stage VBScript, we obtain the PowerShell script that is executed through a shell object, as shown in Figure 6.\r\nFigure 6: De-obfuscated PowerShell script\r\nThe PowerShell script downloads two Base64-encoded payloads from paste.ee that contain binary executable files. The strings are stored as PowerShell script variables and no files are created on disk.\r\nMicrosoft has provided multiple ways of interacting with the .NET framework in PowerShell to enhance it through custom-developed features. These .NET integrations with PowerShell are particularly attractive to attackers due to the limited visibility that traditional security monitoring tools have around the runtime behaviors of .NET processes. For this reason, exploit frameworks such as CobaltStrike and Metasploit have options to generate their implants in .NET assembly code.\r\nHere, the attackers have used the Load method from the System.Reflection.Assembly .NET Framework class. After the assembly is loaded as an instance of System.Reflection.Assembly, the members can be accessed through that object similarly to C#, as shown in Figure 7.\r\nFigure 7: Formatted PowerShell code\r\nThe code identifies the installed version of .NET and uses it later to dynamically resolve the path to the .NET installation folder. The decoded dropper assembly is passed as an argument to the Load method. The resulting class instance is stored as a variable.\r\nThe objects of the dropper are accessed through this variable and method R is invoked. Method R of the .NET dropper is responsible for executing the final payload.\r\nThe following are the parameters for method R:\r\nPath to InstallUtil.exe (or other .NET framework tools)\r\nDecoded NETWIRE trojan\r\nWhen we observed the list of processes spawned during the attack (Figure 8), we did not see the payload spawned as a separate process.\r\nFigure 8: Processes spawned during attack\r\nWe observed that the InstallUtil.exe process was being created in suspended mode. Once it started execution, we compared its memory artifacts to a benign execution of InstallUtil.exe and concluded that the malicious payload is being injected into the memory of the newly spawned InstallUtil.exe process. We also observed that no arguments are passed to InstallUtil, which would cause an error under normal execution since InstallUtil always expects at least one argument.\r\nFrom a detection evasion perspective, the attacker has chosen an interesting approach. Even if the PowerShell process creation is detected, InstallUtil.exe is executed from its original path. Furthermore, InstallUtil.exe is a benign file often used by internal automations. To an unsuspecting system administrator, this might not seem malicious.\r\nWhen we disassembled the .NET code and removed the obfuscation to understand how code injection was performed, we were able to identify Windows win32 API calls associated with process hollowing (Figure 9).\r\nFigure 9: Windows APIs used in .NET dropper for process hollowing\r\nAfter reversing and modifying the code of the C# dropper to invoke R from main, we were able to confirm that when the method R is invoked, InstallUtil.exe is spawned in suspended mode. The memory blocks of the suspended process are unmapped and rewritten with the sections of the payload program passed as an argument to method R. The thread is allowed to continue after changes have been made to the entry point. When the process hollowing is complete, the parent PowerShell process is terminated.\r\nHigh-Level Analysis of the Payload\r\nThe final payload was identified by FireEye Intelligence as a NETWIRE backdoor. The backdoor receives commands from a command and control (C2) server, performs reconnaissance that includes the collection of user data, and returns the information to the C2 server.\r\nCapabilities of the NETWIRE backdoor include key logging, reverse shell, and password theft. The backdoor uses a custom encryption algorithm to encrypt data and then writes it to a file created in the ./LOGS directory.\r\nThe malware also contains a custom obfuscation algorithm to hide registry keys, APIs, DLL names, and other strings from static analysis. Figure 10 provides the decompiled version of the custom decoding algorithm used on these strings.\r\nFigure 10: Decompiled string decoding algorithm\r\nFrom reversing and analyzing the behavior of the malware, we were able to identify the following capabilities:\r\nRecord mouse and keyboard events\r\nCapture session logon details\r\nCapture system details\r\nTake screenshots\r\nMonitor CPU usage\r\nCreate fake HTTP proxy\r\nFrom the list of decoded strings, we were able to identify other features of this sample:\r\nStealing data from an email client:\r\n“POP3”\r\n“IMAP”\r\n“SMTP”\r\n“HTTP”\r\n“Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows Messaging Subsystem\\\\Profiles\\\\Outlook\\\\”\r\n“Software\\\\Microsoft\\\\Office\\\\15.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\”\r\n“Software\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\”\r\nStealing login details from browsers:\r\n“\\Google\\Chrome\\User Data\\Default\\Login Data”\r\n“\\Chromium\\User Data\\Default\\Login Data”\r\n“\\Comodo\\Dragon\\User Data\\Default\\Login Data”\r\n“\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data”\r\n“\\Opera Software\\Opera Stable\\Login Data”\r\n“Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2”\r\n“vaultcli.dll: VaultOpenVault,VaultCloseVault,VaultEnumerateItem,VaultGetItem,VaultFree”\r\n“select * from moz_login”\r\nA complete report on the NETWIRE backdoor family is available to customers who subscribe to the FireEye Intelligence portal.\r\nIndicators of Compromise\r\nHost-based indicators:\r\ndac4ed7c1c56de7d74eb238c566637aa Initial attack vector .vbs file\r\nNetwork-based indicators:\r\n178.239.21[.]62:1919\r\nkingshakes[.]linkpc[.]net\r\n105.112.35[.]72:3575\r\nhomi[.]myddns[.]rocks\r\nC2 domains of NETWIRE Trojan\r\nFireEye Detection\r\nFireEye detection names for the indicators in the attack:\r\nEndpoint Security\r\nExploit Guard: Blocks execution of wscript\r\nIOC: POWERSHELL DOWNLOADER D (METHODOLOGY)\r\nAV: Trojan.Agent.DRAI\r\nNetwork Security\r\nBackdoor.Androm\r\nEmail Security\r\nMalicious.URL\r\nMalware.Binary.vbs\r\nConclusion\r\nMalware authors continue to use different \"fileless\" process execution techniques to reduce the number of indicators on an endpoint. The lack of visibility into .NET process execution combined with the flexibility of PowerShell makes this technique all the more effective.\r\nFireEye Endpoint Security and the FireEye Network Security detect and block this attack at several stages of the attack chain.\r\nAcknowledgement\r\nWe would like to thank Frederick House, Arvind Gowda, Nart Villeneuve and Nick Carr for their valuable feedback.\r\nSource: https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing"
	],
	"report_names": [
		"dissecting-netwire-phishing-campaigns-usage-process-hollowing"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446616,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd4788e38ca40d87eda3dd1e36f021076f22fe80.pdf",
		"text": "https://archive.orkl.eu/fd4788e38ca40d87eda3dd1e36f021076f22fe80.txt",
		"img": "https://archive.orkl.eu/fd4788e38ca40d87eda3dd1e36f021076f22fe80.jpg"
	}
}