Actor(s): APT33
URLhausNetwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.
Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:
for i in range(0,num_read):
buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/ |
https://www.circl.lu/pub/tr-23/ |
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html |
http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html |
https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data |
https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/ |
rule win_netwire_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2018-11-23"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator 0.1a"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
malpedia_version = "20180607"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using yara-signator.
* The code and documentation / approach will be published in the near future here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 88460c 8b4314 c1e808 88460d }
// n = 4, score = 6000
// 88460c | mov byte ptr [esi + 0xc], al
// 8b4314 | mov eax, dword ptr [ebx + 0x14]
// c1e808 | shr eax, 8
// 88460d | mov byte ptr [esi + 0xd], al
$sequence_1 = { 88460b 8b4314 88460c 8b4314 }
// n = 4, score = 6000
// 88460b | mov byte ptr [esi + 0xb], al
// 8b4314 | mov eax, dword ptr [ebx + 0x14]
// 88460c | mov byte ptr [esi + 0xc], al
// 8b4314 | mov eax, dword ptr [ebx + 0x14]
$sequence_2 = { 88460d 0fb74316 88460e 0fb64317 }
// n = 4, score = 6000
// 88460d | mov byte ptr [esi + 0xd], al
// 0fb74316 | movzx eax, word ptr [ebx + 0x16]
// 88460e | mov byte ptr [esi + 0xe], al
// 0fb64317 | movzx eax, byte ptr [ebx + 0x17]
$sequence_3 = { c744240c00000000 c744240800000000 c744240400000000 c7042410000000 }
// n = 4, score = 6000
// c744240c00000000 | mov dword ptr [esp + 0xc], 0
// c744240800000000 | mov dword ptr [esp + 8], 0
// c744240400000000 | mov dword ptr [esp + 4], 0
// c7042410000000 | mov dword ptr [esp], 0x10
$sequence_4 = { 8b911c020000 89442410 89542414 0fb68128020000 }
// n = 4, score = 6000
// 8b911c020000 | mov edx, dword ptr [ecx + 0x21c]
// 89442410 | mov dword ptr [esp + 0x10], eax
// 89542414 | mov dword ptr [esp + 0x14], edx
// 0fb68128020000 | movzx eax, byte ptr [ecx + 0x228]
$sequence_5 = { 0fb74316 88460e 0fb64317 88460f }
// n = 4, score = 6000
// 0fb74316 | movzx eax, word ptr [ebx + 0x16]
// 88460e | mov byte ptr [esi + 0xe], al
// 0fb64317 | movzx eax, byte ptr [ebx + 0x17]
// 88460f | mov byte ptr [esi + 0xf], al
$sequence_6 = { 7412 83fa03 7421 4a }
// n = 4, score = 6000
// 7412 | je 0x40da44
// 83fa03 | cmp edx, 3
// 7421 | je 0x40da58
// 4a | dec edx
$sequence_7 = { 884602 0fb6430b 884603 8b430c }
// n = 4, score = 6000
// 884602 | mov byte ptr [esi + 2], al
// 0fb6430b | movzx eax, byte ptr [ebx + 0xb]
// 884603 | mov byte ptr [esi + 3], al
// 8b430c | mov eax, dword ptr [ebx + 0xc]
$sequence_8 = { c7430c00000000 c7431000000000 c7431400000000 c70300000000 }
// n = 4, score = 6000
// c7430c00000000 | mov dword ptr [ebx + 0xc], 0
// c7431000000000 | mov dword ptr [ebx + 0x10], 0
// c7431400000000 | mov dword ptr [ebx + 0x14], 0
// c70300000000 | mov dword ptr [ebx], 0
$sequence_9 = { 8974240c c744240801000000 c744240407000000 891c24 }
// n = 4, score = 6000
// 8974240c | mov dword ptr [esp + 0xc], esi
// c744240801000000 | mov dword ptr [esp + 8], 1
// c744240407000000 | mov dword ptr [esp + 4], 7
// 891c24 | mov dword ptr [esp], ebx
condition:
7 of them
}
rule win_netwire_w0 {
meta:
description = "NetWiredRC"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2014-12-23"
filetype = "memory"
version = "1.1"
source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
malpedia_version = "20170517"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$mutex = "LmddnIkX"
$str1 = "%s.Identifier"
$str2 = "%d:%I64u:%s%s;"
$str3 = "%s%.2d-%.2d-%.4d"
$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
$klg1 = "[Backspace]"
$klg2 = "[Enter]"
$klg3 = "[Tab]"
$klg4 = "[Arrow Left]"
$klg5 = "[Arrow Up]"
$klg6 = "[Arrow Right]"
$klg7 = "[Arrow Down]"
$klg8 = "[Home]"
$klg9 = "[Page Up]"
$klg10 = "[Page Down]"
$klg11 = "[End]"
$klg12 = "[Break]"
$klg13 = "[Delete]"
$klg14 = "[Insert]"
$klg15 = "[Print Screen]"
$klg16 = "[Scroll Lock]"
$klg17 = "[Caps Lock]"
$klg18 = "[Alt]"
$klg19 = "[Esc]"
$klg20 = "[Ctrl+%c]"
condition:
$mutex or (1 of ($str*) and 1 of ($klg*))
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule win_netwire_w1 {
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/NetWire"
maltype = "Remote Access Trojan"
filetype = "exe"
source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
malpedia_version = "20170517"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$string1 = "[Scroll Lock]"
$string2 = "[Shift Lock]"
$string3 = "200 OK"
$string4 = "%s.Identifier"
$string5 = "sqlite3_column_text"
$string6 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
condition:
all of them
}