SYMBOLCOMMON_NAMEaka. SYNONYMS
win.netwire (Back to overview)

NetWire RC

aka: NetWeird, NetWire, Recam

Actor(s): APT33

URLhaus      

Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:

for i in range(0,num_read):
buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF

References
2020-06-15Amnesty InternationalAmnesty International
@online{international:20200615:india:2e4e60b, author = {Amnesty International}, title = {{India: Human Rights Defenders Targeted by a Coordinated Spyware Operation}}, date = {2020-06-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/}, language = {English}, urldate = {2020-06-16} } India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
NetWire RC
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-03-05VinCSSDang Dinh Phuong
@online{phuong:20200305:re011:4496e8a, author = {Dang Dinh Phuong}, title = {{[RE011] Unpack crypter của malware Netwire bằng x64dbg}}, date = {2020-03-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html}, language = {Vietnamese}, urldate = {2020-03-11} } [RE011] Unpack crypter của malware Netwire bằng x64dbg
NetWire RC
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-09-12AvastAdolf Středa, Luigino Camastra
@online{steda:20190912:tangle:204c26f, author = {Adolf Středa and Luigino Camastra}, title = {{The tangle of WiryJMPer’s obfuscation}}, date = {2019-09-12}, organization = {Avast}, url = {https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/}, language = {English}, urldate = {2020-01-13} } The tangle of WiryJMPer’s obfuscation
NetWire RC
2019-05-08Dr.WebDr.Web
@online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } A new threat for macOS spreads as WhatsApp
NetWire RC
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-01-30Samip Pokharel
@online{pokharel:20190130:analysis:df83b7e, author = {Samip Pokharel}, title = {{Analysis of NetWiredRC trojan}}, date = {2019-01-30}, url = {https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/}, language = {English}, urldate = {2020-01-13} } Analysis of NetWiredRC trojan
NetWire RC
2017-12-06CiscoHolger Unterbrink, Christopher Marczewski
@online{unterbrink:20171206:recam:2790363, author = {Holger Unterbrink and Christopher Marczewski}, title = {{Recam Redux - DeConfusing ConfuserEx}}, date = {2017-12-06}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html}, language = {English}, urldate = {2019-12-06} } Recam Redux - DeConfusing ConfuserEx
NetWire RC
2017-09-20FireEyeJacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser
@online{oleary:20170920:insights:27e8253, author = {Jacqueline O’Leary and Josiah Kimble and Kelli Vanderlee and Nalani Fraser}, title = {{Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware}}, date = {2017-09-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html}, language = {English}, urldate = {2019-12-20} } Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
DROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33
2016-11-28SecureworksIncident Reponse Team
@online{team:20161128:netwire:b81c423, author = {Incident Reponse Team}, title = {{NetWire RAT Steals Payment Card Data}}, date = {2016-11-28}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data}, language = {English}, urldate = {2019-12-18} } NetWire RAT Steals Payment Card Data
NetWire RC
2014-11-26CIRCLCIRCL
@online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } TR-23 Analysis - NetWiredRC malware
NetWire RC
2014-08-04Palo Alto Networks Unit 42Phil Da Silva, Rob Downs, Ryan Olson
@online{silva:20140804:new:826d436, author = {Phil Da Silva and Rob Downs and Ryan Olson}, title = {{New Release: Decrypting NetWire C2 Traffic}}, date = {2014-08-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/}, language = {English}, urldate = {2019-12-20} } New Release: Decrypting NetWire C2 Traffic
NetWire RC
Yara Rules
[TLP:WHITE] win_netwire_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_netwire_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? c7042446000000 e8???????? c7042400000000 }
            // n = 4, score = 1100
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     
            //   c7042400000000       | mov                 dword ptr [esp], 0

        $sequence_1 = { e8???????? c7042446000000 e8???????? c7042449000000 e8???????? c7042446000000 e8???????? }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     
            //   c7042449000000       | mov                 dword ptr [esp], 0x49
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     

        $sequence_2 = { e8???????? a3???????? c7042440000000 e8???????? }
            // n = 4, score = 1100
            //   e8????????           |                     
            //   a3????????           |                     
            //   c7042440000000       | mov                 dword ptr [esp], 0x40
            //   e8????????           |                     

        $sequence_3 = { c744241004020000 8944240c c744240801000000 c744240407000000 }
            // n = 4, score = 1100
            //   c744241004020000     | mov                 dword ptr [esp + 0x10], 0x204
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c744240801000000     | mov                 dword ptr [esp + 8], 1
            //   c744240407000000     | mov                 dword ptr [esp + 4], 7

        $sequence_4 = { e8???????? c704244a000000 e8???????? c7042446000000 e8???????? }
            // n = 5, score = 1100
            //   e8????????           |                     
            //   c704244a000000       | mov                 dword ptr [esp], 0x4a
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     

        $sequence_5 = { 83ec0c c7442408???????? c7442404???????? c70424???????? e8???????? }
            // n = 5, score = 1100
            //   83ec0c               | sub                 esp, 0xc
            //   c7442408????????     |                     
            //   c7442404????????     |                     
            //   c70424????????       |                     
            //   e8????????           |                     

        $sequence_6 = { c744241000000000 c744240c00000000 c744240800000000 c744240400000000 c7042408000000 e8???????? 83ec14 }
            // n = 7, score = 1100
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   c7042408000000       | mov                 dword ptr [esp], 8
            //   e8????????           |                     
            //   83ec14               | sub                 esp, 0x14

        $sequence_7 = { e8???????? c7042401000000 e8???????? 84c0 }
            // n = 4, score = 1100
            //   e8????????           |                     
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_8 = { a2???????? e8???????? e8???????? e8???????? e8???????? e8???????? }
            // n = 6, score = 1100
            //   a2????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_9 = { 890424 e8???????? 83ec20 3d03010000 }
            // n = 4, score = 1100
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec20               | sub                 esp, 0x20
            //   3d03010000           | cmp                 eax, 0x103

    condition:
        7 of them and filesize < 401408
}
[TLP:WHITE] win_netwire_w0   (20170517 | NetWiredRC)
rule win_netwire_w0 {
	meta:
		description = "NetWiredRC"
		author = "Jean-Philippe Teissier / @Jipe_"
		date = "2014-12-23"
		filetype = "memory"
		version = "1.1" 
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
	strings:
		$mutex = "LmddnIkX"

		$str1 = "%s.Identifier"
		$str2 = "%d:%I64u:%s%s;"
		$str3 = "%s%.2d-%.2d-%.4d"
		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
		
		$klg1 = "[Backspace]"
		$klg2 = "[Enter]"
		$klg3 = "[Tab]"
		$klg4 = "[Arrow Left]"
		$klg5 = "[Arrow Up]"
		$klg6 = "[Arrow Right]"
		$klg7 = "[Arrow Down]"
		$klg8 = "[Home]"
		$klg9 = "[Page Up]"
		$klg10 = "[Page Down]"
		$klg11 = "[End]"
		$klg12 = "[Break]"
		$klg13 = "[Delete]"
		$klg14 = "[Insert]"
		$klg15 = "[Print Screen]"
		$klg16 = "[Scroll Lock]"
		$klg17 = "[Caps Lock]"
		$klg18 = "[Alt]"
		$klg19 = "[Esc]"
		$klg20 = "[Ctrl+%c]"

	condition: 
		$mutex or (1 of ($str*) and 1 of ($klg*))
}
[TLP:WHITE] win_netwire_w1   (20170517 | No description)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_netwire_w1 {
	meta:
		author = " Kevin Breen <kevin@techanarchy.net>"
		date = "2014/04"
		ref = "http://malwareconfig.com/stats/NetWire"
		maltype = "Remote Access Trojan"
		filetype = "exe"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
    strings:
        $string1 = "[Scroll Lock]"
        $string2 = "[Shift Lock]"
        $string3 = "200 OK"
        $string4 = "%s.Identifier"
        $string5 = "sqlite3_column_text"
        $string6 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
    condition:
        all of them
}
Download all Yara Rules