win.netwire (Back to overview)

NetWire RC

aka: Recam

Actor(s): APT33


NetWire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:

# Per-byte transform applied to the first `num_read` entries of `buffer`
# (subtract 0x24, XOR with 0x9D, keep the low byte). `buffer` and `num_read`
# are assumed to be supplied by the surrounding code: a mutable sequence of
# ints and the count of bytes to process — TODO confirm against the caller.
for idx in range(num_read):
    byte = buffer[idx]
    buffer[idx] = ((byte - 0x24) ^ 0x9D) & 0xFF

References
http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/
https://news.drweb.ru/show/?i=13281&c=23
https://www.circl.lu/pub/tr-23/
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html
https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data
https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/
Yara Rules
[TLP:WHITE] win_netwire_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_netwire_auto {
    // Code-sequence rule for win.netwire produced by yara-signator: ten short
    // x86 opcode patterns lifted from disassembly, of which at least seven
    // must be present for the rule to match (see condition).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The byte sequences below were selected automatically by yara-signator
     * from the disassembly of memory dumps and unpacked files; the tool and
     * its documentation are to be published at
     * https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source, and for a number of families only a single
     * sample is documented, which likely limits how well these patterns
     * generalize. Keep the generation method in mind when applying the rule
     * and assigning it a confidence level.
     */

    strings:
        // Every sequence has n = 4 instructions and score = 6000. Bytes are
        // grouped per instruction; the decoded listing precedes each pattern.

        // mov byte ptr [esi+0xc], al | mov eax, dword ptr [ebx+0x14] | shr eax, 8 | mov byte ptr [esi+0xd], al
        $sequence_0 = { 88 46 0c  8b 43 14  c1 e8 08  88 46 0d }

        // mov byte ptr [esi+0xb], al | mov eax, dword ptr [ebx+0x14] | mov byte ptr [esi+0xc], al | mov eax, dword ptr [ebx+0x14]
        $sequence_1 = { 88 46 0b  8b 43 14  88 46 0c  8b 43 14 }

        // mov byte ptr [esi+0xd], al | movzx eax, word ptr [ebx+0x16] | mov byte ptr [esi+0xe], al | movzx eax, byte ptr [ebx+0x17]
        $sequence_2 = { 88 46 0d  0f b7 43 16  88 46 0e  0f b6 43 17 }

        // mov dword ptr [esp+0xc], 0 | mov dword ptr [esp+8], 0 | mov dword ptr [esp+4], 0 | mov dword ptr [esp], 0x10
        $sequence_3 = { c7 44 24 0c 00 00 00 00  c7 44 24 08 00 00 00 00  c7 44 24 04 00 00 00 00  c7 04 24 10 00 00 00 }

        // mov edx, dword ptr [ecx+0x21c] | mov dword ptr [esp+0x10], eax | mov dword ptr [esp+0x14], edx | movzx eax, byte ptr [ecx+0x228]
        $sequence_4 = { 8b 91 1c 02 00 00  89 44 24 10  89 54 24 14  0f b6 81 28 02 00 00 }

        // movzx eax, word ptr [ebx+0x16] | mov byte ptr [esi+0xe], al | movzx eax, byte ptr [ebx+0x17] | mov byte ptr [esi+0xf], al
        $sequence_5 = { 0f b7 43 16  88 46 0e  0f b6 43 17  88 46 0f }

        // je short +0x12 | cmp edx, 3 | je short +0x21 | dec edx
        $sequence_6 = { 74 12  83 fa 03  74 21  4a }

        // mov byte ptr [esi+2], al | movzx eax, byte ptr [ebx+0xb] | mov byte ptr [esi+3], al | mov eax, dword ptr [ebx+0xc]
        $sequence_7 = { 88 46 02  0f b6 43 0b  88 46 03  8b 43 0c }

        // mov dword ptr [ebx+0xc], 0 | mov dword ptr [ebx+0x10], 0 | mov dword ptr [ebx+0x14], 0 | mov dword ptr [ebx], 0
        $sequence_8 = { c7 43 0c 00 00 00 00  c7 43 10 00 00 00 00  c7 43 14 00 00 00 00  c7 03 00 00 00 00 }

        // mov dword ptr [esp+0xc], esi | mov dword ptr [esp+8], 1 | mov dword ptr [esp+4], 7 | mov dword ptr [esp], ebx
        $sequence_9 = { 89 74 24 0c  c7 44 24 08 01 00 00 00  c7 44 24 04 07 00 00 00  89 1c 24 }

    condition:
        // Seven of the ten sequences is the threshold the generator chose.
        7 of ($sequence_*)
}
[TLP:WHITE] win_netwire_w0   (20170517 | NetWiredRC)
rule win_netwire_w0 {
    // NetWiredRC string rule. Matches on the string the author labels as the
    // mutex name alone, or on any one of the format strings together with
    // any one of the bracketed key-name tokens.
    meta:
        description = "NetWiredRC"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2014-12-23"
        filetype = "memory"
        version = "1.1"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Labelled as the mutex name by the rule author; sufficient on its own.
        $mutex = "LmddnIkX" ascii

        // printf-style format strings (identifier and timestamped log lines).
        $str1 = "%s.Identifier" ascii
        $str2 = "%d:%I64u:%s%s;" ascii
        $str3 = "%s%.2d-%.2d-%.4d" ascii
        $str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" ascii
        $str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d" ascii

        // Bracketed key names of the kind a keylogger writes for non-printable keys.
        $klg1 = "[Backspace]" ascii
        $klg2 = "[Enter]" ascii
        $klg3 = "[Tab]" ascii
        $klg4 = "[Arrow Left]" ascii
        $klg5 = "[Arrow Up]" ascii
        $klg6 = "[Arrow Right]" ascii
        $klg7 = "[Arrow Down]" ascii
        $klg8 = "[Home]" ascii
        $klg9 = "[Page Up]" ascii
        $klg10 = "[Page Down]" ascii
        $klg11 = "[End]" ascii
        $klg12 = "[Break]" ascii
        $klg13 = "[Delete]" ascii
        $klg14 = "[Insert]" ascii
        $klg15 = "[Print Screen]" ascii
        $klg16 = "[Scroll Lock]" ascii
        $klg17 = "[Caps Lock]" ascii
        $klg18 = "[Alt]" ascii
        $klg19 = "[Esc]" ascii
        $klg20 = "[Ctrl+%c]" ascii

    condition:
        // "any of" is YARA's spelling of "1 of".
        $mutex or (any of ($str*) and any of ($klg*))
}
[TLP:WHITE] win_netwire_w1   (20170517 | No description)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

rule win_netwire_w1 {
    // NetWire string rule: every one of the six strings below has to be
    // present, so the generic ones ("200 OK", the sqlite API name) only
    // count in combination with the key-name and log-format strings.
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/NetWire"
        maltype = "Remote Access Trojan"
        filetype = "exe"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string1 = "[Scroll Lock]" ascii                          // bracketed key name
        $string2 = "[Shift Lock]" ascii                           // bracketed key name
        $string3 = "200 OK" ascii                                 // HTTP status text
        $string4 = "%s.Identifier" ascii                          // format string
        $string5 = "sqlite3_column_text" ascii                    // sqlite3 API symbol name
        $string6 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" ascii   // timestamped log-line format

    condition:
        all of ($string*)
}