win.netwire

NetWire RC

aka: Recam

Actor(s): APT33

NetWire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:

def decode_keylog(buffer, num_read):  # buffer: bytearray of the keylog file contents
    for i in range(0, num_read):
        buffer[i] = ((buffer[i] - 0x24) ^ 0x9D) & 0xFF
    return buffer
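As an added example (not code from Malpedia or from the referenced analyses), a stand-alone Python decoder for recovered keylog files built on the formula above; the inverse transform is derived from that formula and is used only to build a constructed sample so the decoder can be checked offline.

```python
SUB = 0x24  # per-byte subtraction constant from the algorithm above
XOR = 0x9D  # per-byte XOR constant from the algorithm above


def decode_keylog(data: bytes) -> bytes:
    """Reverse NetWire's keylog obfuscation, per byte: ((b - 0x24) ^ 0x9D) & 0xFF."""
    return bytes(((b - SUB) ^ XOR) & 0xFF for b in data)


def encode_keylog(data: bytes) -> bytes:
    """Algebraic inverse of decode_keylog: ((b ^ 0x9D) + 0x24) & 0xFF.
    Not taken from the malware; used here only to construct a test sample."""
    return bytes(((b ^ XOR) + SUB) & 0xFF for b in data)


def decode_keylog_file(path: str) -> str:
    """Decode an obfuscated keylog file from disk. latin-1 maps every byte
    value, so stray binary bytes are shown to the analyst instead of failing."""
    with open(path, "rb") as fh:
        return decode_keylog(fh.read()).decode("latin-1")


# Constructed sample: plausible captured keystrokes, obfuscated with the
# inverse transform so decode_keylog can be exercised without a real file.
SAMPLE_PLAINTEXT = b"[Notepad] hello world\r\n"
SAMPLE_OBFUSCATED = encode_keylog(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decode_keylog(SAMPLE_OBFUSCATED).decode("latin-1"))
```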
