win.netwire (Back to overview)

NetWire RC

aka: NetWire, Recam

Actor(s): APT33

URLhaus      

Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:

for i in range(0,num_read):
buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF

References
2019-09-12 ⋅ AvastAdolf Středa, Luigino Camastra
@online{steda:20190912:tangle:204c26f, author = {Adolf Středa and Luigino Camastra}, title = {{The tangle of WiryJMPer’s obfuscation}}, date = {2019-09-12}, organization = {Avast}, url = {https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/}, language = {English}, urldate = {2020-01-13} } The tangle of WiryJMPer’s obfuscation
NetWire RC
2019-05-08 ⋅ Dr.WebDr.Web
@online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } A new threat for macOS spreads as WhatsApp
NetWire RC
2019-01-30 ⋅ Samip Pokharel
@online{pokharel:20190130:analysis:df83b7e, author = {Samip Pokharel}, title = {{Analysis of NetWiredRC trojan}}, date = {2019-01-30}, url = {https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/}, language = {English}, urldate = {2020-01-13} } Analysis of NetWiredRC trojan
NetWire RC
2017-12-06 ⋅ CiscoHolger Unterbrink, Christopher Marczewski
@online{unterbrink:20171206:recam:2790363, author = {Holger Unterbrink and Christopher Marczewski}, title = {{Recam Redux - DeConfusing ConfuserEx}}, date = {2017-12-06}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html}, language = {English}, urldate = {2019-12-06} } Recam Redux - DeConfusing ConfuserEx
NetWire RC
2017-09-20 ⋅ FireEyeJacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser
@online{oleary:20170920:insights:27e8253, author = {Jacqueline O’Leary and Josiah Kimble and Kelli Vanderlee and Nalani Fraser}, title = {{Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware}}, date = {2017-09-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html}, language = {English}, urldate = {2019-12-20} } Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
DROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33
2016-11-28 ⋅ SecureworksIncident Reponse Team
@online{team:20161128:netwire:b81c423, author = {Incident Reponse Team}, title = {{NetWire RAT Steals Payment Card Data}}, date = {2016-11-28}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data}, language = {English}, urldate = {2019-12-18} } NetWire RAT Steals Payment Card Data
NetWire RC
2014-11-26 ⋅ CIRCLCIRCL
@online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } TR-23 Analysis - NetWiredRC malware
NetWire RC
2014-08-04 ⋅ Palo Alto Networks Unit 42Phil Da Silva, Rob Downs, Ryan Olson
@online{silva:20140804:new:826d436, author = {Phil Da Silva and Rob Downs and Ryan Olson}, title = {{New Release: Decrypting NetWire C2 Traffic}}, date = {2014-08-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/}, language = {English}, urldate = {2019-12-20} } New Release: Decrypting NetWire C2 Traffic
NetWire RC
Yara Rules
[TLP:WHITE] win_netwire_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_netwire_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { c744242400000000 c7442420fdffffff c744241c00000000 c744241800000000 c744241400000000 c744241000000000 }
            // n = 6, score = 700
            //   c744242400000000     | mov                 dword ptr [esp + 0x24], 0
            //   c7442420fdffffff     | mov                 dword ptr [esp + 0x20], 0xfffffffd
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0

        $sequence_1 = { c744240800000000 c744240410000000 890424 e8???????? }
            // n = 4, score = 700
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240410000000     | mov                 dword ptr [esp + 4], 0x10
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_2 = { e8???????? c7042446000000 e8???????? c7042449000000 e8???????? c7042446000000 }
            // n = 6, score = 700
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     
            //   c7042449000000       | mov                 dword ptr [esp], 0x49
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46

        $sequence_3 = { e8???????? c70424d0070000 e8???????? e9???????? }
            // n = 4, score = 700
            //   e8????????           |                     
            //   c70424d0070000       | mov                 dword ptr [esp], 0x7d0
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_4 = { 750f c705???????????????? e9???????? c705???????????????? e9???????? }
            // n = 5, score = 700
            //   750f                 | jne                 0x11
            //   c705????????????????     |     
            //   e9????????           |                     
            //   c705????????????????     |     
            //   e9????????           |                     

        $sequence_5 = { 0504020000 890424 e8???????? e9???????? }
            // n = 4, score = 700
            //   0504020000           | add                 eax, 0x204
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_6 = { e8???????? c7042446000000 e8???????? c7042400000000 e8???????? }
            // n = 5, score = 700
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   e8????????           |                     

        $sequence_7 = { c744240400000000 c7042410000000 e8???????? 83ec14 }
            // n = 4, score = 700
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   c7042410000000       | mov                 dword ptr [esp], 0x10
            //   e8????????           |                     
            //   83ec14               | sub                 esp, 0x14

        $sequence_8 = { e8???????? eb11 c7042496000000 e8???????? }
            // n = 4, score = 700
            //   e8????????           |                     
            //   eb11                 | jmp                 0x13
            //   c7042496000000       | mov                 dword ptr [esp], 0x96
            //   e8????????           |                     

        $sequence_9 = { e8???????? e8???????? e8???????? e8???????? c7042400000000 e8???????? }
            // n = 6, score = 700
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   e8????????           |                     

    condition:
        7 of them
}
[TLP:WHITE] win_netwire_w0   (20170517 | NetWiredRC)
rule win_netwire_w0 {
	meta:
		description = "NetWiredRC"
		author = "Jean-Philippe Teissier / @Jipe_"
		date = "2014-12-23"
		filetype = "memory"
		version = "1.1" 
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
	strings:
		$mutex = "LmddnIkX"

		$str1 = "%s.Identifier"
		$str2 = "%d:%I64u:%s%s;"
		$str3 = "%s%.2d-%.2d-%.4d"
		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
		
		$klg1 = "[Backspace]"
		$klg2 = "[Enter]"
		$klg3 = "[Tab]"
		$klg4 = "[Arrow Left]"
		$klg5 = "[Arrow Up]"
		$klg6 = "[Arrow Right]"
		$klg7 = "[Arrow Down]"
		$klg8 = "[Home]"
		$klg9 = "[Page Up]"
		$klg10 = "[Page Down]"
		$klg11 = "[End]"
		$klg12 = "[Break]"
		$klg13 = "[Delete]"
		$klg14 = "[Insert]"
		$klg15 = "[Print Screen]"
		$klg16 = "[Scroll Lock]"
		$klg17 = "[Caps Lock]"
		$klg18 = "[Alt]"
		$klg19 = "[Esc]"
		$klg20 = "[Ctrl+%c]"

	condition: 
		$mutex or (1 of ($str*) and 1 of ($klg*))
}
[TLP:WHITE] win_netwire_w1   (20170517 | No description)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_netwire_w1 {
	meta:
		author = " Kevin Breen <kevin@techanarchy.net>"
		date = "2014/04"
		ref = "http://malwareconfig.com/stats/NetWire"
		maltype = "Remote Access Trojan"
		filetype = "exe"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
    strings:
        $string1 = "[Scroll Lock]"
        $string2 = "[Shift Lock]"
        $string3 = "200 OK"
        $string4 = "%s.Identifier"
        $string5 = "sqlite3_column_text"
        $string6 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
    condition:
        all of them
}
Download all Yara Rules