win.netwire (Back to overview)

NetWire RC

aka: Recam

Actor(s): APT33

URLhaus      

Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:

for i in range(0,num_read):
buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF

References
http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/
https://news.drweb.ru/show/?i=13281&c=23
https://www.circl.lu/pub/tr-23/
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html
https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data
https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/
Yara Rules
[TLP:WHITE] win_netwire_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_netwire_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { c7042449000000 e8???????? c7042446000000 e8???????? c7042400000000 }
            // n = 5, score = 900
            //   c7042449000000       | mov                 dword ptr [esp], 0x49
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     
            //   c7042400000000       | mov                 dword ptr [esp], 0

        $sequence_1 = { 84c0 0f8????????? c744240800000000 c744240401000000 c7042402000000 }
            // n = 5, score = 900
            //   84c0                 | test                al, al
            //   0f8?????????         |                     
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   c7042402000000       | mov                 dword ptr [esp], 2

        $sequence_2 = { c7042410000000 e8???????? 84c0 74?? }
            // n = 4, score = 900
            //   c7042410000000       | mov                 dword ptr [esp], 0x10
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   74??                 |                     

        $sequence_3 = { a3???????? c7042440000000 e8???????? 84c0 74?? }
            // n = 5, score = 900
            //   a3????????           |                     
            //   c7042440000000       | mov                 dword ptr [esp], 0x40
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   74??                 |                     

        $sequence_4 = { 85c0 75?? c744240c00000000 c744240800000000 }
            // n = 4, score = 900
            //   85c0                 | test                eax, eax
            //   75??                 |                     
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0

        $sequence_5 = { c7042404000000 e8???????? 84c0 74?? a1???????? }
            // n = 5, score = 900
            //   c7042404000000       | mov                 dword ptr [esp], 4
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   74??                 |                     
            //   a1????????           |                     

        $sequence_6 = { 890424 e8???????? eb?? c7042400000000 e8???????? }
            // n = 5, score = 900
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   eb??                 |                     
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   e8????????           |                     

        $sequence_7 = { a2???????? e8???????? e8???????? e8???????? e8???????? }
            // n = 5, score = 900
            //   a2????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_8 = { c705???????????????? e9???????? c7042410020000 e8???????? }
            // n = 4, score = 900
            //   c705????????????????     |     
            //   e9????????           |                     
            //   c7042410020000       | mov                 dword ptr [esp], 0x210
            //   e8????????           |                     

        $sequence_9 = { c744240c00000000 c744240800000000 c744240400000000 c7042404000000 }
            // n = 4, score = 900
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   c7042404000000       | mov                 dword ptr [esp], 4

    condition:
        7 of them
}
[TLP:WHITE] win_netwire_w0   (20170517 | NetWiredRC)
rule win_netwire_w0 {
	meta:
		description = "NetWiredRC"
		author = "Jean-Philippe Teissier / @Jipe_"
		date = "2014-12-23"
		filetype = "memory"
		version = "1.1" 
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
	strings:
		$mutex = "LmddnIkX"

		$str1 = "%s.Identifier"
		$str2 = "%d:%I64u:%s%s;"
		$str3 = "%s%.2d-%.2d-%.4d"
		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
		
		$klg1 = "[Backspace]"
		$klg2 = "[Enter]"
		$klg3 = "[Tab]"
		$klg4 = "[Arrow Left]"
		$klg5 = "[Arrow Up]"
		$klg6 = "[Arrow Right]"
		$klg7 = "[Arrow Down]"
		$klg8 = "[Home]"
		$klg9 = "[Page Up]"
		$klg10 = "[Page Down]"
		$klg11 = "[End]"
		$klg12 = "[Break]"
		$klg13 = "[Delete]"
		$klg14 = "[Insert]"
		$klg15 = "[Print Screen]"
		$klg16 = "[Scroll Lock]"
		$klg17 = "[Caps Lock]"
		$klg18 = "[Alt]"
		$klg19 = "[Esc]"
		$klg20 = "[Ctrl+%c]"

	condition: 
		$mutex or (1 of ($str*) and 1 of ($klg*))
}
[TLP:WHITE] win_netwire_w1   (20170517 | No description)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_netwire_w1 {
	meta:
		author = " Kevin Breen <kevin@techanarchy.net>"
		date = "2014/04"
		ref = "http://malwareconfig.com/stats/NetWire"
		maltype = "Remote Access Trojan"
		filetype = "exe"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
    strings:
        $string1 = "[Scroll Lock]"
        $string2 = "[Shift Lock]"
        $string3 = "200 OK"
        $string4 = "%s.Identifier"
        $string5 = "sqlite3_column_text"
        $string6 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
    condition:
        all of them
}
Download all Yara Rules