Netwire is a multiplatform remote administration tool (RAT) widely used by cybercriminals since 2012. Netwire provides attackers with various functions to remotely control infected machines.
Lately, McAfee Labs has seen a spike in the number of attacks employing Netwire. In a recent case, Netwire was used in a targeted attack involving banking and healthcare sectors.
The Attack
This recent attack used a specially crafted Word document with an embedded malicious macro. An attacker might also use social-engineering tricks to lure victims into opening the malicious document.
Once the document is opened, the exploit downloads Netwire from Dropbox:
hxxp://www.dropbox.com/s/q*********/tcpview.exe?dl=1
Once executed, the malware tcpview.exe copies itself to the AppData folder. By using trusted storage sites such as Dropbox the malware can sometimes avoid firewall and heuristic detection.
Netwire
Netwire is a sophisticated RAT with various remote-control functions, including:
- Collecting system information
- File manager
- System manager
- Keylogging and screen capture
The following screen capture shows Netwire’s host-monitoring tool:
The file tcpview.exe is obfuscated with a custom cryptor. The malware also creates a start-up entry in the registry for persistence.
The Netwire client tcpview.exe is signed by fake and invalid digital certificates.
The second stage of the attack involves a Netwire backdoor connecting to the following control servers:
- davidluciano.mooo.com
- jydonky.mooo.com
- papybrown.mooo.com
Mooo.com is a dynamic DNS domain provider often favored by Netwire attackers. Currently all these domains point to the following IP addresses in the United States:
- 216.38.7.229
- 23.105.131.179
- 23.105.131.236
The malicious Word document is detected by McAfee Advanced Threat Defense with high severity.
Advanced Threat Defense also classifies the downloaded file as malicious.
The post Netwire RAT Behind Recent Targeted Attacks appeared first on McAfee.