Netwire RAT Behind Recent Targeted Attacks

This blog post was written by Saravanan Mohankumar.

Netwire is a multiplatform remote administration tool (RAT) widely used by cybercriminals since 2012. Netwire provides attackers with various functions to remotely control infected machines.

Lately, McAfee Labs has seen a spike in the number of attacks employing Netwire. In a recent case, Netwire was used in a targeted attack involving banking and healthcare sectors.


The Attack
This recent attack used a specially crafted Word document with an embedded malicious macro. An attacker might also use social-engineering tricks to lure victims into opening the malicious document.

Once the document is opened, the exploit downloads Netwire from Dropbox:


Once executed, the malware tcpview.exe copies itself to the AppData folder. By using trusted storage sites such as Dropbox the malware can sometimes avoid firewall and heuristic detection.


Netwire is a sophisticated RAT with various remote-control functions, including:

  • Collecting system information
  • File manager
  • System manager
  • Keylogging and screen capture

The following screen capture shows Netwire’s host-monitoring tool:


The file tcpview.exe is obfuscated with a custom cryptor. The malware also creates a start-up entry in the registry for persistence.
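A quick triage check for the persistence mechanism described above, added here as an example and not part of the original McAfee post: it parses Run-key entries in the shape of `reg query` output (the sample below is constructed, not captured from a real host) and flags executables that sit directly in the AppData root or in the user's Temp folder, which is where the dropped tcpview.exe would be expected to live.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `reg query HKCU\...\Run` output; not from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    tcpview     REG_SZ    C:\Users\alice\AppData\Roaming\tcpview.exe
    Teams       REG_SZ    C:\Program Files\Teams\Teams.exe -autostart
"""

# One Run value line: <name> REG_SZ|REG_EXPAND_SZ <command line>
ENTRY_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+?)\s*$")
# Heuristic: executable directly in the AppData root (no vendor subfolder) or under Local\Temp.
SUSPICIOUS_DIR_RE = re.compile(
    r"\\AppData\\(?:Roaming|Local)\\[^\\]+\.exe$|\\AppData\\Local\\Temp\\", re.IGNORECASE)

def executable_path(value: str) -> str:
    """Return the program path from a Run value, dropping quotes and trailing arguments."""
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(.+?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]

def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Parse reg query output into {name, path} records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group("name"), "path": executable_path(m.group("value"))})
    return entries

def is_suspicious_autorun(path: str) -> bool:
    return SUSPICIOUS_DIR_RE.search(path) is not None

def find_suspicious(text: str) -> List[str]:
    """Names of Run entries whose executable lives in a location worth reviewing."""
    return [e["name"] for e in parse_run_entries(text) if is_suspicious_autorun(e["path"])]

if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_REG_QUERY):
        print("review autorun entry:", name)
```

Vendor software legitimately installs under AppData\Local\<Vendor>\, so the rule keys on the absence of a subfolder rather than on AppData itself.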

The Netwire client tcpview.exe is signed by fake and invalid digital certificates.


The second stage of the attack involves a Netwire backdoor connecting to the following control servers:

  • is a dynamic DNS domain provider often favored by Netwire attackers. Currently all these domains point to the following IP addresses in the United States:


The malicious Word document is detected by McAfee Advanced Threat Defense with high severity.


Advanced Threat Defense also classifies the downloaded file as malicious.
