This blog post was written by Saravanan Mohankumar.
Netwire is a multiplatform remote administration tool (RAT) widely used by cybercriminals since 2012. Netwire provides attackers with various functions to remotely control infected machines.
Lately, McAfee Labs has seen a spike in the number of attacks employing Netwire. In a recent case, Netwire was used in a targeted attack involving banking and healthcare sectors.
This recent attack used a specially crafted Word document containing a malicious macro. Because Office does not run macros by default, the attacker relies on social-engineering lures to get the victim to open the document and enable the macro.
Once the document is opened and the macro runs, it downloads Netwire from Dropbox:
Once executed, the downloaded file, tcpview.exe (named after the legitimate Sysinternals TCPView utility), copies itself to the user's AppData folder. Hosting the payload on a trusted storage site such as Dropbox makes the download look like ordinary HTTPS traffic to a reputable domain, which is why it can slip past firewall and heuristic detection that relies on domain reputation.
Netwire is a sophisticated RAT with various remote-control functions, including:
- Collecting system information
- File manager
- System manager
- Keylogging and screen capture
The following screen capture shows Netwire’s host-monitoring tool:
The file tcpview.exe is obfuscated with a custom cryptor, so static signatures for the unpacked Netwire code do not match the file on disk. The malware also creates a start-up entry in the registry so that it runs again after a reboot.
The Netwire client tcpview.exe is signed with a fake, invalid digital certificate. A signature that does not chain to a trusted root gives no assurance about the file's origin, so endpoint policy should treat such a binary as unsigned rather than as vetted.
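The AppData copy plus a registry start-up entry is a pattern you can check for on a suspect host. The following Python script is added here as an illustration and is not part of the McAfee analysis: it parses a registry export in the .reg format written by `reg export`, walks the Run and RunOnce keys, and reports any entry whose program path lives under AppData. The key, value names and paths in the embedded sample are constructed, and the .reg parsing and the AppData heuristic are choices made for this example, not a description of Netwire's exact registry value.

```python
import re

# Constructed sample in the REG 5.00 format written by `reg export`. The key, the
# value names and the paths are assumptions for illustration, not artifacts recovered
# from the McAfee analysis. Backslashes and quotes are escaped as in a real .reg file.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"tcpview"="C:\\Users\\victim\\AppData\\Roaming\\tcpview.exe"
"Updater"="\"%APPDATA%\\Install\\host.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# Autostart keys worth scanning (suffix match, case-insensitive).
AUTORUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")

# Locations a user-writable payload typically lands in. Legitimate installers rarely
# autostart a program from AppData, so a Run entry pointing here deserves a look.
SUSPICIOUS_PATH_MARKERS = (r"\appdata\roaming\\", r"\appdata\local\\", "%appdata%", "%localappdata%")

_KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
# A REG_SZ value line: "name"="data", with \\ and \" escapes inside both strings.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", s)


def _executable_path(command: str) -> str:
    """Strip arguments from a Run-key command line to get the program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def is_suspicious_path(path: str) -> bool:
    """True if the program path points into a per-user AppData location."""
    p = path.lower().replace("\\\\", "\\")
    return any(marker.replace("\\\\", "\\") in p for marker in SUSPICIOUS_PATH_MARKERS)


def find_suspicious_autoruns(reg_text: str):
    """Return (key, value_name, program_path) for autostart entries under AppData."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        km = _KEY_LINE.match(line)
        if km:
            key = km.group(1)
            current_key = key if key.lower().endswith(AUTORUN_KEY_SUFFIXES) else None
            continue
        if current_key is None:
            continue
        vm = _STRING_VALUE.match(line)
        if not vm:
            continue  # hex:/dword: values cannot be command lines
        name = _unescape(vm.group(1))
        path = _executable_path(_unescape(vm.group(2)))
        if is_suspicious_path(path):
            hits.append((current_key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"[!] {key}\\{name} -> {path}")
```

On a live host, feed the script the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent); the script only parses text, so it runs offline on an export taken from the suspect machine.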
The second stage of the attack involves a Netwire backdoor connecting to the following control servers:
Mooo.com is a free dynamic DNS domain often favored by Netwire attackers. Because a dynamic DNS name can be repointed at any time, block and hunt on the domain names as well as on the resolved addresses. Currently all these domains point to the following IP addresses in the United States:
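The dynamic DNS point above is something you can hunt for in resolver logs. The following Python example is added here and is not part of the McAfee analysis: it flags lookups under mooo.com (the only provider the post names; the other suffixes in the list are well-known dynamic DNS providers added for breadth) and groups the flagged names by the address they resolved to, since several names pointing at one address is the pattern described above. The log layout and every hostname, client and address in the sample are constructed, using RFC 5737 documentation ranges rather than the real infrastructure.

```python
import re
from collections import defaultdict

# mooo.com is the dynamic DNS domain named in the post; the remaining suffixes are
# well-known free dynamic DNS providers added here for breadth, not from the analysis.
DYNDNS_SUFFIXES = ("mooo.com", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "duckdns.org")

# Constructed sample resolver log, one query per line in an assumed
# "<timestamp> <client> <qname> <qtype> <answer>" layout. Addresses are RFC 5737
# documentation ranges, not the real control servers from the post.
SAMPLE_DNS_LOG = """\
2016-03-01T10:00:01Z 10.0.0.12 www.microsoft.com A 203.0.113.5
2016-03-01T10:00:07Z 10.0.0.12 update.acme-corp.mooo.com A 192.0.2.10
2016-03-01T10:02:15Z 10.0.0.31 stats.ddns.net A 192.0.2.10
2016-03-01T10:03:40Z 10.0.0.12 mail.example.com A 198.51.100.7
2016-03-01T10:05:02Z 10.0.0.44 svc-update.mooo.com A 192.0.2.10
2016-03-01T10:06:11Z 10.0.0.44 mooo.com.evil.example A 198.51.100.9
"""

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def is_dynamic_dns(qname: str) -> bool:
    """True if qname is a dynamic DNS provider domain or a subdomain of one.
    Matching is on label boundaries, so 'mooo.com.evil.example' is not flagged."""
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def triage_dns_log(log_text: str) -> dict:
    """Flag dynamic DNS lookups and group the flagged names by resolved address.
    Several distinct names resolving to one address is the clustering worth escalating."""
    flagged = []
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip malformed or differently formatted lines
        _ts, client, qname, qtype, answer = m.groups()
        if qtype != "A" or not is_dynamic_dns(qname):
            continue
        flagged.append((client, qname, answer))
        by_ip[answer].add(qname.lower().rstrip("."))
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return {"flagged": flagged, "shared_ips": shared}


if __name__ == "__main__":
    result = triage_dns_log(SAMPLE_DNS_LOG)
    for client, qname, answer in result["flagged"]:
        print(f"[!] {client} resolved {qname} -> {answer}")
    for ip, names in result["shared_ips"].items():
        print(f"[*] {ip} shared by {len(names)} dynamic DNS names: {', '.join(names)}")
```

A dynamic DNS lookup on its own is only a weak signal (plenty of hobby services use these providers), so the shared-address grouping is what turns a handful of lookups into something worth pivoting on: the clients listed against one address are the hosts to check for the AppData copy and start-up entry described earlier.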
The malicious Word document is detected by McAfee Advanced Threat Defense with high severity.
Advanced Threat Defense also classifies the downloaded file as malicious.