Analysis of the NetWire RAT campaign

-

 

Executive summary:

Threat actors continue to leverage the NetWire Remote Access Trojan (RAT) in malicious spam email attacks using low-detection scripts, URL shorteners, and the Discord content delivery network (CDN). 

The Infection chain begins with a targeted email from the t-online[.]de mail service. These contain an XLS file or ZIP archive that, if opened, triggers embedded VBScript and PowerShell scripts. The secondary stage leverages  URL shorteners in the PowerShell script that pull down a batch file from the attacker’s server or from the Discord CDN. If successfully executed the victim’s device is infected with NetWire RAT and a connection is made to the command and control (C&C) server. Post-exploitative activities can then be initiated from here.

NetWire RAT is a widely used off-the-shelf malware used by cybercriminals groups and Business Email Compromise (BEC) scammers. This includes features such as stealing credentials, recording audio, screen capture, and keystroke logging, among others. Organisations targeted in this campaign were from the aviation, electrical engineering, and maritime sector around Europe and the US.

Example malicious emails delivering NetWire RAT:

Email targeting Aviation Sector:

HELO: mailout03.t-online.de

Sending IP: 194.25.134.81

From: Avinode <martin.staedler@t-online.de>

Reply-To: Avinode <martin.staedler@t-online.de>

Subject: New Avinode Plans and Prices 2021

Attachment: New Avinode Plans and Prices 2021.xls

Email targeting the Electrical Engineering Sector:

HELO: mailout07.t-online.de

Sending IP: 194.25.134.83

From: AEG Billing <rueckrieme@t-online.de>

Reply-To: rueckrieme@t-online.de <rueckrieme@t-online.de>

Subject: AEG - Invoice: 780453

Attachment: AEG-1805-INV-780453.xls

Email targeting the Maritime Sector:

HELO: mailout01.t-online.de

Sending IP: 194.25.134.80

From: Yachtworld <SteffenJohn@t-online.de>

Subject: Boats Group Invoice Notification - October 2020

Attachment: Invoice003421.zip (contains "Invoice003421.xls")


Malicious XLS and ZIP files:


NetWire process chain:

PowerShell scripts:

Campaign infrastructure:


Payload host server:

Low detection ratings:

Analysis:

Although the tactics, techniques, and procedures (TTPs) leveraged in this campaign are common, these continue to be effective to orchestrate information exfiltration attacks and Business Emial Compromise (BEC). Analysis of the C&C infrastructure in this campaign uncovered that multiple Nigerian ASNs were used to support communication such as TIZETI-AS, Celtel Nigeria Limited t.a. ZAIN, and MTN NIGERIA Communication limited.

URL shorteners have been abused for years and should often be met with caution. However, security defenders should also evaluate whether it is essential to permit access to the Discord CDN (cdn.discordapp.com) as it is often used to host malicious payloads. My previous blog on other malware families leveraging Discord is available here.

NetWire RAT has been analysed in-depth by several security companies, including CERT Luxembourg and Fortinet who have shown that it exhibits classic spyware features such as stealing credentials, audio recordings, logging keystrokes and more. [1, 2]

Types of threat actors that deploy NetWire RAT:

  • Aggah campaign mimicking DHL, the German courier (linked to the GorgonGroup). [3]
  • RATicate distributed NetWire alongside multiple other RATs and infostealers. [4]
  • Often dropped by the GuLoader. [5]
  • T-Mobile themed phishing page that also delivered NetWire RAT. [6]
  • NetWire and another JavaScript RAT pushed in phishing emails that pose as members of a central bank from an unspecified Asian country. [7]
  • NetWire and others used by TMT for Business Email Compromise (BEC) campaigns. [8] 
  • Industrial espionage campaign against Italian manufacturers. [9]

Indicators of Compromise (IOCs):


NetWire RAT:

New Avinode Plans and Prices 2021.xls - f4e43143060e196496985875d896eb93

AEG-1805-INV-780453.xls - 1f849a7cf8dd228d0adc960e95c074a5

Invoice003421.zip - 6a6b71518721a383cef34b98b9e72a89

Invoice003421.xls - fc02baa98df82e4566aaa51d3cd96aa7

Host.exe / go.exe - 5b2b28f9f863e885d1e5244f86611afb


NetWire RAT C2s:

kingshakes[.]linkpc[.]net (79.134.225.52)

kingshakes[.]linkpc[.]net (181.215.247.156)

kingshakes[.]linkpc[.]net (194.5.98.215)

37.46.150.139

193.239.147.76


NetWire RAT payload URLs:

hxxp://37.46.150[.]139/bat/scriptxls_3357e6d8-1780-4654-872a-eca3aa375ffd_kingshakes_wdexclusion.bat

hxxp://193.239.147[.]76/bat/scriptxls_3d65fd14-73d7-4649-9536-dcd84e6bfa52_kingshakes_wdexclusion.bat

hxxps://cdn[.]discordapp[.]com/attachments/783937641132982302/785739537422614528/Host.exe

hxxps://cdn[.]discordapp[.]com/attachments/765983959737565245/774193506997764106/GOOD.exe


Additional IOCs have been provided. [10]

References:

  1. http://www.circl.lu/pub/tr-23/
  2. https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html
  3. https://www.gdatasoftware.com/blog/netwire-rat-via-pasteee-and-ms-excel
  4. https://news.sophos.com/en-us/2020/05/14/raticate/
  5. https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services
  6. https://twitter.com/malwrhunterteam/status/1293916383491710979
  7. https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese
  8. https://www.interpol.int/en/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group
  9. https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/
  10. https://otx.alienvault.com/pulse/5ff8e9e6ddc7728460584f61

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more