Analysis of the NetWire RAT campaign
Executive summary:
Threat actors continue to leverage the NetWire Remote Access Trojan (RAT) in malicious spam email attacks using low-detection scripts, URL shorteners, and the Discord content delivery network (CDN).
The infection chain begins with a targeted email sent through the t-online[.]de mail service. The email carries an XLS file or a ZIP archive that, if opened, triggers embedded VBScript and PowerShell scripts. In the second stage, the PowerShell script uses URL shorteners to pull down a batch file from the attacker's server or from the Discord CDN. If that batch file executes successfully, the victim's device is infected with NetWire RAT and a connection is made to the command and control (C&C) server, from which post-exploitation activity can then be initiated.
NetWire RAT is widely used off-the-shelf malware favoured by cybercriminal groups and Business Email Compromise (BEC) scammers. Its features include credential theft, audio recording, screen capture and keystroke logging, among others. The organisations targeted in this campaign were in the aviation, electrical engineering and maritime sectors across Europe and the US.
Example malicious emails delivering NetWire RAT:
Email targeting Aviation Sector:
HELO: mailout03.t-online.de
Sending IP: 194.25.134.81
From: Avinode <martin.staedler@t-online.de>
Reply-To: Avinode <martin.staedler@t-online.de>
Subject: New Avinode Plans and Prices 2021
Attachment: New Avinode Plans and Prices 2021.xls
Email targeting the Electrical Engineering Sector:
HELO: mailout07.t-online.de
Sending IP: 194.25.134.83
From: AEG Billing <rueckrieme@t-online.de>
Reply-To: rueckrieme@t-online.de <rueckrieme@t-online.de>
Subject: AEG - Invoice: 780453
Attachment: AEG-1805-INV-780453.xls
Email targeting the Maritime Sector:
HELO: mailout01.t-online.de
Sending IP: 194.25.134.80
From: Yachtworld <SteffenJohn@t-online.de>
Subject: Boats Group Invoice Notification - October 2020
Attachment: Invoice003421.zip (contains "Invoice003421.xls")
Malicious XLS and ZIP files:
Types of threat actors that deploy NetWire RAT:
- Aggah campaign mimicking DHL, the German courier (linked to the GorgonGroup). [3]
- RATicate distributed NetWire alongside multiple other RATs and infostealers. [4]
- Often dropped by GuLoader. [5]
- T-Mobile themed phishing page that also delivered NetWire RAT. [6]
- NetWire and another JavaScript RAT pushed in phishing emails that pose as members of a central bank from an unspecified Asian country. [7]
- NetWire and others used by TMT for Business Email Compromise (BEC) campaigns. [8]
- Industrial espionage campaign against Italian manufacturers. [9]
Indicators of Compromise (IOCs):
NetWire RAT samples (MD5):
New Avinode Plans and Prices 2021.xls - f4e43143060e196496985875d896eb93
AEG-1805-INV-780453.xls - 1f849a7cf8dd228d0adc960e95c074a5
Invoice003421.zip - 6a6b71518721a383cef34b98b9e72a89
Invoice003421.xls - fc02baa98df82e4566aaa51d3cd96aa7
Host.exe / go.exe - 5b2b28f9f863e885d1e5244f86611afb
NetWire RAT C2s:
kingshakes[.]linkpc[.]net (79.134.225.52)
kingshakes[.]linkpc[.]net (181.215.247.156)
kingshakes[.]linkpc[.]net (194.5.98.215)
37.46.150.139
193.239.147.76
NetWire RAT payload URLs:
hxxp://37.46.150[.]139/bat/scriptxls_3357e6d8-1780-4654-872a-eca3aa375ffd_kingshakes_wdexclusion.bat
hxxp://193.239.147[.]76/bat/scriptxls_3d65fd14-73d7-4649-9536-dcd84e6bfa52_kingshakes_wdexclusion.bat
hxxps://cdn[.]discordapp[.]com/attachments/783937641132982302/785739537422614528/Host.exe
hxxps://cdn[.]discordapp[.]com/attachments/765983959737565245/774193506997764106/GOOD.exe
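As an added defensive example (not part of the original report), the following Python script scans web proxy log lines for the delivery patterns described in the infection chain and the IOC section: executables fetched from the Discord CDN attachment path, the scriptxls_<uuid>_..._wdexclusion.bat batch-file naming, and requests to the listed C2 and payload hosts. The log format, the sample log lines and the detection names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the original report). Format per line:
# "<timestamp> <client_ip> <method> <url> <status>". The first two URLs reuse
# payload URLs from the IOC section; the other two are benign filler.
SAMPLE_PROXY_LOG = """\
2020-12-08T09:14:02Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/783937641132982302/785739537422614528/Host.exe 200
2020-12-08T09:14:05Z 10.0.0.15 GET http://37.46.150.139/bat/scriptxls_3357e6d8-1780-4654-872a-eca3aa375ffd_kingshakes_wdexclusion.bat 200
2020-12-08T09:15:10Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/100000000000000001/100000000000000002/holiday.png 200
2020-12-08T09:16:44Z 10.0.0.31 GET https://www.example.com/index.html 200
"""

# Hosts from the report's C2 and payload-URL indicators, with the [.] defanging removed.
KNOWN_BAD_HOSTS = {"kingshakes.linkpc.net", "37.46.150.139", "193.239.147.76"}
EXECUTABLE_EXT = (".exe", ".bat", ".dll", ".ps1", ".vbs")
# Batch-file naming used in the campaign: scriptxls_<uuid>_<tag>_wdexclusion.bat
WDEXCLUSION_RE = re.compile(
    r"/scriptxls_[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}_\w+_wdexclusion\.bat$",
    re.IGNORECASE,
)

def classify_url(url: str) -> list[str]:
    """Return the detection names that fire for one requested URL (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path
    reasons = []
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known_c2_or_payload_host")
    if host == "cdn.discordapp.com" and path.startswith("/attachments/") \
            and path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("executable_from_discord_cdn")
    if WDEXCLUSION_RE.search(path):
        reasons.append("wdexclusion_batch_download")
    return reasons

def scan_proxy_log(log_text: str) -> list[dict]:
    """Parse proxy log lines and return one hit per line that triggers a detection."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing
        timestamp, client_ip, _method, url, _status = fields[:5]
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": timestamp, "client": client_ip, "url": url, "reasons": reasons})
    return hits
```

Running `scan_proxy_log(SAMPLE_PROXY_LOG)` flags the two payload downloads and leaves the benign Discord image and web page untouched.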
References:
- [1] http://www.circl.lu/pub/tr-23/
- [2] https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html
- [3] https://www.gdatasoftware.com/blog/netwire-rat-via-pasteee-and-ms-excel
- [4] https://news.sophos.com/en-us/2020/05/14/raticate/
- [5] https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services
- [6] https://twitter.com/malwrhunterteam/status/1293916383491710979
- [7] https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese
- [8] https://www.interpol.int/en/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group
- [9] https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/
- [10] https://otx.alienvault.com/pulse/5ff8e9e6ddc7728460584f61