
Dissecting Netwire Remote Access Trojan (RAT) behavior on an infected endpoint

Netwire is a Remote Access Trojan (RAT) capable of stealing passwords and logging keystrokes, and it includes remote control capabilities. Netwire RAT has been used by advanced persistent threat (APT) groups in the past.

In a recent malspam campaign, Netwire RAT was delivered via a zip archive containing a Visual Basic script.

The OpenText Security Consulting team, as part of its threat research, continuously monitors how malware behaves on the endpoint and creates alerting content for OpenText's MxDR and Managed Security Services customers.

Infection Chain

Upon execution of the malicious Visual Basic script associated with the Netwire RAT infection, the script contacts a compromised website and downloads an updated Visual Basic script. That script then launches a PowerShell process to execute a Base64 encoded script which creates persistence, downloads additional payloads, injects code into the ieinstal process, and communicates with the Netwire RAT command and control (C2) host.

Figure: PowerShell spawning the ieinstal process (abnormal behavior)

Figure: Svchost spawning the ieinstal process on an uninfected host (expected behavior)

Figure: Netwire RAT creating persistence in the registry Run key, pointing to the AppDataLow registry key

Figure: The AppDataLow registry key, which runs a Base64 encoded PowerShell script used to execute the encrypted Netwire RAT binary

Figure: Injected ieinstal process communicating with Netwire RAT C2 hosts over port 3360

Figure: Explorer spawning PowerShell to interact with the registry key under AppDataLow

Content used to alert on the Netwire RAT’s behavior

Figure: Using the Uncoder.io Sigma rule generator to alert on Explorer spawning a PowerShell process whose command line contains the registry key '\software\appdatalow\'

Figure: Using the Uncoder.io Sigma rule generator to alert on PowerShell spawning the ieinstal process
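As an added example (not the Sigma rules from the screenshots above, which are not reproduced here), the same two detections written as plain Python predicates and run over constructed Sysmon-style process-creation records. Field names follow Sysmon Event ID 1; the image paths and command lines are invented samples.

```python
"""Two Netwire RAT process-creation detections over constructed Sysmon-style records."""

PS_IMAGES = {"powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_explorer_powershell_appdatalow(ev: dict) -> bool:
    r"""explorer.exe -> powershell.exe with '\software\appdatalow\' in the command line."""
    return (image_name(ev["ParentImage"]) == "explorer.exe"
            and image_name(ev["Image"]) in PS_IMAGES
            and "\\software\\appdatalow\\" in ev["CommandLine"].lower())


def rule_powershell_spawns_ieinstal(ev: dict) -> bool:
    """powershell.exe -> ieinstal.exe; on a clean host svchost.exe is the expected parent."""
    return (image_name(ev["ParentImage"]) in PS_IMAGES
            and image_name(ev["Image"]) == "ieinstal.exe")


RULES = {
    "netwire_explorer_powershell_appdatalow": rule_explorer_powershell_appdatalow,
    "netwire_powershell_spawns_ieinstal": rule_powershell_spawns_ieinstal,
}


def run_rules(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IEINSTAL = r"C:\Program Files\Internet Explorer\ieinstal.exe"
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell.exe -w hidden -c "gp HKCU:\Software\AppDataLow\ | ..."'},
    {"ParentImage": PS, "Image": IEINSTAL, "CommandLine": f'"{IEINSTAL}"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": IEINSTAL,
     "CommandLine": f'"{IEINSTAL}"'},                      # expected parent: no alert
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-Process"},          # ordinary use: no alert
]

if __name__ == "__main__":
    for idx, rule_name in run_rules(EVENTS):
        print(f"ALERT {rule_name}: {EVENTS[idx]['CommandLine']}")
```

Only the first two records fire; the svchost parent and the plain PowerShell invocation stay silent, which is the behaviour the expected-versus-abnormal figures above describe.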

Indicators of Compromise (IoC)

MD5 Hash: 831f8bcc9aacd0570d62355010455c79 – Hash associated with the initial VB script used to download Netwire RAT
MD5 Hash: 15727c74c194a1de647552d66006ecfe – Hash associated with the secondary VB script used to download Netwire RAT
toshiba1122.ddns[.]net – Domain associated with the Netwire RAT C2
194.5.98[.]59 port 3360 – IP address hosting Netwire RAT C2
197.210.226[.]83 port 3360 – IP address hosting Netwire RAT C2
197.210.226[.]190 port 3360 – IP address hosting Netwire RAT C2

Author: Lenny Conway, Lead Consultant
