Netwire is a Remote Access Trojan (RAT) capable of stealing passwords, keylogging, and includes remote control capabilities. Netwire RAT has been used by advanced persistent threat groups (APT) in the past.
In a recent malspam campaign, Netwire RAT was delivered via an archived zip file containing a Visual Basic script.
The OpenText Security Consulting team, as part of its threat research, continuously monitors how malware behaves on the endpoint and creates alerting content for its MxDR and Managed Security Services customers.
Infection Chain
Upon execution of the malicious Visual Basic script associated with the Netwire RAT infection, the script contacts a compromised website and downloads an updated Visual Basic script. That script then launches PowerShell to execute a Base64-encoded script that creates persistence, downloads additional payloads, injects code into the ieinstall process, and communicates with the Netwire RAT command and control (C2) host.
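The script-host-to-PowerShell step above is the point where endpoint telemetry gives the clearest detection opportunity. The following is an added example, not OpenText's alerting content: it runs over constructed process-creation events (made-up PIDs and paths), flags powershell.exe spawned by wscript.exe/cscript.exe, decodes the -EncodedCommand payload, and checks the decoded text against the C2 domain from the IoC list on this page.

```python
import base64
import re

# Constructed sample, not real telemetry; the decoded script only carries the page's C2 domain as a string.
_SAMPLE_SCRIPT = "$c = 'toshiba1122.ddns.net'; Start-Sleep -Seconds 1"
SAMPLE_ENC = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16le")).decode()  # -enc is Base64 of UTF-16LE
# Constructed process-creation events modelled on the chain above: wscript.exe runs the VB script, then spawns PowerShell.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 912, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.vbs"'},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"pid": 5001, "ppid": 912, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},  # benign: parent is not a script host
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
C2_DOMAINS = {"toshiba1122.ddns.net"}  # from the IoC list on this page
# -EncodedCommand plus the abbreviated forms PowerShell accepts for it.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    # Returns the decoded -EncodedCommand text, or None if absent or undecodable.
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_script_host_to_powershell(events):
    # Alert on powershell.exe whose parent is a script host; decode any encoded command and record known C2 domains in it.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent) not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(e["cmdline"])
        hits = sorted(d for d in C2_DOMAINS if decoded and d in decoded.lower())
        alerts.append({"pid": e["pid"], "parent": image_name(parent),
                       "decoded": decoded, "iocs": hits})
    return alerts
```

In production the same logic would read Sysmon Event ID 1 or EDR process-creation records, and the decoded command should be logged with the alert so an analyst sees the persistence and download actions without re-running anything.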
Content used to alert on the Netwire RAT’s behavior
Indicators of Compromise (IoC)
MD5 Hash: 831f8bcc9aacd0570d62355010455c79 – Hash associated with initial VB script used to download Netwire RAT
MD5 Hash: 15727c74c194a1de647552d66006ecfe – Hash associated with secondary VB script used to download the Netwire RAT
toshiba1122.ddns[.]net – Domain associated with the Netwire RAT C2
194.5.98[.]59 port 3360 – IP address hosting Netwire RAT C2
197.210.226[.]83 port 3360 – IP address hosting Netwire RAT C2
197.210.226[.]190 port 3360 – IP address hosting Netwire RAT C2
Author: Lenny Conway, Lead Consultant