Hello guys, while doing research I got valuable information about Netwire RAT. I am going to share it with you.
Note: Do not ask about the setup, because:
1. Most hackers/attackers bind it with malware.
2. Almost all RAT setups are detected as malware by every anti-virus product.
Happy hunting, guys :)
The Attack
This recent attack used a specially crafted Word document with an embedded malicious macro. An attacker might also use social-engineering tricks to lure victims into opening the malicious document.
Once the document is opened, the exploit downloads Netwire from Dropbox:
hxxp://www.dropbox.com/s/q*********/tcpview.exe?dl=1
Once executed, the malware tcpview.exe copies itself to the AppData folder. By using trusted storage sites such as Dropbox, the malware can sometimes avoid firewall and heuristic detection.
Netwire
Netwire is a multiplatform remote administration tool (RAT) widely used by cybercriminals since 2012. Netwire provides attackers with various functions to remotely control infected machines.
Lately, McAfee Labs has seen a spike in the number of attacks employing Netwire. In a recent case, Netwire was used in a targeted attack involving the banking and healthcare sectors.
Netwire's functions include:
· Collecting system information
· File manager
· System manager
· Keylogging and screen capture
The following screen capture shows Netwire’s host-monitoring tool:
The file tcpview.exe is obfuscated with a custom cryptor. The malware also creates a start-up entry in the registry for persistence.
The Netwire client tcpview.exe is signed by fake and invalid digital certificates.
The second stage of the attack involves a Netwire backdoor connecting to the following control servers:
· davidluciano.mooo.com
· jydonky.mooo.com
· papybrown.mooo.com
Mooo.com is a dynamic DNS domain provider often favored by Netwire attackers. Currently all these domains point to the following IP addresses in the United States:
· 216.38.7.229
· 23.105.131.179
· 23.105.131.236
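As an added example (it is not part of the original post or of McAfee's writeup), the following Python script turns the indicators listed above into simple detection logic: it matches the three mooo.com control domains and three IP addresses against DNS, proxy and connection log lines, and separately flags the first-stage pattern of an executable fetched from Dropbox with the direct-download parameter dl=1. The three log formats, the sample timestamps and client addresses, and the CONSTRUCTED Dropbox path are assumptions made for this example; only the domains, IPs and the tcpview.exe file name come from the post.

```python
"""Match the Netwire indicators from the post against constructed log lines."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post: dynamic-DNS control domains and the IPs they resolved to.
NETWIRE_DOMAINS = {"davidluciano.mooo.com", "jydonky.mooo.com", "papybrown.mooo.com"}
NETWIRE_IPS = {"216.38.7.229", "23.105.131.179", "23.105.131.236"}

# Assumption for this example: flag these file extensions when served from Dropbox.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll")

# Assumed (constructed) line formats for three log sources:
#   proxy: "<ts> <client> <METHOD> <url> <status>"
#   dns:   "<ts> <client> query <qname> -> <answer>"
#   conn:  "<ts> <client> connect <dst_ip>:<port>"
LINE_PATTERNS = {
    "proxy": re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"),
    "dns": re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) -> (?P<answer>\S+)$"),
    "conn": re.compile(r"^(?P<ts>\S+) (?P<client>\S+) connect (?P<dst>\S+):(?P<port>\d+)$"),
}


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    rule: str
    indicator: str


def parse_line(line: str) -> Optional[Tuple[str, dict]]:
    """Return (log_kind, fields) for a recognised line, or None for anything else."""
    for kind, pattern in LINE_PATTERNS.items():
        match = pattern.match(line.strip())
        if match:
            return kind, match.groupdict()
    return None


def is_dropbox_executable(url: str) -> bool:
    """True when the URL points at an executable hosted on a dropbox.com host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "dropbox.com" and not host.endswith(".dropbox.com"):
        return False
    return parts.path.lower().endswith(EXECUTABLE_SUFFIXES)


def check_line(line: str) -> Optional[Alert]:
    """Apply the indicator rules to one log line; return an Alert or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    kind, f = parsed
    if kind == "proxy" and is_dropbox_executable(f["url"]):
        # dl=1 asks Dropbox for a direct file download instead of the preview page.
        direct = parse_qs(urlsplit(f["url"]).query).get("dl") == ["1"]
        rule = "dropbox_exe_download_direct" if direct else "dropbox_exe_download"
        return Alert(f["ts"], f["client"], rule, f["url"])
    if kind == "dns":
        qname = f["qname"].lower().rstrip(".")
        if qname in NETWIRE_DOMAINS:
            return Alert(f["ts"], f["client"], "dns_query_c2_domain", qname)
        if f["answer"] in NETWIRE_IPS:
            # Catches a new or unknown hostname that resolves to a known control IP.
            return Alert(f["ts"], f["client"], "dns_answer_c2_ip", f["answer"])
    if kind == "conn" and f["dst"] in NETWIRE_IPS:
        return Alert(f["ts"], f["client"], "connection_to_c2_ip", f["dst"])
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through check_line and collect the alerts in order."""
    return [alert for alert in (check_line(line) for line in lines) if alert is not None]


# Constructed sample log lines; the Dropbox path and the port are placeholders.
SAMPLE_LOGS = [
    "2017-03-01T10:00:01Z 10.0.0.5 GET http://www.dropbox.com/s/CONSTRUCTED/tcpview.exe?dl=1 200",
    "2017-03-01T10:00:02Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2017-03-01T10:02:10Z 10.0.0.5 query davidluciano.mooo.com -> 216.38.7.229",
    "2017-03-01T10:02:10Z 10.0.0.7 query www.example.com -> 93.184.216.34",
    "2017-03-01T10:02:11Z 10.0.0.5 connect 216.38.7.229:8080",
    "2017-03-01T10:05:00Z 10.0.0.9 query cdn.example.net -> 23.105.131.236",
    "this line is not in any known format",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert.ts} {alert.client} {alert.rule} {alert.indicator}")
```

The DNS answer rule is the one worth keeping even after the listed hostnames go stale: dynamic-DNS names are cheap to rotate, so matching on the resolved address as well as the query name gives a second chance at the same infrastructure.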
The malicious Word document is detected by McAfee Advanced Threat Defense with high severity. Advanced Threat Defense also classifies the downloaded file as malicious.
About Netwire RAT | Blackhattrick Blog
Reviewed by BlackHat on 5:39 PM