Threat Intelligence

Peeling the Netwire Onion

Recently, the Fidelis Threat Research Team (TRT) acquired and began analyzing a sample of Netwire (MITRE ATT&CK ID S0198). Netwire is a commercially available, multiplatform, remote administration tool (RAT) that has been around since at least 2012 (1).

SHARE:

While it is publicly available, actors will attempt to hide the malware using obfuscation. The Netwire payload observed for this report was under five layers of obfuscation making it harder for antivirus software detection, and thus showing an intent by adversaries to evade defensive measures. There have been reports of cyber-criminal and nation-state sponsored adversaries using Netwire, including APT33 (G0064 (2)), The White Company (G0089 (2)), and SilverTerrier (G0083 (2)).

 

Key Judgments:

  • Netwire is a commercially available malware.
  • Threat actors utilize multiple layers of obfuscation to evade A/V detection.
  • TRT assesses with moderate confidence that Netwire will increase in popularity with both low-level and well-resourced actors, based primarily on its ease of access.

 

The Netwire sample discussed in this blog was delivered via a phishing campaign (Figure 1).

Figure 1 Phishing Email

 

The Malware

As stated above, this sample of the Netwire payload was hidden under fiver layers of obfuscation. It stores and starts with the obfuscated blob in the mutex (Figure 2).


Figure 2 Mutex

The first layer is a xor encoded blob that decodes to a second layer which is base 64 encoded blob (Figure 3).


Figure 3 XOR

The base64 decodes to a third layer which is a .net packer called Adderall Protector (Figure 4)


Figure 4 Base64

Adderall Protect injects a xor encoded payload (figure) into host.exe and starts process vbc.exe. So, if you are stepping through this, you will see the module “AuthenticationState” called before process vbc.exe is started (Figure 5). The PBD path was not stripped from the third layer “c:\Users\Administrator\AppData\Roaming\AdderallProtector\AuthenticationState.pdb” and as such we were able to identify it.


Figure 5 Modules

 

The injected code is the payload packed with .net packer called .NETGuard (version 4.5). The payload is Netwire and installs itself in %AppData%\Roaming\Install\Host.exe. Host.exe is actually command line visual basic compiler(vbc.exe) (Figure 6).

 


Figure 6 VBC

 

After all the .net obfuscation and packing, we get to the actual payload that is Netwire (Figure 7). Netwire is not .net and once you have the payload, you need to switch from using DNSpy to IDA pro for further analysis.


Figure 7 Netwire

Netwire will start by initializing global variables and window sockets by calling WAStratup (Figure 8).


Figure 8 WAStartup

If the file is not running from %AppData%\Instal\ as Host.exe, it will create the copy of itself there and run a child process from that location (Figure 9).


Figure 9 Install Folder

Next, the malware will de-obfuscate strings that it needs. Netwire contains a custom obfuscation to hide registry keys, APIs, DLL names, and other strings. Below is a python script to decode the strings manually (Figure 10). A python de-obfuscation script is included in the Appendix.


Figure 10 String Obfuscation

Netwire will go onto creating persistence by adding a registry key to start Host.exe at startup (Figure 11).


Figure 11 RegKey

The malware will call _begintheardex to start keylogging (Figure 12). Netwire also creates a “Logs” folder to store the collected data from the victim system. Additionally, it has the ability to delete itself and download a bat file to %temp% and run it.


Figure 12 Logging

It also creates a Host ID and logs the infection date and time (Figure 13).


Figure 13 Host ID

Encryption Usage:

Netwire uses RC4 encryption with a hard coded 16-byte key for its configuration data. The key is located at a specific offset in the binary. Once the key is read. It will start the RC4 decryption process. Figure 14 below illustrated the process of creating the Rc4 init sbox. Figure 15 illustrates the decryption process.


Figure 14 Rc4 init sbox


Figure 15 Decryption process

 

Networking:

Netwire uses AES to encrypt the command and control traffic. The initial packet will send a 32 byte value along with 16 byte IV value. The client uses the static password specified on its configuration data along with the 32 byte value seed to generate the AES key. The C2 server then generates the client session key, which is needed to generate the keys for communication, unfortunately the server was down at the time of analysis (Figure 16). However, after the C2 servers generates the keys, further communications send information about the victim system such as: current user, computer name, operating system version, current time, and victim IP.


Figure 16 PCAP

 

Conclusion

Based off current observations and analysis, Netwire is assessed to be a moderate threat. While it is being used by nation-state sponsored and cyber criminals, it’s not yet as widespread as Emotet or NanoCore. Due to its usage, it is also believed that the developers most likely keep up to date with bugs and capability improvements. Netwire’s growth in popularity over the last couple months, and its commercial availability, also leads TRT analysts to assess with moderate confidence that this malware will increase in popularity with both low-level and well-resourced actors.
As Netwire has been seen being delivered via phishing campaigns, it is recommended, as always, that email vigilance and proper security awareness be practiced in order to limit compromise by adversaries leveraging Netwire.

Appendix I

IOC
194.5.98.225 (Sub[.]thebest1jewels[.]waw[.]pl:3336)
185.217.1.158 (Sub[.]thebest1jewels[.]waw[.]pl:3336)
185.244.31.54 (Sub[.]thebest1jewels[.]waw[.]pl:3336)
95.142.123.15

Python Deobfuscation for strings
key = “_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C”
obf_str = “MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6″
#obfuscated string
Deofb_str = ”
for letter in obf_str:
index1 = key.find(letter) #give index number of each char that is in str obf_str
k_len = len(key) #find length
index1_plus_6 = [ndex1 + 6] #takes index number that index1 is currently at and adds 6
index = index1_plus_6[0] #stores what is currently at key plus 6(stores line 9)
if index > k_len: # do this if index out of range
out_of_range_val = int(index) & int(‘3f’, 16 ) #index out of range check
k_key = key[out_of_range_val]
Deofb_str += k_key
#print(Deofb_str.join(k_key))
else: # do this if index in range
if letter == ‘\\’: #skip \
Deofb_str += letter
else:
decoded = key[index1 + 6] #add 6 to index1 and show the letter
Deofb_str += decoded
print(Deofb_str)

Yara Signature

rule netwire

{

meta:
hash = “46e353d81fb7d21122eca30fd054d760”

strings:

$str1 = “NetWire” ascii wide nocase
$str2 = “SOFTWARE\\NetWire” ascii wide nocase
$str3 = “HostId” ascii wide nocase
$str4 = “Install Date” ascii wide nocase
$str5 = “@echo off” ascii wide nocase
$str6 = “ping 192.0.2.2 -n 1 -w %d >nul 2>&1” ascii wide nocase
$str7 = “DEL /s \”%s\” >nul 2>&1″ ascii wide
$str8 = “start /b \”\” cmd /c del \”%%~f0\”&exit /b” ascii wide
$str9 = “User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko” ascii wide nocase
$str10 = “GET %s HTTP/1.1” ascii wide
$str11 = “SeaMonkey” ascii wide nocase
$str12 = “encryptedUsername” ascii wide nocase
$str13 = “encryptedPassword” ascii wide nocase
$str14 = “Profiles\\Outlook” ascii wide nocase
$str15 = “Intelliforms\\storage2” ascii wide nocase

$fmtstr = “%c%.8x%s”
$fmtstr2 = “%s @ %s”
$fmtstr3 = “%s:%u”
$fmtstr4 = “%s:%d”
$fmtstr5 = “%s\\%s.bat”
$fmtstr6 = “[Log Started] – [%.2d/%.2d/%d %.2d:%.2d:%.2d]”
$fmtstr7 = “[%s] – [%.2d/%.2d/%d %.2d:%.2d:%.2d]”
$rc4_opcode = { C7 44 24 04 ?? ?? ?? ?? }
$rc4_opcode2 = {88 44 06 08 83 c? 01 3d 00 01 00 00 75 ?? } // cmp eax, 100h
$rc4_opcode3 = { 83 c? 01 81 F? 00 01 00 00 75 ??}

condition:
uint16(0) == 0x5a4d and 10 of ($str*) and 5 of ($fmtstr*) and any of ($rc4_opcode*)

Appendix II

Assessment Writing Styles and Meanings
Confidence is a judgment based on three factors:
1. Strength of knowledge base, to include the quality of the sources and our depth of understanding about the issue
2. Number and importance of assumptions used to fill information gaps
3. Strength of logic underpinning the argument, which encompasses the number and strength of analytic inferences as well as the rigor of the analytic methodology in the product

HIGH: Well-corroborated information from proven sources, minimal assumptions, and/or strong logical inferences
MODERATE: Partially corroborated information from good sources, several assumptions, and/or mixture of strong and weak inferences
LOW: Uncorroborated information from good or marginal sources, many assumptions, and/or mostly weak inferences

References
(n.d.). Retrieved from https://www.worldwiredlabs.com/clients/announcements/51/NetWire-v20-R1.html
(n.d.). Retrieved from https://attack.mitre.org/software/S0198/

Browse our blog