Analysis of the NetWire RAT Campaign

Executive summary:

Threat actors continue to leverage the NetWire Remote Access Trojan (RAT) in malicious spam email attacks using low-detection scripts, URL shorteners, and the Discord content delivery network (CDN). 

The Infection chain begins with a targeted email from the t-online[.]de mail service. These contain an XLS file or ZIP archive that, if opened, triggers embedded VBScript and PowerShell scripts. The secondary stage leverages  URL shorteners in the PowerShell script that pull down a batch file from the attacker’s server or from the Discord CDN. If successfully executed the victim’s device is infected with NetWire RAT and a connection is made to the command and control (C&C) server. Post-exploitative activities can then be initiated from here.

NetWire RAT is a widely used off-the-shelf malware used by cybercriminals groups and Business Email Compromise (BEC) scammers. This includes features such as stealing credentials, recording audio, screen capture, and keystroke logging, among others. Organisations targeted in this campaign were from the aviation, electrical engineering, and maritime sector around Europe and the US.

Example malicious emails delivering NetWire RAT:

Email targeting Aviation Sector:

HELO: mailout03.t-online.de

Sending IP: 194.25.134.81

From: Avinode <martin.staedler@t-online.de>

Reply-To: Avinode <martin.staedler@t-online.de>

Subject: New Avinode Plans and Prices 2021

Attachment: New Avinode Plans and Prices 2021.xls

Email targeting the Electrical Engineering Sector:

HELO: mailout07.t-online.de

Sending IP: 194.25.134.83

From: AEG Billing <rueckrieme@t-online.de>

Reply-To: rueckrieme@t-online.de <rueckrieme@t-online.de>

Subject: AEG – Invoice: 780453

Attachment: AEG-1805-INV-780453.xls

Email targeting the Maritime Sector:

HELO: mailout01.t-online.de

Sending IP: 194.25.134.80

From: Yachtworld <SteffenJohn@t-online.de>

Subject: Boats Group Invoice Notification – October 2020

Attachment: Invoice003421.zip (contains “Invoice003421.xls”)

Malicious XLS and ZIP files:

NetWire process chain:

PowerShell scripts:

Campaign infrastructure:

https://www.virustotal.com/graph/embed/g624478f34ef04d35915fa129afc0c314c68548071a03489a975264414b85987d

Payload host server:

Low detection ratings:

Analysis:

Although the tactics, techniques, and procedures (TTPs) leveraged in this campaign are common, these continue to be effective to orchestrate information exfiltration attacks and Business Emial Compromise (BEC). Analysis of the C&C infrastructure in this campaign uncovered that multiple Nigerian ASNs were used to support communication such as TIZETI-AS, Celtel Nigeria Limited t.a. ZAIN, and MTN NIGERIA Communication limited.

URL shorteners have been abused for years and should often be met with caution. However, security defenders should also evaluate whether it is essential to permit access to the Discord CDN (cdn.discordapp.com) as it is often used to host malicious payloads. My previous blog on other malware families leveraging Discord is available here.

NetWire RAT has been analysed in-depth by several security companies, including CERT Luxembourg and Fortinet who have shown that it exhibits classic spyware features such as stealing credentials, audio recordings, logging keystrokes and more. [1, 2]

Types of threat actors that deploy NetWire RAT:

  • Aggah campaign mimicking DHL, the German courier (linked to the GorgonGroup). [3]
  • RATicate distributed NetWire alongside multiple other RATs and infostealers. [4]
  • Often dropped by the GuLoader. [5]
  • T-Mobile themed phishing page that also delivered NetWire RAT. [6]
  • NetWire and another JavaScript RAT pushed in phishing emails that pose as members of a central bank from an unspecified Asian country. [7]
  • NetWire and others used by TMT for Business Email Compromise (BEC) campaigns. [8] 
  • Industrial espionage campaign against Italian manufacturers. [9]

Indicators of Compromise (IOCs):

NetWire RAT:

New Avinode Plans and Prices 2021.xls – f4e43143060e196496985875d896eb93

AEG-1805-INV-780453.xls – 1f849a7cf8dd228d0adc960e95c074a5

Invoice003421.zip – 6a6b71518721a383cef34b98b9e72a89

Invoice003421.xls – fc02baa98df82e4566aaa51d3cd96aa7

Host.exe / go.exe – 5b2b28f9f863e885d1e5244f86611afb

NetWire RAT C2s:

kingshakes[.]linkpc[.]net (79.134.225.52)

kingshakes[.]linkpc[.]net (181.215.247.156)

kingshakes[.]linkpc[.]net (194.5.98.215)

37.46.150.139

193.239.147.76

NetWire RAT payload URLs:

hxxp://37.46.150[.]139/bat/scriptxls_3357e6d8-1780-4654-872a-eca3aa375ffd_kingshakes_wdexclusion.bat

hxxp://193.239.147[.]76/bat/scriptxls_3d65fd14-73d7-4649-9536-dcd84e6bfa52_kingshakes_wdexclusion.bat

hxxps://cdn[.]discordapp[.]com/attachments/783937641132982302/785739537422614528/Host.exe

hxxps://cdn[.]discordapp[.]com/attachments/765983959737565245/774193506997764106/GOOD.exe

Additional IOCs have been provided. [10]

References:

https://otx.alienvault.com/pulse/5ff8e9e6ddc7728460584f61

http://www.circl.lu/pub/tr-23/

https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html

https://www.gdatasoftware.com/blog/netwire-rat-via-pasteee-and-ms-excel

https://news.sophos.com/en-us/2020/05/14/raticate/

https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services

https://twitter.com/malwrhunterteam/status/1293916383491710979

https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese

https://www.interpol.int/en/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group

https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/