NETWIRE RAT TECHNICAL ANALYSIS REPORT


CONTENTS

Information about the file paths, registry records, logs and all other indicators of the NetWire Remote Access Trojan has been analyzed and reported in detail.

Introduction .................................................................................1

Preview .......................................................................................1

Host.exe File Analysis ................................................................5

Host.exe Behavior Analysis ........................................................6

Network Analysis ........................................................................8

Solution Proposals .....................................................................9

YARA Rule ...............................................................................10

Introduction

NetWire is a RAT-type remote access tool written by the Iranian APT33 group. Its first derivatives appeared in 2012. It infects target systems by combining itself with Word macros, mail phishing and legitimate applications, and then exploits the compromised system. Various malicious operations can be performed on a compromised system, for example:

• Keylogging

• Remote control

• Accessing data in various browsers

• Accessing sensitive data in Outlook

• Accessing data on the clipboard

The derivatives of NetWire produced since 2012 are sold in underground hacking communities and darknet forums for between $40 and $140 as a Remote Administration Tool. Our examination revealed that this type of malware is generally used to target banking and similar systems. It can attack many systems, including Windows, Linux and macOS. With its latest update it has attracted much attention for attacks on POS devices.

Preview

The version of the NetWire malware analyzed here was revealed on 13.05.2020. It has continued to spread by bundling itself with a legitimate accounting application and through mail phishing. The original name of the malicious file is "RFQ List 13052020". The extension of the malware is .scr and it is delivered to the system with this extension. As its name suggests, it targeted the accounting departments of banks and companies: "RFQ" in the file name means "request for quotation" and the numbers at the end indicate the date, in this case "13.05.2020".

The malware, compiled with Borland Delphi 7, is combined with a legitimate accounting application using Turbo Linker (2.25 Delphi).

At first it appears as a screen saver with a .scr extension, so that the user does not become suspicious of the malicious file. When this .scr file is run, it goes through its own set of checks in addition to the commonly used anti-debug methods. Some of the techniques it uses are:

File Name   RFQ List 13052020.scr
MD5         72DD0F3D54F711E8F3C83A2F1B7CE6DC
SHA1        4022218FC6956E0BF458E3DA091733D9676D738A
SHA256      56CDF2F0ADFFCC195D95801F4F61DA727EDF5E6FE6BBBF0AC71462F733DF9DE9


• Scanning the file path for keywords that indicate an analysis environment:

  o Malware

  o Sample

  o Sandbox

It compares these keywords with its own file path. If the path contains one of these words, it concludes that it is running in an analysis environment.


• Scanning the running processes for certain keywords:

  o Bdwtxag.exe

  o Avgsvc.exe

  o Avgui.exe

  o Bdagent.exe

  o Avastsvc.exe

  o Dwengine.exe

  o Nissrv.exe

  o Procmon.exe

  o Ollydbg.exe

  o Procmon64.exe

  o Procexp64.exe

  o Windbg.exe

  o Avp.exe

It scans for keywords that contain the names of anti-virus programs and analysis tools.

If the anti-debug checks are triggered at certain points, it opens a different, legitimate application to complicate analysis. This application appears to be a simple accounting application with a small agenda for viewing a file.


After this keyword scanning, if it is not in an analysis environment, it copies itself into APPDATA as Host.exe and adds itself to startup; from then on it runs its processes through this Host.exe. If it detects that it is in an analysis environment, it terminates itself without any activity on the system.

The only purpose of the RFQ List 13052020.scr file is therefore to determine, using anti-debug techniques, whether or not it is in an analysis environment, to copy itself into APPDATA as Host.exe and add itself to startup, and then to run its processes through this Host.exe.

The NetWire RAT copies itself to AppData/Roaming/Install as Host.exe. It also adds itself to the system startup in the registry to ensure persistence on the system.


Host.exe File Analysis

When the Host.exe copied to APPDATA is examined, it can be determined that it is identical to the file named RFQ List 13052020.scr: the malware copies itself to the APPDATA directory byte for byte, not as a different file. Although it is the same file, it behaves differently from RFQ List 13052020.scr. The reason is that it checks its own file path and name: when the file name is Host.exe and the file is running from APPDATA, a different set of commands is executed. It works with different parameters for different processes.

As the malware continues to run, it spawns 4 different processes with 2 different parameters. Because of these parameters, the same file has different functions.

If it is not in the APPDATA directory and its file name is not Host.exe, it starts itself with the -m parameter and performs harmful activities such as logging and establishing a connection. If the malicious application is in the APPDATA directory and its file name is Host.exe, it performs these operations without parameters.

When it runs with the other parameter, it acts as a watchdog: it ensures that the instance performing the harmful operations does not close. If the instance started directly with the -m parameter or via APPDATA has stopped running, it is restarted.

File Name   Host.exe
MD5         72DD0F3D54F711E8F3C83A2F1B7CE6DC
SHA1        4022218FC6956E0BF458E3DA091733D9676D738A
SHA256      56CDF2F0ADFFCC195D95801F4F61DA727EDF5E6FE6BBBF0AC71462F733DF9DE9


Host.exe Behavior Analysis

When the malware named Host.exe running from APPDATA is run properly, it performs various harmful operations through functions and APIs. Among these operations there are two basic functions.

The first function keeps a LOG by writing the information collected on the system to an encrypted file. The log file is kept as "AppData/Roaming/Logs/{DATE}". Sensitive data such as keyboard keystrokes and clipboard contents are kept encrypted in this log file.

The second main function is to connect the malware to the C&C server and exfiltrate the collected sensitive data.


In addition to these two main functions, the malware performs the following harmful operations:

• Scanning the Windows registry,

• Enumerating the monitors attached to the system,

• Running another executable,

• Running arbitrary commands on the system,

• Scanning directories and files on the system,

• Obtaining the user's mail information,

• Obtaining the user's sensitive data from the browser.

By reading the registry, it can obtain the user's sensitive Outlook data. In the same way, it obtains the system's root directories from the Shell Folders information kept in the registry.


It also leaks the user data stored in various browsers, such as browsing history, to the C&C servers.

The malware also creates a mutex object named "VLlPKtXt" on the system.
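A host-triage check for the artifacts described in this section and the persistence described earlier (the Host.exe drop path and its MD5, the Logs directory, the registry Run entry and the mutex name), added here as an example and not part of the original report. The host data it runs over is constructed, and the Run value name "Install" is an assumption; the report does not name the registry value.

```python
import re

# Indicators from the report: MD5 of Host.exe, its drop location, the log
# directory and the mutex name. Everything under SAMPLE_* is constructed
# for this example, not data from a real machine.
KNOWN_MD5 = {"72dd0f3d54f711e8f3c83a2f1b7ce6dc"}
DROP_RE = re.compile(r"\\AppData\\Roaming\\Install\\Host\.exe\b", re.IGNORECASE)
LOG_RE = re.compile(r"\\AppData\\Roaming\\Logs\\", re.IGNORECASE)
MUTEX_NAME = "VLlPKtXt"


def triage(files, run_keys, mutexes):
    """files: {path: md5 hex}, run_keys: {Run value name: command line},
    mutexes: iterable of mutex names seen on the host. Returns findings."""
    findings = []
    for path, md5 in files.items():
        if md5.lower() in KNOWN_MD5:
            findings.append(f"file: known NetWire hash at {path}")
        elif DROP_RE.search(path):
            # Same drop path but an unknown hash: treat as a possible variant.
            findings.append(f"file: Host.exe in NetWire drop path, unknown hash ({path})")
        if LOG_RE.search(path):
            findings.append(f"file: possible NetWire log at {path}")
    for name, cmd in run_keys.items():
        if DROP_RE.search(cmd):
            findings.append(f"persistence: Run value '{name}' -> {cmd}")
    for mutex in mutexes:
        if mutex == MUTEX_NAME:
            findings.append(f"mutex: {mutex} present")
    return findings


SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\Install\Host.exe": "72DD0F3D54F711E8F3C83A2F1B7CE6DC",
    r"C:\Users\alice\AppData\Roaming\Logs\13.05.2020": "0123456789abcdef0123456789abcdef",
    r"C:\Windows\System32\notepad.exe": "fedcba9876543210fedcba9876543210",
}
SAMPLE_RUN_KEYS = {  # value name "Install" is an assumption, not from the report
    "Install": r'"C:\Users\alice\AppData\Roaming\Install\Host.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
}
SAMPLE_MUTEXES = ["VLlPKtXt", "Global\\ConstructedBenignMutex"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_RUN_KEYS, SAMPLE_MUTEXES):
        print(finding)
```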

Network Analysis

The NetWire RAT constantly sends connection requests to port 1591 of the IP address 194[.]5.97[.]76, which is the C&C server. However, since the port is closed, the C&C server always answers with the RST flag.
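Detection logic for the connection pattern just described (repeated SYNs to 194.5.97.76:1591 answered only by RST), added here as an example that is not part of the original report. The log lines and their format are constructed; the function flags any internal host whose every attempt to reach the C&C port was rejected, which is what a still-beaconing infection looks like when the server is down.

```python
from collections import Counter

# C&C endpoint from the report (written there defanged as 194[.]5.97[.]76).
C2_IP = "194.5.97.76"
C2_PORT = 1591

# Constructed sample in a simple "timestamp src:port -> dst:port flags" format;
# 10.0.0.15 shows the beaconing pattern, 10.0.0.22 is a benign TLS connection.
SAMPLE_LOG = """\
2020-05-13T10:00:01 10.0.0.15:49712 -> 194.5.97.76:1591 S
2020-05-13T10:00:01 194.5.97.76:1591 -> 10.0.0.15:49712 RA
2020-05-13T10:00:06 10.0.0.15:49713 -> 194.5.97.76:1591 S
2020-05-13T10:00:06 194.5.97.76:1591 -> 10.0.0.15:49713 RA
2020-05-13T10:00:07 10.0.0.22:50001 -> 203.0.113.10:443 S
2020-05-13T10:00:07 203.0.113.10:443 -> 10.0.0.22:50001 SA
2020-05-13T10:00:11 10.0.0.15:49714 -> 194.5.97.76:1591 S
2020-05-13T10:00:11 194.5.97.76:1591 -> 10.0.0.15:49714 RA
"""


def parse_line(line):
    """Split one log line into (ts, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), flags


def find_beacons(log_text, min_attempts=3):
    """Return {host: attempts} for internal hosts that sent at least
    min_attempts bare SYNs to the C&C port and got a RST back for each."""
    attempts, rejected = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src_ip, src_port, dst_ip, dst_port, flags = parse_line(line)
        if dst_ip == C2_IP and dst_port == C2_PORT and flags == "S":
            attempts[src_ip] += 1
        elif src_ip == C2_IP and src_port == C2_PORT and "R" in flags:
            rejected[dst_ip] += 1
    return {h: n for h, n in attempts.items()
            if n >= min_attempts and rejected[h] == n}


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # {'10.0.0.15': 3}
```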


Solution Proposals

- Use up-to-date, reliable antivirus software on systems,

- Read incoming mails carefully and do not open their attachments without scanning them,

- Ignore spam mails,

- Pay attention to phishing sites while browsing the internet,

- Install the latest updates available for the operating system,

- Monitor the processes and the network activity of the processes running on the system,

- Filter the IP addresses, domains and other addresses of the C&C servers that establish harmful connections on the network.

These measures can prevent the NetWire RAT from infecting and damaging the system.


YARA Rule

import "hash"

rule NetWire : RAT
{
    meta:
        description = "Netwire Banking Trojan"
        version = "NetWire v2.1 R5"
        first_date = "13.05.2020"
        report_date = "08.03.2020"
        file_name = "Host.exe"

    strings:
        $s1 = "P.rsrc" fullword
        $s2 = "P.reloc" fullword
        $s3 = "WWWWWWW$.c" fullword
        $s4 = ".db2" fullword
        $s5 = "3XE4PMyW7kL2Pql3uCjp08vI8TUiLn3TInCLUEnixJNRsbhpjQCO" fullword
        $s6 = "Host is down." fullword
        $s7 = "No route to host." fullword
        $s8 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" fullword
        $s9 = "rfDesktop" fullword
        $s10 = "SOFTWARE\\Borland\\Delphi\\RTL" fullword
        $s11 = "Software\\Borland\\Delphi\\Locales" fullword
        $s12 = "Software\\Borland\\Locales" fullword

    condition:
        // match the known sample by hash, or a variant carrying all of the strings
        hash.md5(0, filesize) == "72dd0f3d54f711e8f3c83a2f1b7ce6dc" or all of them
}
