NETWIRE RAT TECHNICAL ANALYSIS REPORT
CONTENTS
The file paths, registry entries, logs and all other indicators of the NetWire Remote Access Trojan have been analyzed and are reported here in detail.
Introduction .................................................................................1
Preview .......................................................................................1
Host.exe File Analysis ................................................................5
Host.exe Behavior Analysis ........................................................6
Network Analysis ........................................................................8
Solution Proposals .....................................................................9
YARA Rule ...............................................................................10
Introduction
NetWire is a RAT-type remote access tool written by the Iranian APT33 group. Its first variants appeared in 2012. It infects target systems by being delivered through Word macros, mail phishing and legitimate applications, and then exploits the compromised system. Various malicious operations can be performed on exploited systems, for example:
• Keylogger
• Remote Control
• Access data on various browsers
• Access sensitive data in Outlook
• Accessing data on the Clipboard
Variants of NetWire produced since 2012 have been sold in underground hacking communities and darknet forums for between $40 and $140 as a Remote Administration Tool. The examination shows that this type of malware generally targets banks and similar systems. It can attack many platforms, including Windows, Linux and macOS. With its latest update it has drawn attention for attacks on POS devices.
Preview
The version of NetWire analyzed here was first observed on 13.05.2020. It has continued to spread by combining itself with a legitimate accounting application and by mail phishing. The original name of the malicious file is “RFQ List 13052020”. Its extension is .scr, and it is delivered to the system with this extension. As the name suggests, it targeted the accounting departments of banks and companies: “RFQ” in the filename means request for quotation, and the numbers at the end indicate the date, here “13.05.2020”.
The malware is compiled with Borland Delphi 7 and is combined with a legitimate accounting application using Turbo Linker (2.25 Delphi).
It first appears as a screen saver with a .scr extension so that the victim does not become suspicious. When this .scr file is run, it goes through its own set of checks in addition to the commonly used anti-debug methods. Some of the techniques it uses are:
File Name: RFQ List 13052020.scr
MD5: 72DD0F3D54F711E8F3C83A2F1B7CE6DC
SHA1: 4022218FC6956E0BF458E3DA091733D9676D738A
SHA256: 56CDF2F0ADFFCC195D95801F4F61DA727EDF5E6FE6BBBF0AC71462F733DF9DE9
• Scanning the file path for keywords that indicate an analysis environment:
  o Malware
  o Sample
  o Sandbox
It compares these keywords with its own file path. If the path contains one of these words, it understands that it is in an analysis environment.
• Scanning the running processes for certain keywords:
  o Bdwtxag.exe
  o Avgsvc.exe
  o Avgui.exe
  o Bdagent.exe
  o Avastsvc.exe
  o Dwengine.exe
  o Nissrv.exe
  o Procmon.exe
  o Ollydbg.exe
  o Procmon64.exe
  o Procexp64.exe
  o Windbg.exe
  o Avp.exe
It scans the process list for the names of anti-virus programs and analysis tools. If these anti-debug checks are triggered at certain points, it opens a different legitimate application to complicate analysis. This application appears to be an accounting application with a small agenda for viewing a simple file.
After this keyword scanning, if it finds that it is not in an analysis environment, it copies itself into APPDATA as Host.exe and adds itself to startup; from then on it runs its processes through this Host.exe. If it detects that it is in an analysis environment, it terminates itself without any activity on the system.
The only purpose of the RFQ List 13052020.scr file is to determine, using these anti-debug techniques, whether it is in an analysis environment, and if not, to copy itself into APPDATA as Host.exe, add itself to startup and run its processes through this Host.exe.
The NetWire RAT copies itself to AppData\Roaming\Install as Host.exe. It also adds itself to system startup through the registry to ensure persistence on the system.
Host.exe File Analysis
When the Host.exe copied to APPDATA is examined, it is found to be identical to the file named RFQ List 13052020.scr: it copies itself to the APPDATA directory as an exact copy, not as a different file. Although it is the same file, it behaves differently from RFQ List 13052020.scr because it checks its own file path and name; when the name is Host.exe and the path is in APPDATA, it runs different commands. It works with different parameters for different processes.
As the malware runs, it uses 4 different processes and 2 different parameters. Because of these parameters, the same file has different functions.
If it is not in the APPDATA directory and its file name is not Host.exe, it starts itself with the -m parameter and performs harmful activities such as logging and establishing a connection. If the malicious application is in the APPDATA directory and its file name is Host.exe, it performs these operations without parameters.
When it runs with the other parameter, it ensures that the application performing the harmful processes does not close: if the instance started directly with the -m parameter or via APPDATA has stopped running, it is restarted.
File Name: Host.exe
MD5: 72DD0F3D54F711E8F3C83A2F1B7CE6DC
SHA1: 4022218FC6956E0BF458E3DA091733D9676D738A
SHA256: 56CDF2F0ADFFCC195D95801F4F61DA727EDF5E6FE6BBBF0AC71462F733DF9DE9
Host.exe Behavior Analysis
When the Host.exe in APPDATA runs normally, it performs various harmful operations through functions and API calls. Two basic functions stand out among these.
The first function keeps a LOG by creating an encrypted file of the information obtained on the system. The log file is kept as AppData\Roaming\Logs\{DATE}. Sensitive data such as keyboard keystrokes and clipboard contents are kept encrypted in this log file.
The second main function is to connect the malware to the C&C server and to exfiltrate the sensitive data it has collected.
In addition to these two main functions, the malware performs the following harmful operations:
• Scanning the Windows registry,
• Scanning for monitors attached to the system,
• Running another executable,
• Running arbitrary commands on the system,
• Scanning the directories and files on the system,
• Obtaining the user's mail information,
• Obtaining the user's sensitive data from the browser.
By reading the registry, it can obtain the user's sensitive Outlook data. In the same way, it obtains the locations of the system's root directories that are kept in the registry under Shell Folders.
It also leaks the user data stored in various browsers, such as browser history, to the C&C servers.
The malware also creates a mutex object named "VLlPKtXt" on the system.
Network Analysis
The NetWire RAT constantly sends connection requests to port 1591 of the IP address 194[.]5.97[.]76, which is the C&C server. However, since the port is closed, the C&C server always answers with the RST flag.
Solution Proposals
- Use of up-to-date, reliable antivirus software on systems,
- Careful reading of incoming mails, and not opening their attachments without scanning them,
- Ignoring spam mails,
- Paying attention to phishing sites while browsing the internet,
- Installing the latest updates available for the operating system,
- Monitoring the processes and the network activity of the processes running on the system,
- Filtering the IP addresses, domains and other addresses of C&C servers that establish harmful connections on the network.
These measures can prevent the NetWire RAT Trojan from infecting and damaging the system.
YARA Rule
import "hash"

rule NetWire : RAT
{
    meta:
        description = "Netwire Banking Trojan"
        version = "NetWire v2.1 R5"
        first_date = "13.05.2020"
        report_date = "08.03.2020"
        file_name = "Host.exe"

    strings:
        $s1 = "P.rsrc" fullword
        $s2 = "P.reloc" fullword
        $s3 = "WWWWWWW$.c" fullword
        $s4 = ".db2" fullword
        $s5 = "3XE4PMyW7kL2Pql3uCjp08vI8TUiLn3TInCLUEnixJNRsbhpjQCO" fullword
        $s6 = "Host is down." fullword
        $s7 = "No route to host." fullword
        $s8 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" fullword
        $s9 = "rfDesktop" fullword
        $s10 = "SOFTWARE\\Borland\\Delphi\\RTL" fullword
        $s11 = "Software\\Borland\\Delphi\\Locales" fullword
        $s12 = "Software\\Borland\\Locales" fullword

    condition:
        hash.md5(0, filesize) == "72dd0f3d54f711e8f3c83a2f1b7ce6dc" or all of them
}
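The rule above matches either on the known MD5 or when all twelve strings occur as "fullword" matches, meaning each string must not be directly preceded or followed by an alphanumeric byte. The following pure-Python check is an added example, not part of the report and not a substitute for running YARA: it reproduces both branches of the condition so the semantics can be verified offline against constructed buffers (the two buffers below are constructed; the strings and the hash are copied from the rule).

```python
"""Pure-Python evaluation of the report's YARA rule condition.

Added example, not part of the original report and not a replacement for
YARA itself. It reproduces the two branches of the condition (a known MD5,
or all twelve strings present as fullword matches) so the semantics can be
checked offline against constructed buffers.
"""
import hashlib
import re

# Values copied from the report's YARA rule.
NETWIRE_MD5 = "72dd0f3d54f711e8f3c83a2f1b7ce6dc"
RULE_STRINGS = [
    b"P.rsrc",
    b"P.reloc",
    b"WWWWWWW$.c",
    b".db2",
    b"3XE4PMyW7kL2Pql3uCjp08vI8TUiLn3TInCLUEnixJNRsbhpjQCO",
    b"Host is down.",
    b"No route to host.",
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    b"rfDesktop",
    b"SOFTWARE\\Borland\\Delphi\\RTL",
    b"Software\\Borland\\Delphi\\Locales",
    b"Software\\Borland\\Locales",
]


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the string must not be directly preceded or followed
    by an alphanumeric byte, so a substring of a longer word does not count."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def missing_strings(data: bytes) -> list:
    """Rule strings that are absent (as fullwords) from the buffer."""
    return [s for s in RULE_STRINGS if not fullword_present(data, s)]


def matches_netwire_rule(data: bytes) -> bool:
    """hash.md5(0, filesize) == <known hash> or all of them."""
    if hashlib.md5(data).hexdigest() == NETWIRE_MD5:
        return True
    return not missing_strings(data)


# Constructed buffers: one with every string as a separate NUL-delimited word,
# and one where "rfDesktop" only appears glued to further letters.
ALL_STRINGS_BUFFER = b"\x00".join(RULE_STRINGS) + b"\x00"
GLUED_BUFFER = ALL_STRINGS_BUFFER.replace(b"\x00rfDesktop\x00", b"\x00rfDesktopWindow\x00")

if __name__ == "__main__":
    print(matches_netwire_rule(ALL_STRINGS_BUFFER))  # True
    print(missing_strings(GLUED_BUFFER))             # [b'rfDesktop']
```

The second buffer shows why "all of them" with fullword strings is stricter than a plain substring search: a sample that carries "rfDesktopWindow" but never "rfDesktop" on its own does not satisfy the string branch, and only the hash branch could still match it.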