The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over... Read More
October 16, 2019
Peeling the Netwire Onion
Recently, the Fidelis Threat Research Team (TRT) acquired and began analyzing a sample of Netwire (MITRE ATT&CK ID S0198). Netwire is a commercially available, multiplatform, remote administration tool (RAT) that has been around since at least 2012 (1).
While it is publicly available, actors will attempt to hide the malware using obfuscation. The Netwire payload observed for this report was under five layers of obfuscation making it harder for antivirus software detection, and thus showing an intent by adversaries to evade defensive measures. There have been reports of cyber-criminal and nation-state sponsored adversaries using Netwire, including APT33 (G0064 (2)), The White Company (G0089 (2)), and SilverTerrier (G0083 (2)).
Netwire is a commercially available malware.
Threat actors utilize multiple layers of obfuscation to evade A/V detection.
TRT assesses with moderate confidence that Netwire will increase in popularity with both low-level and well-resourced actors, based primarily on its ease of access.
The Netwire sample discussed in this blog was delivered via a phishing campaign (Figure 1).
Figure 1 Phishing Email
As stated above, this sample of the Netwire payload was hidden under fiver layers of obfuscation. It stores and starts with the obfuscated blob in the mutex (Figure 2).
Figure 2 Mutex
The first layer is a xor encoded blob that decodes to a second layer which is base 64 encoded blob (Figure 3).
Figure 3 XOR
The base64 decodes to a third layer which is a .net packer called Adderall Protector (Figure 4)
Figure 4 Base64
Adderall Protect injects a xor encoded payload (figure) into host.exe and starts process vbc.exe. So, if you are stepping through this, you will see the module “AuthenticationState” called before process vbc.exe is started (Figure 5). The PBD path was not stripped from the third layer “c:\Users\Administrator\AppData\Roaming\AdderallProtector\AuthenticationState.pdb” and as such we were able to identify it.
Figure 5 Modules
The injected code is the payload packed with .net packer called .NETGuard (version 4.5). The payload is Netwire and installs itself in %AppData%\Roaming\Install\Host.exe. Host.exe is actually command line visual basic compiler(vbc.exe) (Figure 6).
Figure 6 VBC
After all the .net obfuscation and packing, we get to the actual payload that is Netwire (Figure 7). Netwire is not .net and once you have the payload, you need to switch from using DNSpy to IDA pro for further analysis.
Figure 7 Netwire
Netwire will start by initializing global variables and window sockets by calling WAStratup (Figure 8).
Figure 8 WAStartup
If the file is not running from %AppData%\Instal\ as Host.exe, it will create the copy of itself there and run a child process from that location (Figure 9).
Figure 9 Install Folder
Next, the malware will de-obfuscate strings that it needs. Netwire contains a custom obfuscation to hide registry keys, APIs, DLL names, and other strings. Below is a python script to decode the strings manually (Figure 10). A python de-obfuscation script is included in the Appendix.
Figure 10 String Obfuscation
Netwire will go onto creating persistence by adding a registry key to start Host.exe at startup (Figure 11).
Figure 11 RegKey
The malware will call _begintheardex to start keylogging (Figure 12). Netwire also creates a “Logs” folder to store the collected data from the victim system. Additionally, it has the ability to delete itself and download a bat file to %temp% and run it.
Figure 12 Logging
It also creates a Host ID and logs the infection date and time (Figure 13).
Figure 13 Host ID
Netwire uses RC4 encryption with a hard coded 16-byte key for its configuration data. The key is located at a specific offset in the binary. Once the key is read. It will start the RC4 decryption process. Figure 14 below illustrated the process of creating the Rc4 init sbox. Figure 15 illustrates the decryption process.
Figure 14 Rc4 init sbox
Figure 15 Decryption process
Netwire uses AES to encrypt the command and control traffic. The initial packet will send a 32 byte value along with 16 byte IV value. The client uses the static password specified on its configuration data along with the 32 byte value seed to generate the AES key. The C2 server then generates the client session key, which is needed to generate the keys for communication, unfortunately the server was down at the time of analysis (Figure 16). However, after the C2 servers generates the keys, further communications send information about the victim system such as: current user, computer name, operating system version, current time, and victim IP.
Figure 16 PCAP
Based off current observations and analysis, Netwire is assessed to be a moderate threat. While it is being used by nation-state sponsored and cyber criminals, it’s not yet as widespread as Emotet or NanoCore. Due to its usage, it is also believed that the developers most likely keep up to date with bugs and capability improvements. Netwire’s growth in popularity over the last couple months, and its commercial availability, also leads TRT analysts to assess with moderate confidence that this malware will increase in popularity with both low-level and well-resourced actors.
As Netwire has been seen being delivered via phishing campaigns, it is recommended, as always, that email vigilance and proper security awareness be practiced in order to limit compromise by adversaries leveraging Netwire.
Python Deobfuscation for strings
key = “_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C”
obf_str = “MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6″
Deofb_str = ”
for letter in obf_str:
index1 = key.find(letter) #give index number of each char that is in str obf_str
k_len = len(key) #find length
index1_plus_6 = [ndex1 + 6] #takes index number that index1 is currently at and adds 6
index = index1_plus_6 #stores what is currently at key plus 6(stores line 9)
if index > k_len: # do this if index out of range
out_of_range_val = int(index) & int(‘3f’, 16 ) #index out of range check
k_key = key[out_of_range_val]
Deofb_str += k_key
else: # do this if index in range
if letter == ‘\\’: #skip \
Deofb_str += letter
decoded = key[index1 + 6] #add 6 to index1 and show the letter
Deofb_str += decoded
uint16(0) == 0x5a4d and 10 of ($str*) and 5 of ($fmtstr*) and any of ($rc4_opcode*)
Assessment Writing Styles and Meanings
Confidence is a judgment based on three factors:
1. Strength of knowledge base, to include the quality of the sources and our depth of understanding about the issue
2. Number and importance of assumptions used to fill information gaps
3. Strength of logic underpinning the argument, which encompasses the number and strength of analytic inferences as well as the rigor of the analytic methodology in the product
HIGH: Well-corroborated information from proven sources, minimal assumptions, and/or strong logical inferences
MODERATE: Partially corroborated information from good sources, several assumptions, and/or mixture of strong and weak inferences
LOW: Uncorroborated information from good or marginal sources, many assumptions, and/or mostly weak inferences
(n.d.). Retrieved from https://www.worldwiredlabs.com/clients/announcements/51/NetWire-v20-R1.html
(n.d.). Retrieved from https://attack.mitre.org/software/S0198/
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.