NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.^[1]^[2]^[3]

ID: S0198

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows, Linux, macOS

Contributors: Tony Lambert, Red Canary

Version: 1.6

Created: 18 April 2018

Last Modified: 20 September 2023

Techniques Used

Domain	ID		Name	Use
Enterprise	T1555		从密码存储中获取凭证	NETWIRE can retrieve passwords from messaging and mail client applications.^[4]
		.003	Credentials from Web Browsers	NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.^[5]^[4]^[6]
Enterprise	T1090		代理	NETWIRE can implement use of proxies to pivot traffic.^[4]
Enterprise	T1036	.001	伪装: Invalid Code Signature	The NETWIRE client has been signed by fake and invalid digital certificates.^[2]
		.005	伪装: Match Legitimate Name or Location	NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.^[4]
Enterprise	T1112		修改注册表	NETWIRE can modify the Registry to store its configuration information.^[4]
Enterprise	T1543	.001	创建或修改系统进程: Launch Agent	NETWIRE can use launch agents for persistence.^[4]
Enterprise	T1573		加密通道	NETWIRE can encrypt C2 communications.^[4]
		.001	Symmetric Cryptography	NETWIRE can use AES encryption for C2 data transferred.^[4]
Enterprise	T1547	.001	启动或登录自动启动执行: Registry Run Keys / Startup Folder	NETWIRE creates a Registry start-up entry to establish persistence.^[2]^[4]^[7]^[6]
		.013	启动或登录自动启动执行: XDG Autostart Entries	NETWIRE can use XDG Autostart Entries to establish persistence on Linux systems.^[4]
		.015	启动或登录自动启动执行: Login Items	NETWIRE can persist via startup options for Login items.^[4]
Enterprise	T1059	.001	命令与脚本解释器: PowerShell	The NETWIRE binary has been executed via PowerShell script.^[5]
		.003	命令与脚本解释器: Windows Command Shell	NETWIRE can issue commands using cmd.exe.^[4]^[6]
		.004	命令与脚本解释器: Unix Shell	NETWIRE has the ability to use `/bin/bash` and `/bin/sh` to execute commands.^[4]^[6]
		.005	命令与脚本解释器: Visual Basic	NETWIRE has been executed through use of VBScripts.^[5]^[6]
Enterprise	T1113		屏幕捕获	NETWIRE can capture the victim's screen.^[2]^[5]^[4]^[6]
Enterprise	T1071	.001	应用层协议: Web Protocols	NETWIRE has the ability to communicate over HTTP.^[4]^[6]
Enterprise	T1010		应用窗口发现	NETWIRE can discover and close windows on controlled systems.^[4]
Enterprise	T1560		归档收集数据	NETWIRE has the ability to compress archived screenshots.^[4]
		.003	Archive via Custom Method	NETWIRE has used a custom encryption algorithm to encrypt collected data.^[5]
Enterprise	T1074	.001	数据分段: Local Data Staging	NETWIRE has the ability to write collected data to a file created in the `./LOGS` directory.^[5]
Enterprise	T1083		文件和目录发现	NETWIRE has the ability to search for files on the compromised host.^[6]
Enterprise	T1106		本机API	NETWIRE can use Native API including `CreateProcess` `GetProcessById`, and `WriteProcessMemory`.^[5]
Enterprise	T1027		混淆文件或信息	NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.^[5]
		.002	Software Packing	NETWIRE has used .NET packer tools to evade detection.^[4]
		.011	Fileless Storage	NETWIRE can store its configuration information in the Registry under `HKCU:\Software\Netwire`.^[4]
Enterprise	T1204	.001	用户执行: Malicious Link	NETWIRE has been executed through convincing victims into clicking malicious links.^[5]^[7]
		.002	用户执行: Malicious File	NETWIRE has been executed through luring victims into opening malicious documents.^[5]^[7]^[6]
Enterprise	T1082		系统信息发现	NETWIRE can discover and collect victim system information.^[2]
Enterprise	T1049		系统网络连接发现	NETWIRE can capture session logon details from a compromised host.^[5]
Enterprise	T1016		系统网络配置发现	NETWIRE can collect the IP address of a compromised host.^[4]^[6]
Enterprise	T1102		网络服务	NETWIRE has used web services including Paste.ee to host payloads.^[5]
Enterprise	T1119		自动化收集	NETWIRE can automatically archive collected data.^[4]
Enterprise	T1105		输入工具传输	NETWIRE can downloaded payloads from C2 to the compromised host.^[5]^[6]
Enterprise	T1056	.001	输入捕获: Keylogging	NETWIRE can perform keylogging.^[2]^[3]^[5]^[4]^[6]
Enterprise	T1057		进程发现	NETWIRE can discover processes on compromised hosts.^[5]
Enterprise	T1055		进程注入	NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.^[4]
		.012	Process Hollowing	The NETWIRE payload has been injected into benign Microsoft executables via process hollowing.^[5]^[4]
Enterprise	T1566	.001	钓鱼: Spearphishing Attachment	NETWIRE has been spread via e-mail campaigns utilizing malicious attachments.^[7]^[6]
		.002	钓鱼: Spearphishing Link	NETWIRE has been spread via e-mail campaigns utilizing malicious links.^[7]
Enterprise	T1564	.001	隐藏伪装: Hidden Files and Directories	NETWIRE can copy itself to and launch itself from hidden folders.^[4]
Enterprise	T1095		非应用层协议	NETWIRE can use TCP in C2 communications.^[4]^[7]
Enterprise	T1053	.003	预定任务/作业: Cron	NETWIRE can use crontabs to establish persistence.^[4]
		.005	预定任务/作业: Scheduled Task	NETWIRE can create a scheduled task to establish persistence.^[5]

Groups That Use This Software

ID	Name	References
G0089	The White Company	^[8]
G0064	APT33	^[1]^[3]
G0083	SilverTerrier	^[9]
G1018	TA2541	^[10]^[5]

References

O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.

NETWIRE

Enterprise Layer

Techniques Used

Groups That Use This Software

References