NetWire is an old remote access tool, commonly used in 2012, that has recently been taking part in phishing campaigns delivered by email.
Its purpose is to steal credentials, log keystrokes and send anything useful to the attacker back to its C2.
Fun fact: according to IBM X-Force IRIS, this malware has been seen in APT attacks and in the hands of Nigerian scammers, and it can be bought on the dark web for $40 to $180 depending on the marketplace.
- Credential stealer
- Remote Access Tool
General file information
CAPE analysis: here
Any Run analysis: here
Hybrid Analysis: here
MITRE NetWire malware: here
The malicious file is an excel document that asks the user to enable macros.
There is not much to say beyond how the macro downloads the payload and executes it.
The image below shows the content of the second sheet; from it we extracted the URLs and paths that the macro uses to download and install the payload.
To avoid detection, the strings containing the URL and the additional parameters are built by concatenating one character at a time, and the resulting strings are then passed to the CALL function at the end of the sheet.
Below are the deobfuscated strings and the calls that create two directories, download the payload and execute it.
Lastly, the downloaded PNG is an executable packed with NSIS and can be extracted with 7zip.
The PNG in the picture has something interesting (most likely NetWire) appended after its final byte:
At this point we knew that the malicious executable was being extracted and read from this PNG, but we had no idea how to analyse it, since the debugger crashed every time.
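A defender can triage this kind of carrier file without a debugger by walking the PNG chunk list and checking whether anything follows the IEND chunk. The script below is an added example, not part of the original post or the NetWire sample; it constructs its own minimal PNG and appends a constructed marker, so the offset and trailer it reports are for that test input only.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(blob: bytes):
    """Walk the PNG chunks; return (offset, bytes) of any data after IEND.

    Returns (None, b"") when the file ends exactly at the IEND chunk.
    Raises ValueError if the chunk structure is malformed or truncated.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            break
    return (pos if pos < len(blob) else None), blob[pos:]


def classify_trailer(trailer: bytes) -> str:
    """Label the appended data; an 'MZ' prefix points at an embedded PE."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"MZ"):
        return "appended PE executable"
    return "appended unknown data"


def build_png(payload: bytes = b"") -> bytes:
    """Constructed test input: a valid 1x1 PNG with optional data after IEND."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + payload


if __name__ == "__main__":
    sample = build_png(b"MZ\x90\x00constructed-marker")  # constructed, not the real payload
    offset, trailer = png_trailing_data(sample)
    print(f"trailing data at offset {offset}: {classify_trailer(trailer)}")
```

Run it against the real carrier by reading the file into `png_trailing_data`; the offset it reports is where to carve the embedded executable from.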