Tuesday, April 7, 2015

MMD-0031-2015 - What is NetWire (multi platform) RAT?

The background

There has been talk internally in our group about a RAT (Remote Access Trojan) that is commonly found and used by crooks, called "NetWire RAT". The discussion was about why this RAT is so commonly found in carding, POS and other hacking cases related to cyber-criminal activity, whether this RAT is really multi-platform, and so on.

In short, I think it will be good to post here a thorough reference for my friends, fellow researchers and industry, to help understand this threat (if not known yet) and to raise awareness among internet users of the existence of this malware (RAT family). This is a general write-up, and I will add more details later along with a more thorough check and investigation. Comments are welcome to add your vision of this threat. Enjoy!

The samples

Samples can be searched for in VirusTotal using the hashes below:


The origin

Below is the origin of this threat. It started in 2012, with the complete explanation from its malware author. I made a long picture of it, so please be patient with the download. Here we go:

Installation and howto

A how-to for this RAT, as explained by its author, is shown in the pictures below. Please click them one by one, in sequence.

Specific characteristic

Some characteristics from a reversing point of view are explained in this section as a quick overview; feel free to examine them deeper. I used the sample with hash 1931bcb54655ca2018fec60bf84776f7, which I believe is the latest I could find, and it is obviously the trial version of this RAT, as seen in the uploaded data below:

md5: 1931bcb54655ca2018fec60bf84776f7 
directory: %userprofile%\desktop\netwire-trial\
filename: doit.exe

Binary analysis in PEStudio

I'm a big fan and supporter of Marc's PEStudio; it detected this RAT pretty well. Below are the original indicators it spotted, to help you in analyzing this RAT:

Reversing & strings

Back connect

Back-connect functionality can be seen in the function below, using HTTP/1.0:

; start addr 0x40391C
; callback functions in HTTP/1.0

push    ebp
mov     ebp, esp
push    edi
push    esi
push    ebx
sub     esp, 22Ch
mov     esi, [ebp+arg_0]
mov     eax, [ebp+arg_8]
mov     [esp+238h+var_228], eax
mov     eax, [ebp+arg_4]
mov     [esp+238h+var_22C], eax
mov     [esp+238h+var_230], offset aConnectSDHttp1 ; "CONNECT %s:%d HTTP/1.0\n\n"
mov     [esp+238h+var_234], 200h
lea     ebx, [ebp+var_218]
mov     [esp+238h+var_238], ebx
call    0x4094C7
mov     edi, eax
mov     [esp+238h+var_22C], 0
mov     [esp+238h+var_230], eax
mov     [esp+238h+var_234], ebx
mov     [esp+238h+var_238], esi
call    send
sub     esp, 10h
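The format string at 0x40391C ("CONNECT %s:%d HTTP/1.0\n\n") is unusual for a legitimate client: HTTP/1.0, bare LF line endings and no headers at all. As an added example (not the author's code), the Python below turns that shape into a check over the leading bytes of an outbound proxy request, as a defender would pull them from a capture. The payloads and the verdict names are constructed for the demonstration.

```python
import re

# Constructed samples of the first bytes of an outbound TCP payload to a
# proxy (not real traffic). The first reproduces the RAT's format string
# from 0x40391C; the second is what a normal browser sends.
SAMPLE_PAYLOADS = {
    "rat_style": b"CONNECT 203.0.113.10:3360 HTTP/1.0\n\n",
    "browser_style": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "not_connect": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

# Exact shape seen in the binary: HTTP/1.0, LF-only line endings, no headers.
_RAT_CONNECT = re.compile(rb"\ACONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.0\n\n\Z")
# A standard CONNECT request line with CRLF, for comparison.
_STD_CONNECT = re.compile(rb"\ACONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def classify_connect(payload: bytes):
    """Return (verdict, host, port) for the leading bytes of a proxy request.

    verdict is 'netwire_shape', 'standard' or 'other'; host/port are the
    tunnel destination so an analyst can log where the RAT tried to go.
    """
    m = _RAT_CONNECT.match(payload)
    if m:
        return "netwire_shape", m.group(1).decode(), int(m.group(2))
    m = _STD_CONNECT.match(payload)
    if m:
        return "standard", m.group(1).decode(), int(m.group(2))
    return "other", None, None


def flag_payloads(payloads):
    """Names of payloads whose request matches the RAT's CONNECT shape."""
    return sorted(name for name, p in payloads.items()
                  if classify_connect(p)[0] == "netwire_shape")


if __name__ == "__main__":
    for name, p in SAMPLE_PAYLOADS.items():
        print(name, classify_connect(p))
```

The check only works on the raw bytes the implant emits; a proxy that rewrites requests before logging will not show the LF-only form.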

Download function

It uses HTTP/1.1 for the download function:

; in proc addr 0x4050F3 
; download functions in HTTP/1.1

mov     eax, [ebp+arg_0]
lea     edx, [eax+204h]
mov     [esp+868h+var_858], edx
mov     [esp+868h+var_85C], eax
mov     [esp+868h+var_860], offset aGetSHttp1_1Hos ; "GET %s HTTP/1.1\r\nHost: %s \r\nConnection:"...
mov     [esp+868h+var_864], 800h
lea     ebx, [ebp+var_818]
mov     [esp+868h+var_868], ebx
call    0x4094C7
xor     eax, eax
or      ecx, 0FFFFFFFFh
mov     edi, ebx
repne scasb
not     ecx
dec     ecx
mov     [esp+868h+var_85C], 0
mov     [esp+868h+var_860], ecx
mov     [esp+868h+var_864], ebx
mov     eax, [ebp+var_82C]
mov     [esp+868h+var_868], eax
call    send
sub     esp, 10h
mov     [esp+868h+var_864], offset aWb_0 ; "wb"
mov     eax, [ebp+arg_0]
add     eax, 408h
mov     [esp+868h+var_868], eax
call    fopen
mov     edi, eax
test    eax, eax


An attempt to gain access to the Windows OS shell (cmd.exe) is spotted after some checks of the environment are done, as below:

; shell was gained in here (cmd.exe)
; after checking environment
; function in addr 0x4056A0

push    ebp
mov     ebp, esp
push    edi
push    esi
push    ebx
sub     esp, 2CCh
mov     [esp+2D8h+var_2D8], offset aComspec ; "ComSpec"
call    getenv
mov     [esp+2D8h+var_2CC], eax
mov     [esp+2D8h+var_2D0], offset aS_0 ; "%s"
mov     [esp+2D8h+var_2D4], 204h
lea     ebx, [ebp+var_21C]
mov     [esp+2D8h+var_2D8], ebx
call    0x4094C7
mov     [esp+2D8h+var_2D8], ebx
call    0x4047A1
test    al, al
jnz     short 0x40570E
; in addr 0x40570E
mov     [esp+2D8h+var_2D8], offset aWindir ; "WINDIR"
call    getenv
mov     [esp+2D8h+var_2CC], eax
mov     [esp+2D8h+var_2D0], offset aSSystem32Cmd_e ; "%s\\system32\\cmd.exe"
mov     [esp+2D8h+var_2D4], 204h
mov     [esp+2D8h+var_2D8], ebx

Credential Grabber

The string list below is enough to describe what this RAT is aiming at:

.data:0x40FA03 SOFTWARE\\Mozilla\\%s\\ 
.data:0x40FA18 CurrentVersion 
.data:0x40FA27 SOFTWARE\\Mozilla\\%s\\%s\\Main
.data:0x40FA43 Install Directory
.data:0x40FA55 %s\\%s 
.data:0x40FA5B mozutils.dll 
.data:0x40FA68 mozglue.dll
.data:0x40FA74 mozsqlite3.dll 
.data:0x40FA83 Mozilla Firefox
.data:0x40FA93 APPDATA
.data:0x40FA9C %s\\Mozilla\\Firefox\\profiles.ini 
.data:0x40FABC %s\\Mozilla\\Firefox\\%s 
.data:0x40FAD2 Mozilla Thunderbird
.data:0x40FAE6 %s\\Thunderbird\\profiles.ini
.data:0x40FB02 %s\\Thunderbird\\%s
.data:0x40FB14 SeaMonkey
.data:0x40FB20 %s\\Mozilla\\SeaMonkey\\profiles.ini 
.data:0x40FB42 %s\\Mozilla\\SeaMonkey\\%s 
.data:0x40FB5A %s\\signons.sqlite 
.data:0x40FB6C NSS_Init 
.data:0x40FB75 PK11_GetInternalKeySlot
.data:0x40FB8D PK11_Authenticate
.data:0x40FB9F NSSBase64_DecodeBuffer 
.data:0x40FBB6 PK11SDR_Decrypt
.data:0x40FBC6 PK11_FreeSlot
.data:0x40FBD4 NSS_Shutdown 
.data:0x40FBE1 sqlite3_open 
.data:0x40FBEE sqlite3_close
.data:0x40FBFC sqlite3_prepare_v2 
.data:0x40FC0F sqlite3_step 
.data:0x40FC1C sqlite3_column_text
.data:0x40FC30 select *from moz_logins
.data:0x40FC4A %c%s\a%s\a%s\b\b\b\b 
.data:0x40FC59 %s\\Opera\\Opera\\wand.dat 
.data:0x40FC74 %s\\Opera\\Opera\\profile\\wand.dat
.data:0x40FC94 rb 
.data:0x40FC97 \b\b\b\b 
.data:0x40FC9C %s\\.purple\\accounts.xml
.data:0x40FCBF %d%s\a 
.data:0x40FCD7 %s\a 
.data:0x40FCDB advapi32.dll 
.data:0x40FCE8 CredEnumerateA 
.data:0x40FCF7 CredFree 
.data:0x40FD00 WindowsLive:name=* 
.data:0x40FD16 %d%s\a%ws\a
.data:0x40FD20 Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
.data:0x40FD9B Email
.data:0x40FDA1 POP3 User
.data:0x40FDAB POP3 Server
.data:0x40FDB7 POP3 Password
.data:0x40FDC5 IMAP User
.data:0x40FDCF IMAP Server
.data:0x40FDDB IMAP Password
.data:0x40FDE9 HTTP User
.data:0x40FDF3 HTTP Server
.data:0x40FDFF HTTP Password
.data:0x40FE0D SMTP User
.data:0x40FE17 SMTP Server
.data:0x40FE23 SMTP Password
.data:0x40FE94 Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2 
.data:0x40FEDE index.dat
.data:0x40FEE8 History
.data:0x40FEF0 Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
.data:0x40FF34 %s\\Google\\Chrome\\User Data\\Default\\Login Data 
.data:0x40FF64 %s\\Chromium\\User Data\\Default\\Login Data 
.data:0x40FFAC localhost
.data:0x40FFB6 USERNAME 
.data:0x40FFBF Unknown
.data:0x40FFC7 kernel32.dll 
.data:0x40FFD4 GetNativeSystemInfo
.data:0x40FFE8 SYSTEM\\CurrentControlSet\\Control\\ProductOptions 
.data:0x410018 ProductType
.data:0x410024 WINNT
.data:0x41002A LANMANNT 
.data:0x410033 SERVERNT 
.data:0x41003C %d 
.data:0x41003F GlobalMemoryStatusEx 
.data:0x410054 WINDIR 
.data:0x41005B PATH 
.data:0x410060 %s\a%s\a%s\a%I64u\a%I64u\a%I64u\a%s\a%s\a%s\a%s\a%d\a%s\a%d\a%s\a%d\a%s\a%d\a

Keystroke Mapping from remote operation

This one is also self-explanatory:

.data:0x41020C [Backspace]
.data:0x410218 [Enter]
.data:0x410220 [Tab]
.data:0x410226 [Arrow Left] 
.data:0x410233 [Arrow Up] 
.data:0x41023E [Arrow Right]
.data:0x41024C [Arrow Down] 
.data:0x410259 [Home] 
.data:0x410260 [Page Up]
.data:0x41026A [Page Down]
.data:0x410276 [End]
.data:0x41027C [Break]
.data:0x410284 [Delete] 
.data:0x41028D [Insert] 
.data:0x410296 [Print Screen] 
.data:0x4102A5 [Scroll Lock]
.data:0x4102B3 [Caps Lock]
.data:0x4102BF [Alt]
.data:0x4102C5 [Esc]
.data:0x4102CB [Ctrl+%c] 


I almost forgot this one:

.data:0x4100A5 SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\
.data:0x4100D4 SOFTWARE\\Microsoft\\Active Setup\\Installed Components
.data:0x41010F SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%s
.data:0x41014C StubPath 
The %s value looks like this:

There are many other functions too; please feel free to check them yourself, for practice :)

Signature and Prologue

To give a bit of an idea for mitigating and detecting this sample, I modified a sample filtration signature in Yara rule format, which can be accessed -->[here]. It is NOT an official Yara rule; I posted it here for example and research purposes, some code was trimmed for adjustment, and I may modify it for better detection later too.
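As an added example (not the Yara rule linked above and not the page's own code), the Python below shows the same idea as a file-triage check: it takes indicator strings from the credential grabber, keystroke and persistence listings above and only flags a file when strings from several capabilities co-occur, since a single string like "ComSpec" is common in benign software. The sample bytes are constructed, not a real binary, and the category threshold is my assumption.

```python
# Indicator strings taken from the .data listings above, grouped by the
# capability they belong to. IDA prints backslashes escaped; the bytes in
# the binary hold single backslashes, which is what b"\\" gives in Python.
INDICATORS = {
    "backconnect": [b"CONNECT %s:%d HTTP/1.0\n\n"],
    "shell": [b"ComSpec", b"%s\\system32\\cmd.exe"],
    "cred_theft": [b"select *from moz_logins", b"signons.sqlite",
                   b"WindowsLive:name=*", b"Login Data", b"wand.dat",
                   b"PK11SDR_Decrypt", b"POP3 Password", b"Storage2"],
    "persistence": [b"Active Setup\\Installed Components", b"StubPath"],
    "keylog": [b"[Backspace]", b"[Arrow Left]", b"[Print Screen]", b"[Ctrl+%c]"],
}


def scan_indicators(data: bytes) -> dict:
    """Return {capability: [matched strings]} for every indicator present."""
    hits = {}
    for cap, needles in INDICATORS.items():
        found = [n.decode("ascii", "replace") for n in needles if n in data]
        if found:
            hits[cap] = found
    return hits


def verdict(data: bytes, min_categories: int = 3) -> bool:
    """Flag when at least min_categories capabilities co-occur (assumed
    threshold); one lone string is not enough to call a file NetWire."""
    return len(scan_indicators(data)) >= min_categories


# Constructed stand-in for a file's bytes (not a real sample): a subset of
# the strings above padded with unrelated data.
CONSTRUCTED_SAMPLE = (
    b"\x00" * 64 + b"CONNECT %s:%d HTTP/1.0\n\n\x00"
    + b"%s\\system32\\cmd.exe\x00" + b"select *from moz_logins\x00"
    + b"SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%s\x00"
    + b"StubPath\x00" + b"[Arrow Left]\x00" + b"\x90" * 64
)
# Constructed benign-looking bytes that share one common string.
BENIGN_SAMPLE = b"ComSpec\x00" + b"hello world\x00" * 8

if __name__ == "__main__":
    print(scan_indicators(CONSTRUCTED_SAMPLE), verdict(CONSTRUCTED_SAMPLE))
    print(scan_indicators(BENIGN_SAMPLE), verdict(BENIGN_SAMPLE))
```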

PS: It's good to be back :-)

Kudos to researcher friends for the feedback, thank you!