Overview
Type: Trojan
Destruction Level: Moderate
Prevalence: Moderate
Malware names
- Trojan.Win32.NetWire.a (Padvish)
- Backdoor: Win32/Netwire.GG! MTB (Microsoft)
- A Variant Of Win32/Kryptik.HLLV (ESET-NOD32)
What is a Trojan?
Trojans are malware types that introduce themselves as healthy and legal software and act similarly to practical and applicable software but cause many destructions to the system when executing. The downloaded software from the internet, placing HTML text, attaching it to an email, etc. are ways that Trojans are using to enter the system. Contrary to viruses and computer worms, Trojans are not reproducible.
What is Netwire malware?
NetWire is a RAT that is designed to access the victim’s system remotely and monitor or control the infected system. This malware allows the attacker to remotely connect to the victim’s system and execute malicious code from its command and control server. The malware also monitors keystrokes, takes screenshots, steals passwords, and accesses webcams and microphones.
Technical Explanation
Signs of infection
1. Existence of file Host.exe on the way AppData% \ Install%
2. Create a registry survival to execute the file Host.exe
3. Existence of a file with a name and a template of DAY-MONTH-YEAR on AppData% / Roaming / Logs% path
Describing Performance
By running the malware, a file called “Host.exe ” will be created and executed on “AppData% \ Install \ Host.exe%”. NetWire creates its main key on the (HKCU \ SOFTWARE \ NetWire) registry path. So, the malware copy will run automatically when the infected system starts. As you can see in the following image, the malware has a unique identifier for the victim’s system called HostID-XXXXXX which is Registered in the registry.
Malware tries to extract user login data from web browsers such as Google Chrome And Brave Browser.
Also in the browser Internet Explorer, passwords are stored encrypted in the registry path below, which the attacker tries to access:
HKEY_CURRENT_USER \ Software \ Microsoft \ Internet Explorer \ IntelliForms \ Storage2
Another action of this malware is to scan the list of Microsoft Outlook profiles on the victim’s device to gather information.
The malware then seeks to use the victim’s sensitive information for malicious activities or gain financial profit by collecting and recording mouse movements and keyboard inputs as a potential source. NetWire saves the obtained data and information in a log file in the “% AppData% / Roaming / Logs ” path of the victim according to the date of infection.
The data in the file log are encrypted using an encryption algorithm. The longer the malware remains on the victim system, the larger the file, because it collects more data and information from the victim system.
NetWire will try to make a TCP connection with its remote server while gathering information. In the samples examined, it was found that this malware is constantly trying to communicate with the desired address on port 3382.
If this connection is successful, an attacker could transfer the captured data or perform other malicious actions such as downloading and executing additional malicious code. The address that the malware is trying to access is:
“automan [.] duckdns [.] org: 3382 “
How to deal with it and disinfect the system
Padvish Antivirus detects this malware and removes it from the system. To prevent this type of malware from entering the system, it is recommended to avoid clicking on suspicious links and be sure to scan the attachments of the emails before running. Also, if possible, always keep your operating system and antivirus up to date.