In enterprise attack wave, NetWire Trojan now buries itself in disk image files

Enterprise companies are being targeted by a business email scam harnessing the Trojan.


A new NetWire RAT campaign has been spotted that uses fake disk image attachments loaded with malware in business email scams.

The NetWire Remote Access Trojan (RAT) is key to this latest threat to enterprise players. First spotted in 2012, the RAT has undergone a constant cycle of evolution and upgrades by its developers as the malware is offered commercially in underground forums.

According to IBM X-Force researchers Megan Roddie and Limor Kessem, the Trojan has been connected to a wide range of campaigns "that range from cybercrime endeavors by Nigerian scammers to advanced persistent threat (APT) attacks."


In 2017, AlienVault researchers said that NetWire was the second most common Trojan threatening enterprise networks, coming just behind NjRat, a RAT focused on targets in the Middle East. 

However, the latest Business Email Compromise (BEC) scam uses a new technique -- crafted, malicious disk image files sent as email attachments in order to circumvent existing security controls.

Many BEC scams follow the same pattern. Messages are sent that masquerade as legitimate corporate queries or requests which contain links to fraudulent domains or documents that use macros as a means to deploy malware. Simple disk image attachments, however, are not as common and may not be recognized as fake so readily. 

In a blog post on Tuesday, the team said the .img files are being sent from a small number of threat actors apparently from Germany. In one case, the file was named "Sales_Quotation_SQUO00001760.img," and once opened, it would extract an executable containing NetWire. 


Upon execution, the first task on NetWire's list is to maintain persistence, achieved by task scheduling. Registry keys are also stored to facilitate the transfer of stolen information to the malware's command-and-control (C2) server over TCP port 3012.
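The behaviours described above (a disk image attachment being opened, persistence through task scheduling, and C2 traffic on TCP port 3012) can be correlated from endpoint telemetry. The following is an added detection example, not code from the article or from IBM X-Force; the log format, field names and sample records are constructed for the example, and the thresholds are assumptions. It generalises slightly by also flagging .iso images.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified Sysmon-like key=value format
# (event 1 = process creation, event 3 = network connection). Not real telemetry.
SAMPLE_LOG = r"""
host=WS01 event=1 image=C:\Windows\explorer.exe cmdline="explorer Sales_Quotation_SQUO00001760.img"
host=WS01 event=1 image=E:\Sales_Quotation.exe cmdline="E:\Sales_Quotation.exe"
host=WS01 event=1 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe /sc onlogon"
host=WS01 event=3 image=C:\Users\u\AppData\Roaming\svc.exe dst=203.0.113.7 dport=3012 proto=tcp
host=WS02 event=1 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Backup /tr C:\Backup\bk.exe /sc daily"
host=WS02 event=3 image="C:\Program Files\App\app.exe" dst=198.51.100.9 dport=443 proto=tcp
"""

# key=value pairs where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Turn one key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def classify(rec):
    """Return the set of indicator names a single record satisfies."""
    hits = set()
    image = rec.get("image", "").lower()
    cmdline = rec.get("cmdline", "").lower()
    if rec.get("event") == "1":
        # A disk image (.img, or .iso as a generalisation) handed to a process.
        if re.search(r"\.(img|iso)\b", cmdline):
            hits.add("disk_image_opened")
        # Persistence via the task scheduler.
        if image.endswith("schtasks.exe") and "/create" in cmdline:
            hits.add("scheduled_task_created")
    elif rec.get("event") == "3":
        # Outbound TCP to port 3012, the C2 port named in the article.
        if rec.get("proto") == "tcp" and rec.get("dport") == "3012":
            hits.add("c2_tcp_3012")
    return hits

def correlate(log_text):
    """Collect the distinct indicators seen per host, sorted for stable output."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            per_host[rec["host"]] |= classify(rec)
    return {host: sorted(inds) for host, inds in per_host.items()}

def alerts(log_text, min_indicators=2):
    """Hosts showing at least min_indicators distinct behaviours (assumed threshold)."""
    return sorted(h for h, inds in correlate(log_text).items() if len(inds) >= min_indicators)

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
    print("alert on:", alerts(SAMPLE_LOG))
```

A single scheduled-task creation (WS02) is routine admin activity and stays below the threshold; only the host combining several of the article's behaviours is raised.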

The malware is able to steal system information, download and execute additional payloads, read Internet histories, harvest credentials including those used by browsers and email clients, install keyloggers, and simulate both keyboard and mouse operations.

It is likely that the latest campaign is financially motivated, as most BEC scams are. IBM has suggested that in this campaign it is likely local fraudsters who have bought into the commercially available Trojan in order to rob victims.


"While most financially motivated cybercrime is the work of larger, organized crime groups, smaller factions are still very much in business, and they too target businesses to compromise bank accounts and steal money by using commercially available malware year-round," the researchers added. 

Attribution is difficult given the malware's commercial nature; however, clues found in the code's strings have been written in what appears to be Indonesian.

Over January, cybersecurity experts from Zscaler and Positive Technologies documented the upgrade of FTCODE, a PowerShell-based strain of ransomware which has been recently refreshed with email and browser credential-stealing capabilities. 
