NetWire Controllers Are Dropping COVID-19-Themed Decoy Files

May 18, 2020 | Mina Hao

With the outbreak of the COVID-19 pandemic around the world, trending hashtags related to the epidemic are flooding social media, attracting the attention of a number of international hacker groups, which have jumped at the chance to conduct social engineering with epidemic-themed decoy messages.

Recently, NSFOCUS found that NetWire controllers have begun delivering the trojan with the aid of COVID-19-themed decoy files.

NetWire, also known as NetWireRC or Recam, is a remote access trojan that was first spotted in 2012. It was used by Nigerian hackers to target enterprises. Over the years, the ever-evolving NetWire has given birth to multiple kill chains. Since 2019, this trojan has experienced a period of booming growth, spreading widely via phishing emails and web disks (cloud file-sharing links).

Overview

Some NetWire samples recently captured by NSFOCUS were found to use COVID-19-related content as bait for social engineering campaigns.

A victim will see the following content when opening an attachment in a malicious email:

The preceding figure shows the global distribution of the COVID-19 virus, with geographical errors.

In fact, this file exploits a Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to download and execute a malicious program, which ultimately runs NetWire on the victim’s host.

The following figure shows NetWire’s attack process:

First, the decoy Rich Text Format (RTF) file, when opened, obtains the address of the stage 2 payload via a short URL. Then, the payload is downloaded and executed; it injects the decrypted strings and shellcode into a Windows program, ieinstal.exe, for execution. After that, the shellcode accesses Google Drive and downloads NetWire into memory for execution. Finally, the NetWire variant connects to the command and control (C&C) server at the IP address 79.137.*.103.

Virus Analysis

RTF File

This decoy file contains highly obfuscated RTF code that could trigger the CVE-2017-11882 vulnerability.

After the vulnerability is triggered, execution jumps to shellcode which uses the common GlobalLock technique to locate the OLE stream object in memory. After that, execution jumps to the stage 2 shellcode inside that object. The stage 2 shellcode is also highly obfuscated.

Finally, the malicious shellcode embedded in the decoy document downloads and executes the content behind the short URL, bit.ly/2T*xW (which currently resolves to hxxp://www.asim*.com/new/Notepad.txt), before displaying the global COVID-19 map (a JPEG image) in the RTF document with Word.

Notepad.txt

The stage 2 payload, Notepad.txt, that is downloaded and executed by the malicious RTF file is a Visual Basic (VB) program. Its main job is to start the Windows program ieinstal.exe and inject the shellcode and the decrypted string configuration into it.

Upon execution, ieinstal.exe first creates the USER\Bagtaler4\ directory, then moves the main body of the malicious program into this directory under the name Samipat8.exe, and finally creates an autostart registry key to ensure persistence.

After that, the malicious program visits the hard-coded address hxxps://drive.google.com/uc?export=download&id=1kFK*Jz90 to download, decrypt, and execute NetWire, the final-stage payload.
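The stage 2 behaviour described above (ieinstal.exe dropping an executable under a Bagtaler4 directory, creating an autostart key, then fetching the final payload from Google Drive) is a useful detection chain for endpoint telemetry. The following is an added example, not code from the NSFOCUS report: it scores constructed telemetry events per process and only flags a process that triggers several of the behaviours, so that an ordinary browser download from Google Drive is not reported on its own. The report does not name the registry key, so a HKCU ...\CurrentVersion\Run value is assumed here; the Drive file id, user name and all events are constructed placeholders.

```python
# Added example, not from the NSFOCUS report: score endpoint telemetry for the
# stage-2 chain described in the text. Events are constructed; the registry
# key (CurrentVersion\Run) is an assumption, the Drive id is a placeholder.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # "file", "registry" or "network"
    process: str   # image name of the process that performed the action
    detail: str    # written path, registry key, or URL


def is_bagtaler_drop(ev: Event) -> bool:
    """An .exe written into a Bagtaler4 directory (the report's drop location)."""
    p = ev.detail.lower()
    return ev.kind == "file" and "\\bagtaler4\\" in p and p.endswith(".exe")


def is_autostart_key(ev: Event) -> bool:
    """Assumption: persistence is a value under ...\\CurrentVersion\\Run."""
    return ev.kind == "registry" and "\\currentversion\\run" in ev.detail.lower()


def is_drive_download(ev: Event) -> bool:
    """Direct-download fetch from Google Drive, as used for the final stage."""
    return ev.kind == "network" and ev.detail.lower().startswith(
        "https://drive.google.com/uc?export=download")


RULES = {
    "bagtaler_drop": is_bagtaler_drop,
    "autostart_key": is_autostart_key,
    "drive_download": is_drive_download,
}


def score(events) -> dict:
    """Map each process image name to the set of rule names it triggered."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev.process.lower()].add(name)
    return dict(hits)


def suspects(events, threshold: int = 2) -> list:
    """Processes that triggered at least `threshold` distinct rules. A lone
    Google Drive download (e.g. by a browser) is normal; combined with an exe
    drop and an autostart key it matches the chain in the report."""
    return sorted(p for p, names in score(events).items() if len(names) >= threshold)


EVENTS = [  # constructed telemetry, not captured from a real host
    Event("file", "ieinstal.exe", r"C:\Users\alice\Bagtaler4\Samipat8.exe"),
    Event("registry", "ieinstal.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Samipat8"),
    Event("network", "ieinstal.exe",
          "https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID"),
    Event("network", "chrome.exe",
          "https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID"),
    Event("file", "explorer.exe", r"C:\Users\alice\Downloads\report.pdf"),
]

if __name__ == "__main__":
    print(score(EVENTS))
    print("suspects:", suspects(EVENTS))
```

Requiring two or more distinct behaviours from the same process is the design choice worth keeping: each indicator alone (a Drive download, a new Run value) is common on a normal workstation, while the combination is specific to this loader.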

The following function is used during decryption:

The decryption logic applied here is XOR with a long key supplied by the shellcode. This long key is 0x24A bytes long and consists of a 0x100-byte key repeated (the last repetition is cut short, since 0x24A is not a multiple of 0x100). The long key is shown as follows:
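The following is an added example, not the report's own decryption routine and not the real key: it implements the repeating-key XOR scheme described above over constructed data. BASE_KEY is a constructed 0x100-byte stand-in, and the example also shows the analyst-side consequence of the key's structure: because the 0x24A-byte buffer is just the 0x100-byte key repeated, recovering the 256-byte period is enough to decrypt, and a period-finding helper confirms that structure from a key blob. Whether the real loader wraps at 0x24A or at 0x100 for payloads longer than 0x24A is not stated in the report; for anything up to 0x24A bytes the two are identical.

```python
# Added example (not from the NSFOCUS report): repeating-key XOR decryption of
# the kind described above. BASE_KEY is a constructed stand-in for the real
# 0x100-byte key, which is not reproduced here.
import hashlib

LONG_KEY_LEN = 0x24A   # length of the key buffer handed over by the shellcode (from the report)
PERIOD = 0x100         # length of the key repeated inside that buffer (from the report)

# Constructed stand-in key: deterministic pseudo-random bytes, 8 * 32 = 256.
BASE_KEY = b"".join(
    hashlib.sha256(b"constructed-netwire-demo-key-%d" % i).digest() for i in range(8))
assert len(BASE_KEY) == PERIOD

# Constructed stand-in for the encrypted final stage (longer than 0x24A bytes).
PLAINTEXT = b"MZ\x90\x00" + b"constructed stage-3 stand-in payload " * 20


def expand_key(base_key: bytes, length: int) -> bytes:
    """Build the long key the way the report describes it: the base key
    repeated until `length` bytes exist; the last repetition is truncated."""
    reps = length // len(base_key) + 1
    return (base_key * reps)[:length]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, cycling the key when data is longer than it.
    (Assumption: the loader cycles the key; the report does not say.)"""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_period(long_key: bytes) -> int:
    """Analyst helper: smallest p such that long_key is its first p bytes
    repeated. Confirms that a 0x24A-byte blob is really a 0x100-byte key."""
    for p in range(1, len(long_key) + 1):
        if all(long_key[i] == long_key[i % p] for i in range(len(long_key))):
            return p
    return len(long_key)


def demo() -> bytes:
    """Encrypt the constructed plaintext with the long key and decrypt it again."""
    long_key = expand_key(BASE_KEY, LONG_KEY_LEN)
    encrypted = xor_with_key(PLAINTEXT, long_key)
    # For the first 0x24A bytes, the 0x100-byte base key decrypts exactly as the
    # 0x24A-byte buffer does, so only 256 key bytes need to be extracted.
    assert xor_with_key(encrypted[:LONG_KEY_LEN], BASE_KEY) == PLAINTEXT[:LONG_KEY_LEN]
    return xor_with_key(encrypted, long_key)


if __name__ == "__main__":
    print("period of long key:", hex(recover_period(expand_key(BASE_KEY, LONG_KEY_LEN))))
    print("round trip ok:", demo() == PLAINTEXT)
```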


NetWire

Finally, the injected ieinstal program will load NetWire in memory.

This trojan connects to 79.137.*.103:39561, the address of a C&C server, and its communications with the server follow the format below:

Offset       Field
0x00~0x03    length
0x04         cmdbyte
0x05~        data

Packet payloads are encrypted with the Advanced Encryption Standard (AES). The encryption key and initialization vector (IV) are generated randomly when the trojan initializes and are sent to the C&C server in the first round of communication.

As shown in the preceding figure, the 32-byte key is highlighted in the red frame, the 16-byte IV in the orange frame, and the ciphertext in the green frame; the plaintext of that ciphertext is hardcoded in the trojan file.

Once it has received the encryption key from the trojan, the C&C server encrypts the payload of all subsequent communications with that key.

The NetWire trojan used in this example is a full-fledged one, supporting 57 commands for such actions as file operations, process operations, window operations, registry operations, reverse shell, traffic forwarding, input simulation, and user credential theft. The following table lists the directives supported by this trojan:

Code  Description
0x97  Obtains the foreground window name and idle time of the controlled end (heartbeat message).
0x9B  Obtains information about the controlled end, including the user name, computer name, and operating system version.
0x9C  Runs the specified program in the Temp directory.
0x9D  Executes the specified command line.
0x9F  Exits the program (disabling communication with the C&C server, releasing the mutex, and killing the process).
0xA0  Disables communication with the C&C server and enters the standby state.
0xA1  Cleans the registry and exits the program.
0xA2  Updates the registry key for NetWire.
0xA3  Downloads a program from a specified URL to the Temp directory and executes it.
0xA4  Obtains disk information.
0xA6  Obtains the time information of files in the specified directory.
0xA8  Obtains the properties and size of files in the specified directory.
0xAA  Terminates the directory traversal thread.
0xAB  Obtains the contents of a specified file.
0xAC  Writes into a marked file.
0xAD  Closes a marked file.
0xAE  Copies a file.
0xAF  Executes the specified command line in the main thread.
0xB0  Moves a file.
0xB1  Deletes a file.
0xB2  Creates a folder.
0xB3  Deletes a file or a folder.
0xB4  Obtains the name and properties of files in the specified directory.
0xB5  Closes a marked file.
0xB6  Creates a reverse shell.
0xB7  Writes to the reverse shell.
0xB8  Closes the reverse shell.
0xBA  Obtains details of the controlled end, including the processor, memory, and token.
0xBC  Obtains information about all login sessions.
0xBE  Obtains the process list and related information.
0xC0  Terminates the specified process.
0xC1  Obtains the window list.
0xC2  Performs the window operation selected by the instruction code:
        1. Closes a window.
        2. Hides a window.
        3. Displays a window.
        4. Sets the window title.
0xC3  Downloads a program from a specified URL to the specified directory and executes it.
0xC5  Simulates a key release (keyup).
0xC6  Simulates a key press (keydown).
0xC7  Releases a mouse button.
0xC8  Sets the cursor position and presses a mouse button.
0xC9  Takes a screenshot of the current screen.
0xCC  Obtains the trojan execution log file.
0xCE  Obtains the path and properties of the trojan execution log file.
0xCF  Deletes the specified trojan execution log.
0xD0  Obtains the specified trojan execution log.
0xD3  Obtains saved login information from a specified browser.
0xD4  Obtains saved login information from a specified browser.
0xD5  Obtains the Pidgin account profile.
0xD6  Obtains the Pidgin account profile.
0xD7  Obtains the default Outlook profile.
0xD8  Obtains the default Outlook profile.
0xD9  Forwards traffic to the specified address.
0xDF  Obtains the name and properties of files in the specified directory.
0xE2  Stops directory traversal.
0xE3  Compresses a specified file or directory.
0xE4  Obtains network information of the controlled host.
0xE5  Obtains traversal information of a specified registry key.
0xE7  Performs registry-related operations, such as creating or deleting a registry key or assigning a value to such a key.
0xE8  Obtains system information of the controlled end.
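For analysts writing traffic decoders or network detections, the packet format given above (4-byte length, 1-byte command, data) and the directive table can be combined into a small stream parser. The following is an added example, not code from the NSFOCUS report: it frames a byte stream into packets, labels each command byte from a subset of the directive table (the remaining codes from the table would be added the same way), and splits the first-round payload into the 32-byte key, the 16-byte IV and the ciphertext in the order the report's figure shows. Two details are assumptions, since the report does not state them: the length field is treated as little-endian and as counting the command byte plus data, and the command byte used for the first-round packet is simply chosen for the demo. All traffic below is constructed; AES itself is not implemented here.

```python
# Added example (not from the NSFOCUS report): parse the NetWire C&C framing
# described above and label commands from the directive table. Assumptions:
# little-endian length covering cmdbyte + data; first-round data = key (32) +
# IV (16) + ciphertext. All packets below are constructed for the demo.
import struct
from typing import Iterator, NamedTuple

DIRECTIVES = {  # subset of the table above; extend with the remaining codes
    0x97: "heartbeat: foreground window name and idle time",
    0x9B: "host info: user name, computer name, OS version",
    0x9C: "run program from Temp directory",
    0x9D: "execute command line",
    0x9F: "exit: close C&C channel, release mutex, kill process",
    0xA3: "download from URL to Temp and execute",
    0xB6: "create reverse shell",
    0xB7: "write to reverse shell",
    0xB8: "close reverse shell",
    0xC9: "take screenshot",
    0xD9: "forward traffic to address",
    0xE7: "registry operation (create/delete key, set value)",
}

HEADER = struct.Struct("<IB")  # 4-byte length (assumed little-endian) + cmdbyte
KEY_LEN, IV_LEN = 32, 16       # sizes given in the report


class Packet(NamedTuple):
    cmd: int
    data: bytes

    def describe(self) -> str:
        return DIRECTIVES.get(self.cmd, "unknown command 0x%02X" % self.cmd)


def build(cmd: int, data: bytes) -> bytes:
    """Frame one packet; used here only to construct demo traffic."""
    return HEADER.pack(1 + len(data), cmd) + data


def parse_stream(buf: bytes) -> Iterator[Packet]:
    """Split a TCP byte stream into packets, stopping cleanly on a truncated tail."""
    off = 0
    while off + HEADER.size <= len(buf):
        length, cmd = HEADER.unpack_from(buf, off)
        if length < 1:
            raise ValueError("length must at least cover the command byte")
        end = off + 4 + length
        if end > len(buf):
            break  # incomplete packet: wait for more data
        yield Packet(cmd, buf[off + HEADER.size:end])
        off = end


def split_first_round(data: bytes):
    """Key, IV and ciphertext from the first packet the trojan sends."""
    if len(data) < KEY_LEN + IV_LEN:
        raise ValueError("first-round payload too short for key + IV")
    return data[:KEY_LEN], data[KEY_LEN:KEY_LEN + IV_LEN], data[KEY_LEN + IV_LEN:]


def triage(stream: bytes) -> list:
    """(cmd, description[, key_hex, iv_hex, ciphertext_len]) per complete packet."""
    out = []
    for i, pkt in enumerate(parse_stream(stream)):
        if i == 0:
            key, iv, ct = split_first_round(pkt.data)
            out.append((pkt.cmd, pkt.describe(), key.hex(), iv.hex(), len(ct)))
        else:
            out.append((pkt.cmd, pkt.describe()))
    return out


# Constructed demo traffic: a first-round packet (command byte chosen for the
# demo; the real one is not given in the report) followed by a heartbeat.
DEMO_KEY = bytes(range(0x10, 0x30))   # 32 bytes, constructed
DEMO_IV = bytes(range(0xA0, 0xB0))    # 16 bytes, constructed
DEMO_CT = b"\x00" * 48                # placeholder ciphertext
DEMO_STREAM = build(0x9B, DEMO_KEY + DEMO_IV + DEMO_CT) + build(0x97, b"\x01\x02")

if __name__ == "__main__":
    for row in triage(DEMO_STREAM):
        print(row)
```

A parser like this is the natural place to hang a network detection: the key and IV travel in the clear in the first round, so a decoder that sees a fixed 5-byte header followed by 48 bytes of high-entropy data can extract them and then decrypt the rest of the session once the cipher mode is confirmed from the sample.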

Event Impact

Our correlation data shows that the malicious domain name used in this event was already delivering the NetWire trojan as early as October 2019, and that the web disk link used in this event remained available for two weeks after it was discovered on February 26, 2020. In addition, NetWire has delivered 25 web disk links this year alone, including links first used on January 9 that are still accessible today. All of this demonstrates the longevity of NetWire's infrastructure.

Arguably, the spread of COVID-19-themed decoy files marks a new period of activity for NetWire and the group behind it. Given NetWire's long-lived attack chains, email users will remain exposed to this trojan for quite some time.