NetWire Controllers Are Dropping COVID-19-Themed Decoy Files

NetWire Controllers Are Dropping COVID-19-Themed Decoy Files

May 18, 2020 | Mina Hao

With the outbreak of the COVID-19 pandemic around the world, trending hashtags related to the epidemic are flooding social media, attracting attention of a number of international hacker organizations, which jump at the chance to conduct social engineering based on decoy messages.

Recently, NSFCOUS found that NetWire controllers began to drop the trojan with the aid of decoy files concerning COVID-19.

NetWire, also known as NetWireRC or Recam, is a remote access trojan that was first spotted in 2012. It was used by Nigerian hackers to target enterprises. Over the years, the ever-evolving NetWire has given birth to multiple kill chains. Since 2019, this trojan has experienced a period of booming growth, spreading wildly via phishing emails and web disks.

Overview

Some NetWire samples captured by NSFOCUS recently are found to contain COVID-19-related information for social engineering campaigns.

A victim will see the following content when opening an attachment in a malicious email:

The preceding figure shows the global distribution of the COVID-19 virus, with geographical errors.

In fact, this file contains a Microsoft Office Equation vulnerability (CVE-2017-11882) which could be exploited to download and execute a malicious program, leading to NetWire execution on the victim’s host.

The following figure shows NetWire’s attack process:

First, the bait Rich Text Format (RTF) file runs to obtain the address of stage 2 payload via a short URL. Then, the payload will be downloaded and executed, injecting the decrypted strings and shellcode into a Windows program, ieinstal.exe, for execution. After that, the shellcode will access Google Drive and download NetWire to memory for execution. Finally, the NetWire variant will connect to the command and control (C&C) server with the IP address of 79.137.*.103.

Virus Analysis

RTF File

This decoy file contains highly obfuscated RTF code that could trigger the CVE-2017-11882 vulnerability.

After the vulnerability is triggered, the program will jump to shellcode which uses the common idea of GlobalLock to determine the position of the OLE stream object. After that, the program jumps to stage 2 shellcode in the object. Also, the stage 2 shellcode is highly obfuscated.

Finally, the malicious shellcode included in the decoy document downloads and executes the contents indicated in the short URL, bit.ly/2TxW (currently parsed into hxxp://www.asim.com/new/Notepad.txt), before displaying the global COVID-19 map (a JPEG image) in the RTF document with Word.

Notepad.txt

The stage 2 payload, Notepad.txt, that is downloaded and executed by the malicious RTF file is a Visual Basic (VB) program. This program is mainly used to start and inject shellcode and decrypted configurations of the string type into the Windows program, ieinstal.exe.

ieinstal.exe, upon execution, will first create the USER\Bagtaler4\ directory, then move the main body of the malicious program to this directory and name it Samipat8.exe, and finally create an autostart registry key to ensure persistence.

After that, the malicious program will visit the hard-coded address, hxxps://drive.google.com/uc?export=download&id=1kFK*Jz90, to download, decrypt, and execute NetWire, the payload in the final stage.

The following function is used during decryption:

The decryption logic applied here is XOR decryption with a long key which is provided by shellcode. The long key in question has a length of 0x24A bytes consisting of a repeated key of 0x100 bytes. The long key is shown as follows:

076C3D0F54873230F1AE34A2E026CB21DCF06F35280A6456C631AAC7B4EEFD46B0B7E516FC8DDA379AF9DDA94471746B843A183BD1110D5C6E7C53CE19F4A64D58BD4A60A5D83F8142FF85F3ED771C722D41C042795BB5A71782FBD4C1FB4E9701C4F2674DDEE888EB062EFA95C2C5BCD547698C22625EADBFCDA41F6A45F79EA90E9BB1F6E590D24F50D6003EC829C33A921193CAAC06B424D30825124C9FE80E1543B89E2F38D9F8577F4BE6CFD2C9E298BADD2FB3AFFECCDAB12CBB5248EFB61BECBE0336E1DFA0A127518F197A148BE31EE4D7B9130575245976639DF0F55F669409AB3C892A49A8D09C3720231A33E9C7EA8004BC0B1D2B027D0CA35540076C3D0F54873230F1AE34A2E026CB21DCF06F35280A6456C631AAC7B4EEFD46B0B7E516FC8DDA379AF9DDA94471746B843A183BD1110D5C6E7C53CE19F4A64D58BD4A60A5D83F8142FF85F3ED771C722D41C042795BB5A71782FBD4C1FB4E9701C4F2674DDEE888EB062EFA95C2C5BCD547698C22625EADBFCDA41F6A45F79EA90E9BB1F6E590D24F50D6003EC829C33A921193CAAC06B424D30825124C9FE80E1543B89E2F38D9F8577F4BE6CFD2C9E298BADD2FB3AFFECCDAB12CBB5248EFB61BECBE0336E1DFA0A127518F197A148BE31EE4D7B9130575245976639DF0F55F669409AB3C892A49A8D09C3720231A33E9C7EA8004BC0B1D2B027D0CA35540076C3D0F54873230F1AE34A2E026CB21DCF06F35280A6456C631AAC7B4EEFD46B0B7E516FC8DDA379AF9DDA94471746B843A183BD1110D5C6E7C53CE19F4A64D58BD4A60A5D83F8142FF

NetWire

Finally, the injected ieinstal program will load NetWire in memory.

This trojan connects to 9.137.*.103:39561, the address of a C&C server, and their communications follow the format below:

0x00~0x030x040x05~
lengthcmdbytedata

The payload of packets uses the Advanced Encryption Standard (AES) encryption. The encryption key and initialization vector (IV) will be generated randomly during the initialization of the trojan and will be passed to the C&C server during the first round of communication.

As shown in the preceding figure, the 32-byte key is highlighted in the red frame, 16-byte IV in the orange frame, and ciphertext in the green frame whose plaintext is hardcoded in the trojan file.

When receiving the encryption key provided by the trojan, the C&C server encrypts the payload with the key before conducting subsequent communications with the trojan.

The NetWire trojan used in this example is a full-fledged one with support for 57 kinds of command used for such actions as file operations, process operations, window operations, registry operations, reverse shell, traffic forwarding, input simulation, and user credential theft. The following table lists the directives supported by this trojan:

0x97Obtains the frontend window name and standby time of the controlled end (heartbeat message).
0x9BObtains information about the controlled end, including the user name, computer name, and operating system version.
0x9CRuns the specified program in the Temp directory.
0x9DExecutes the specified command line.
0x9FExits the programs (disabling the communication with the C&C server, releasing the mutex, and killing the process).
0xA0Disables the communication with the C&C server and enters the standby state.
0xA1Cleans the registry and exits the program.
0xA2Updates the registry key for NetWire.
0xA3Downloads the program from a specific URL to the Temp directory and executes it.
0xA4Obtains disk information.
0xA6Obtains the time information of files in the specified directory.
0xA8Obtains the properties and size of files in the specified directory.
0xAATerminates the directory traversal thread.
0xABObtains contents of a specified file.
0xACWrites into a marked file.
0xADCloses a marked file.
0xAECopies a file.
0xAFExecutes the specified command line in the main thread.
0xB0Moves a file.
0xB1Deletes a file.
0xB2Creates a folder.
0xB3Deletes a file or a folder.
0xB4Obtains the name and properties of files in the specified directory.
0xB5Closes a marked file.
0xB6Creates reverse shell.
0xB7Writes reverse shell.
0xB8Closes reverse shell.
0xBAObtains details of the controlled end, including the processor, memory, and token.
0xBCObtains information about all login sessions.
0xBEObtains the process list and related information.
0xC0Terminates the specified process.
0xC1Obtains the window list.
0xC2Performs window-related operations that are specified with the instruction code: 1. Closes a window. 2. Hides a window. 3. Displays a window. 4. Sets the window title.
0xC3Downloads the program from a specific URL to the specified directory and executes it.
0xC5Simulates keyup.
0xC6Simulates keydown.
0xC7Releases a mouse button.
0xC8Sets the cursor position and presses a mouse button.
0xC9Takes a screenshot of the current screen.
0xCCObtains the trojan execution log file.
0xCEObtains the path and properties of the trojan execution log file.
0xCFDeletes the specified trojan execution log.
0xD0Obtains the specified trojan execution log.
0xD3Obtains information about login via a specified browser.
0xD4Obtains information about login via a specified browser.
0xD5Obtains the Pidgin account profile.
0xD6Obtains the Pidgin account profile.
0xD7Obtains the default Outlook profile.
0xD8Obtains the default Outlook profile.
0xD9Forwards traffic to the specified address.
0xDFObtains the name and properties of files in the specified directory.
0xE2Stops directory traversal.
0xE3Compresses a specified file or directory.
0xE4Obtains network information of the controlled host.
0xE5Obtains traversal information of a specified registry key.
0xE7Performs registry-related operations, such as creating or deleting a registry key or assigning a value to such a key.
0xE8Obtains system information of the controlled end.

Event Impact

Our correlative data shows that the malicious domain name used in this event released the NetWire trojan as early as October 2019 and the web disk link used in this event has been available for two weeks since it was discovered on February 26, 2020. In addition, NetWire has delivered 25 web disk links in this year alone, including the ones that are still accessible today as they were on January 9. All of these prove the longevity of NetWire.

Arguably, the spread of the COVID-19-themed decoy files marks a new activity period for NetWire and the group behind it. Due to long-lived attack chains of NetWire, email users will be exposed to the threat of this trojan for quite a long time.