With the outbreak of the COVID-19 pandemic around the world, trending hashtags related to the epidemic are flooding social media, attracting attention of a number of international hacker organizations, which jump at the chance to conduct social engineering based on decoy messages.
Recently, NSFCOUS found that NetWire controllers began to drop the trojan with the aid of decoy files concerning COVID-19.
NetWire, also known as NetWireRC or Recam, is a remote access trojan that was first spotted in 2012. It was used by Nigerian hackers to target enterprises. Over the years, the ever-evolving NetWire has given birth to multiple kill chains. Since 2019, this trojan has experienced a period of booming growth, spreading wildly via phishing emails and web disks.
Overview
Some NetWire samples captured by NSFOCUS recently are found to contain COVID-19-related information for social engineering campaigns.
A victim will see the following content when opening an attachment in a malicious email:
The preceding figure shows the global distribution of the COVID-19 virus, with geographical errors.
In fact, this file contains a Microsoft Office Equation vulnerability (CVE-2017-11882) which could be exploited to download and execute a malicious program, leading to NetWire execution on the victim’s host.
The following figure shows NetWire’s attack process:
First, the bait Rich Text Format (RTF) file runs to obtain the address of stage 2 payload via a short URL. Then, the payload will be downloaded and executed, injecting the decrypted strings and shellcode into a Windows program, ieinstal.exe, for execution. After that, the shellcode will access Google Drive and download NetWire to memory for execution. Finally, the NetWire variant will connect to the command and control (C&C) server with the IP address of 79.137.*.103.
Virus Analysis
RTF File
This decoy file contains highly obfuscated RTF code that could trigger the CVE-2017-11882 vulnerability.
After the vulnerability is triggered, the program will jump to shellcode which uses the common idea of GlobalLock to determine the position of the OLE stream object. After that, the program jumps to stage 2 shellcode in the object. Also, the stage 2 shellcode is highly obfuscated.
Finally, the malicious shellcode included in the decoy document downloads and executes the contents indicated in the short URL, bit.ly/2TxW (currently parsed into hxxp://www.asim.com/new/Notepad.txt), before displaying the global COVID-19 map (a JPEG image) in the RTF document with Word.
Notepad.txt
The stage 2 payload, Notepad.txt, that is downloaded and executed by the malicious RTF file is a Visual Basic (VB) program. This program is mainly used to start and inject shellcode and decrypted configurations of the string type into the Windows program, ieinstal.exe.
ieinstal.exe, upon execution, will first create the USER\Bagtaler4\ directory, then move the main body of the malicious program to this directory and name it Samipat8.exe, and finally create an autostart registry key to ensure persistence.
After that, the malicious program will visit the hard-coded address, hxxps://drive.google.com/uc?export=download&id=1kFK*Jz90, to download, decrypt, and execute NetWire, the payload in the final stage.
The following function is used during decryption:
The decryption logic applied here is XOR decryption with a long key which is provided by shellcode. The long key in question has a length of 0x24A bytes consisting of a repeated key of 0x100 bytes. The long key is shown as follows:
076C3D0F54873230F1AE34A2E026CB21DCF06F35280A6456C631AAC7B4EEFD46B0B7E516FC8DDA379AF9DDA94471746B843A183BD1110D5C6E7C53CE19F4A64D58BD4A60A5D83F8142FF85F3ED771C722D41C042795BB5A71782FBD4C1FB4E9701C4F2674DDEE888EB062EFA95C2C5BCD547698C22625EADBFCDA41F6A45F79EA90E9BB1F6E590D24F50D6003EC829C33A921193CAAC06B424D30825124C9FE80E1543B89E2F38D9F8577F4BE6CFD2C9E298BADD2FB3AFFECCDAB12CBB5248EFB61BECBE0336E1DFA0A127518F197A148BE31EE4D7B9130575245976639DF0F55F669409AB3C892A49A8D09C3720231A33E9C7EA8004BC0B1D2B027D0CA35540076C3D0F54873230F1AE34A2E026CB21DCF06F35280A6456C631AAC7B4EEFD46B0B7E516FC8DDA379AF9DDA94471746B843A183BD1110D5C6E7C53CE19F4A64D58BD4A60A5D83F8142FF85F3ED771C722D41C042795BB5A71782FBD4C1FB4E9701C4F2674DDEE888EB062EFA95C2C5BCD547698C22625EADBFCDA41F6A45F79EA90E9BB1F6E590D24F50D6003EC829C33A921193CAAC06B424D30825124C9FE80E1543B89E2F38D9F8577F4BE6CFD2C9E298BADD2FB3AFFECCDAB12CBB5248EFB61BECBE0336E1DFA0A127518F197A148BE31EE4D7B9130575245976639DF0F55F669409AB3C892A49A8D09C3720231A33E9C7EA8004BC0B1D2B027D0CA35540076C3D0F54873230F1AE34A2E026CB21DCF06F35280A6456C631AAC7B4EEFD46B0B7E516FC8DDA379AF9DDA94471746B843A183BD1110D5C6E7C53CE19F4A64D58BD4A60A5D83F8142FFNetWire
Finally, the injected ieinstal program will load NetWire in memory.
This trojan connects to 9.137.*.103:39561, the address of a C&C server, and their communications follow the format below:
| 0x00~0x03 | 0x04 | 0x05~ |
| length | cmdbyte | data |
The payload of packets uses the Advanced Encryption Standard (AES) encryption. The encryption key and initialization vector (IV) will be generated randomly during the initialization of the trojan and will be passed to the C&C server during the first round of communication.
As shown in the preceding figure, the 32-byte key is highlighted in the red frame, 16-byte IV in the orange frame, and ciphertext in the green frame whose plaintext is hardcoded in the trojan file.
When receiving the encryption key provided by the trojan, the C&C server encrypts the payload with the key before conducting subsequent communications with the trojan.
The NetWire trojan used in this example is a full-fledged one with support for 57 kinds of command used for such actions as file operations, process operations, window operations, registry operations, reverse shell, traffic forwarding, input simulation, and user credential theft. The following table lists the directives supported by this trojan:
| 0x97 | Obtains the frontend window name and standby time of the controlled end (heartbeat message). |
| 0x9B | Obtains information about the controlled end, including the user name, computer name, and operating system version. |
| 0x9C | Runs the specified program in the Temp directory. |
| 0x9D | Executes the specified command line. |
| 0x9F | Exits the programs (disabling the communication with the C&C server, releasing the mutex, and killing the process). |
| 0xA0 | Disables the communication with the C&C server and enters the standby state. |
| 0xA1 | Cleans the registry and exits the program. |
| 0xA2 | Updates the registry key for NetWire. |
| 0xA3 | Downloads the program from a specific URL to the Temp directory and executes it. |
| 0xA4 | Obtains disk information. |
| 0xA6 | Obtains the time information of files in the specified directory. |
| 0xA8 | Obtains the properties and size of files in the specified directory. |
| 0xAA | Terminates the directory traversal thread. |
| 0xAB | Obtains contents of a specified file. |
| 0xAC | Writes into a marked file. |
| 0xAD | Closes a marked file. |
| 0xAE | Copies a file. |
| 0xAF | Executes the specified command line in the main thread. |
| 0xB0 | Moves a file. |
| 0xB1 | Deletes a file. |
| 0xB2 | Creates a folder. |
| 0xB3 | Deletes a file or a folder. |
| 0xB4 | Obtains the name and properties of files in the specified directory. |
| 0xB5 | Closes a marked file. |
| 0xB6 | Creates reverse shell. |
| 0xB7 | Writes reverse shell. |
| 0xB8 | Closes reverse shell. |
| 0xBA | Obtains details of the controlled end, including the processor, memory, and token. |
| 0xBC | Obtains information about all login sessions. |
| 0xBE | Obtains the process list and related information. |
| 0xC0 | Terminates the specified process. |
| 0xC1 | Obtains the window list. |
| 0xC2 | Performs window-related operations that are specified with the instruction code: 1. Closes a window. 2. Hides a window. 3. Displays a window. 4. Sets the window title. |
| 0xC3 | Downloads the program from a specific URL to the specified directory and executes it. |
| 0xC5 | Simulates keyup. |
| 0xC6 | Simulates keydown. |
| 0xC7 | Releases a mouse button. |
| 0xC8 | Sets the cursor position and presses a mouse button. |
| 0xC9 | Takes a screenshot of the current screen. |
| 0xCC | Obtains the trojan execution log file. |
| 0xCE | Obtains the path and properties of the trojan execution log file. |
| 0xCF | Deletes the specified trojan execution log. |
| 0xD0 | Obtains the specified trojan execution log. |
| 0xD3 | Obtains information about login via a specified browser. |
| 0xD4 | Obtains information about login via a specified browser. |
| 0xD5 | Obtains the Pidgin account profile. |
| 0xD6 | Obtains the Pidgin account profile. |
| 0xD7 | Obtains the default Outlook profile. |
| 0xD8 | Obtains the default Outlook profile. |
| 0xD9 | Forwards traffic to the specified address. |
| 0xDF | Obtains the name and properties of files in the specified directory. |
| 0xE2 | Stops directory traversal. |
| 0xE3 | Compresses a specified file or directory. |
| 0xE4 | Obtains network information of the controlled host. |
| 0xE5 | Obtains traversal information of a specified registry key. |
| 0xE7 | Performs registry-related operations, such as creating or deleting a registry key or assigning a value to such a key. |
| 0xE8 | Obtains system information of the controlled end. |
Event Impact
Our correlative data shows that the malicious domain name used in this event released the NetWire trojan as early as October 2019 and the web disk link used in this event has been available for two weeks since it was discovered on February 26, 2020. In addition, NetWire has delivered 25 web disk links in this year alone, including the ones that are still accessible today as they were on January 9. All of these prove the longevity of NetWire.
Arguably, the spread of the COVID-19-themed decoy files marks a new activity period for NetWire and the group behind it. Due to long-lived attack chains of NetWire, email users will be exposed to the threat of this trojan for quite a long time.
