S0198 NETWIRE
NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[3][2][1]
Item | Value |
---|---|
ID | S0198 |
Associated Names | |
Type | MALWARE |
Version | 1.5 |
Created | 18 April 2018 |
Last Modified | 26 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | NETWIRE has the ability to communicate over HTTP.[4][6] |
enterprise | T1010 | Application Window Discovery | NETWIRE can discover and close windows on controlled systems.[4] |
enterprise | T1560 | Archive Collected Data | NETWIRE has the ability to compress archived screenshots.[4] |
enterprise | T1560.003 | Archive via Custom Method | NETWIRE has used a custom encryption algorithm to encrypt collected data.[5] |
enterprise | T1119 | Automated Collection | NETWIRE can automatically archive collected data.[4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | NETWIRE creates a Registry start-up entry to establish persistence.[2][4][7][6] |
enterprise | T1547.013 | XDG Autostart Entries | NETWIRE can use XDG Autostart Entries to establish persistence.[4] |
enterprise | T1547.015 | Login Items | NETWIRE can persist via startup options for Login items.[4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | The NETWIRE binary has been executed via PowerShell script.[5] |
enterprise | T1059.003 | Windows Command Shell | NETWIRE can issue commands using cmd.exe.[4][6] |
enterprise | T1059.004 | Unix Shell | NETWIRE has the ability to use /bin/bash and /bin/sh to execute commands.[4][6] |
enterprise | T1059.005 | Visual Basic | NETWIRE has been executed through use of VBScripts.[5][6] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.001 | Launch Agent | NETWIRE can use launch agents for persistence.[4] |
enterprise | T1555 | Credentials from Password Stores | NETWIRE can retrieve passwords from messaging and mail client applications.[4] |
enterprise | T1555.003 | Credentials from Web Browsers | NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.[5][4][6] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.[5] |
enterprise | T1573 | Encrypted Channel | NETWIRE can encrypt C2 communications.[4] |
enterprise | T1573.001 | Symmetric Cryptography | NETWIRE can use AES encryption for C2 data transferred.[4] |
enterprise | T1083 | File and Directory Discovery | NETWIRE has the ability to search for files on the compromised host.[6] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | NETWIRE can copy itself to and launch itself from hidden folders.[4] |
enterprise | T1105 | Ingress Tool Transfer | NETWIRE can download payloads from C2 to the compromised host.[5][6] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | NETWIRE can perform keylogging.[2][1][5][4][6] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.001 | Invalid Code Signature | The NETWIRE client has been signed by fake and invalid digital certificates.[2] |
enterprise | T1036.005 | Match Legitimate Name or Location | NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.[4] |
enterprise | T1112 | Modify Registry | NETWIRE can modify the Registry to store its configuration information.[4] |
enterprise | T1106 | Native API | NETWIRE can use Native API including CreateProcess, GetProcessById, and WriteProcessMemory.[5] |
enterprise | T1095 | Non-Application Layer Protocol | NETWIRE can use TCP in C2 communications.[4][7] |
enterprise | T1027 | Obfuscated Files or Information | NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.[5] |
enterprise | T1027.002 | Software Packing | NETWIRE has used .NET packer tools to evade detection.[4] |
enterprise | T1027.011 | Fileless Storage | NETWIRE can store its configuration information in the Registry under HKCU:\Software\Netwire.[4] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | NETWIRE has been spread via e-mail campaigns utilizing malicious attachments.[7][6] |
enterprise | T1566.002 | Spearphishing Link | NETWIRE has been spread via e-mail campaigns utilizing malicious links.[7] |
enterprise | T1057 | Process Discovery | NETWIRE can discover processes on compromised hosts.[5] |
enterprise | T1055 | Process Injection | NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.[4] |
enterprise | T1055.012 | Process Hollowing | The NETWIRE payload has been injected into benign Microsoft executables via process hollowing.[5][4] |
enterprise | T1090 | Proxy | NETWIRE can implement use of proxies to pivot traffic.[4] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.003 | Cron | NETWIRE can use crontabs to establish persistence.[4] |
enterprise | T1053.005 | Scheduled Task | NETWIRE can create a scheduled task to establish persistence.[5] |
enterprise | T1113 | Screen Capture | NETWIRE can capture the victim's screen.[2][5][4][6] |
enterprise | T1082 | System Information Discovery | NETWIRE can discover and collect victim system information.[2] |
enterprise | T1016 | System Network Configuration Discovery | NETWIRE can collect the IP address of a compromised host.[4][6] |
enterprise | T1049 | System Network Connections Discovery | NETWIRE can capture session logon details from a compromised host.[5] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | NETWIRE has been executed through convincing victims into clicking malicious links.[5][7] |
enterprise | T1204.002 | Malicious File | NETWIRE has been executed through luring victims into opening malicious documents.[5][7][6] |
enterprise | T1102 | Web Service | NETWIRE has used web services including Paste.ee to host payloads.[5] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0064 | APT33 | [3][1] |
G0083 | SilverTerrier | [8] |
G0089 | The White Company | [9] |
References
1. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
2. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
3. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
4. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
5. Maniath, S. and Kadam, P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
6. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
7. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
8. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
9. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.