
S0198 NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[3][2][1]

Item Value
ID S0198
Associated Names
Type MALWARE
Version 1.5
Created 18 April 2018
Last Modified 26 March 2023

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols NETWIRE has the ability to communicate over HTTP.[4][6]
enterprise T1010 Application Window Discovery NETWIRE can discover and close windows on controlled systems.[4]
enterprise T1560 Archive Collected Data NETWIRE has the ability to compress archived screenshots.[4]
enterprise T1560.003 Archive via Custom Method NETWIRE has used a custom encryption algorithm to encrypt collected data.[5]
enterprise T1119 Automated Collection NETWIRE can automatically archive collected data.[4]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder NETWIRE creates a Registry start-up entry to establish persistence.[2][4][7][6]
enterprise T1547.013 XDG Autostart Entries NETWIRE can use XDG Autostart Entries to establish persistence.[4]
enterprise T1547.015 Login Items NETWIRE can persist via startup options for Login Items.[4]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell The NETWIRE binary has been executed via a PowerShell script.[5]
enterprise T1059.003 Windows Command Shell NETWIRE can issue commands using cmd.exe.[4][6]
enterprise T1059.004 Unix Shell NETWIRE has the ability to use /bin/bash and /bin/sh to execute commands.[4][6]
enterprise T1059.005 Visual Basic NETWIRE has been executed through the use of VBScripts.[5][6]
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent NETWIRE can use launch agents for persistence.[4]
enterprise T1555 Credentials from Password Stores NETWIRE can retrieve passwords from messaging and mail client applications.[4]
enterprise T1555.003 Credentials from Web Browsers NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.[5][4][6]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.[5]
enterprise T1573 Encrypted Channel NETWIRE can encrypt C2 communications.[4]
enterprise T1573.001 Symmetric Cryptography NETWIRE can use AES encryption for C2 data transferred.[4]
enterprise T1083 File and Directory Discovery NETWIRE has the ability to search for files on the compromised host.[6]
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories NETWIRE can copy itself to and launch itself from hidden folders.[4]
enterprise T1105 Ingress Tool Transfer NETWIRE can download payloads from C2 to the compromised host.[5][6]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging NETWIRE can perform keylogging.[2][1][5][4][6]
enterprise T1036 Masquerading -
enterprise T1036.001 Invalid Code Signature The NETWIRE client has been signed by fake and invalid digital certificates.[2]
enterprise T1036.005 Match Legitimate Name or Location NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.[4]
enterprise T1112 Modify Registry NETWIRE can modify the Registry to store its configuration information.[4]
enterprise T1106 Native API NETWIRE can use Native API functions including CreateProcess, GetProcessById, and WriteProcessMemory.[5]
enterprise T1095 Non-Application Layer Protocol NETWIRE can use TCP in C2 communications.[4][7]
enterprise T1027 Obfuscated Files or Information NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.[5]
enterprise T1027.002 Software Packing NETWIRE has used .NET packer tools to evade detection.[4]
enterprise T1027.011 Fileless Storage NETWIRE can store its configuration information in the Registry under HKCU:\Software\Netwire.[4]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment NETWIRE has been spread via e-mail campaigns utilizing malicious attachments.[7][6]
enterprise T1566.002 Spearphishing Link NETWIRE has been spread via e-mail campaigns utilizing malicious links.[7]
enterprise T1057 Process Discovery NETWIRE can discover processes on compromised hosts.[5]
enterprise T1055 Process Injection NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.[4]
enterprise T1055.012 Process Hollowing The NETWIRE payload has been injected into benign Microsoft executables via process hollowing.[5][4]
enterprise T1090 Proxy NETWIRE can implement the use of proxies to pivot traffic.[4]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.003 Cron NETWIRE can use crontabs to establish persistence.[4]
enterprise T1053.005 Scheduled Task NETWIRE can create a scheduled task to establish persistence.[5]
enterprise T1113 Screen Capture NETWIRE can capture the victim's screen.[2][5][4][6]
enterprise T1082 System Information Discovery NETWIRE can discover and collect victim system information.[2]
enterprise T1016 System Network Configuration Discovery NETWIRE can collect the IP address of a compromised host.[4][6]
enterprise T1049 System Network Connections Discovery NETWIRE can capture session logon details from a compromised host.[5]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link NETWIRE has been executed by convincing victims to click malicious links.[5][7]
enterprise T1204.002 Malicious File NETWIRE has been executed by luring victims into opening malicious documents.[5][7][6]
enterprise T1102 Web Service NETWIRE has used web services including Paste.ee to host payloads.[5]

Groups That Use This Software

ID Name References
G0064 APT33 [3][1]
G0083 SilverTerrier [8]
G0089 The White Company [9]

References