Seth Goodwin, Salim Bitam

NETWIRE Dynamic Configuration Extraction

A tool for the dynamic extraction of NETWIRE configurations based on emulation.

Key takeaways

  • NETWIRE has shown an increase in prevalence over the last year
  • Elastic Security Labs created an extractor that pulls configuration data out of NETWIRE files and memory dumps by targeting the functions the malware uses to decrypt its encrypted configuration
  • The NETWIRE extractor is freely available for download

To download the NETWIRE configuration extractor, check out our post on the tool:

Preamble

NETWIRE is a Remote Access Tool (RAT) that has been used since at least 2014. It is a publicly available commodity malware and has been observed being used by financially motivated and nation-state actors.

In the second half of 2022, we noticed an uptick in the prevalence of NETWIRE usage in our telemetry data. This prompted the Elastic Security Labs team to develop a configuration extractor to assist the security community in collecting atomic indicators within the configurations. Using this extractor will support threat tracking and improve detection, prevention, and response times.

Extractor

The NETWIRE RAT uses the RC4 symmetric cipher to protect its configuration. The encrypted configuration values are stored in the .data section together with the 16-byte RC4 key used to decrypt them.

While reversing our samples, we noticed that for both the crypto::rc4_init_sbox and crypto::rc4_decrypt functions, the second argument (#2 in the image below) is always the memory address of the encrypted configuration value, and the third argument (#3) is an immediate value written to the stack before the call that represents the size of the encrypted string.

The calls also occur back to back. This is what lets us structure the extractor to look for these functions sequentially.

With $key (from the above image) in mind, we created YARA rules to identify the location of the key and encrypted configuration values.

![YARA rule section that identifies the key and encrypted configuration](/assets/images/netwire-dynamic-configuration-extraction/image5.jpg)

With this information, the extractor proceeds as follows:

  1. Locate the function responsible for decrypting the configuration using YARA.

  2. Disassemble the function using Capstone.

  3. Extract the RC4 key address and the encrypted configuration field addresses.

  4. Extract the size of the configuration field.

  5. RC4 decrypt the encrypted fields and rebuild the configuration.

![RC4 decrypting the configuration](/assets/images/netwire-dynamic-configuration-extraction/image5.jpg)
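The script below is an added example written for this article; it is not the extractor's own code and not Elastic's. It walks the five steps above on a constructed x86 image: a byte pattern with a capture group stands in for the YARA rule, a minimal hand-written decoder (three instruction forms) stands in for Capstone, and the calling convention is assumed to be GCC-style, with arguments stored to [esp], [esp+4] and [esp+8] before each call. The image is treated as flat at base 0x400000, so addresses become offsets by subtraction; the field names, their order and the encrypted values are constructed for the demo and are not NETWIRE's real layout.

```python
import re
import struct
from typing import Dict, Iterator, List, Tuple

IMAGE_BASE = 0x400000   # assumed: the constructed image is treated as mapped at this base
KEY_LEN = 16            # RC4 key length stated in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Unmodified RC4 (KSA + PRGA); symmetric, so it both builds and decrypts the sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode(code: bytes, start: int) -> Iterator[Tuple[int, str, tuple]]:
    """Minimal x86-32 decoder standing in for Capstone: it knows only the
    'store argument to [esp+N]' and 'call rel32' forms used by the constructed call sites."""
    off = start
    while off < len(code):
        op = code[off]
        if op == 0xC7 and code[off + 1:off + 3] == b"\x04\x24":      # mov dword [esp], imm32
            yield off, "mov", (0, struct.unpack_from("<I", code, off + 3)[0])
            off += 7
        elif op == 0xC7 and code[off + 1:off + 3] == b"\x44\x24":    # mov dword [esp+disp8], imm32
            yield off, "mov", (code[off + 3], struct.unpack_from("<I", code, off + 4)[0])
            off += 8
        elif op == 0xE8:                                             # call rel32 -> target offset
            yield off, "call", (off + 5 + struct.unpack_from("<i", code, off + 1)[0],)
            off += 5
        elif op == 0xC3:                                             # ret ends the routine
            return
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {off:#x}")


# Byte-pattern stand-in for the YARA rule: an rc4_init_sbox call site whose size
# argument is the 16-byte key length; the capture group is the key address ($key).
INIT_SBOX_SITE = re.compile(
    rb"\xC7\x44\x24\x08\x10\x00\x00\x00"   # mov [esp+8], 16      (#3: key length)
    rb"\xC7\x44\x24\x04(.{4})"             # mov [esp+4], key_va  (#2: key address)
    rb"\xC7\x04\x24.{4}"                   # mov [esp],   sbox
    rb"\xE8.{4}", re.DOTALL)               # call rc4_init_sbox


def extract_config(image: bytes, field_names: List[str]) -> Dict[str, str]:
    m = INIT_SBOX_SITE.search(image)
    if m is None:
        raise ValueError("decryption routine not found")
    key_off = struct.unpack("<I", m.group(1))[0] - IMAGE_BASE
    key = image[key_off:key_off + KEY_LEN]
    # Walk the routine, remembering the last value stored in each stack slot; a call
    # consumes the slots as its arguments (arg1 at [esp], arg2 at +4, arg3 at +8).
    calls, slots = [], {}
    for _, mnem, ops in decode(image, m.start()):
        if mnem == "mov":
            slots[ops[0]] = ops[1]
        else:
            calls.append((ops[0], dict(slots)))
            slots.clear()
    if len({t for t, _ in calls[0::2]}) != 1:
        raise ValueError("expected alternating rc4_init_sbox / rc4_decrypt calls")
    config = {}
    for name, (_, args) in zip(field_names, calls[1::2]):   # every second call decrypts a field
        off, size = args[4] - IMAGE_BASE, args[8]
        config[name] = rc4(key, image[off:off + size]).decode("latin-1")
    return config


def build_sample() -> Tuple[bytes, List[str]]:
    """Constructed image: .text at offset 0, .data at 0x1000 holding the key then the fields.
    Field names and order are hypothetical, not NETWIRE's real layout."""
    key = bytes(range(0x10, 0x20))
    fields = [("host_id", b"HostId-ABC123"), ("c2", b"192.0.2.10:3360;"),
              ("mutex", b"zXk9-mutex"), ("password", b"Password1")]
    init_va, decrypt_va, sbox_va = 0x400800, 0x400900, 0x407000  # callee stubs / S-box buffer
    data, text = bytearray(key), bytearray()
    for _, plain in fields:
        field_va = IMAGE_BASE + 0x1000 + len(data)
        data += rc4(key, plain)
        for a2, a3, target in ((IMAGE_BASE + 0x1000, KEY_LEN, init_va), (field_va, len(plain), decrypt_va)):
            text += b"\xC7\x44\x24\x08" + struct.pack("<I", a3)
            text += b"\xC7\x44\x24\x04" + struct.pack("<I", a2)
            text += b"\xC7\x04\x24" + struct.pack("<I", sbox_va)
            text += b"\xE8" + struct.pack("<i", target - (IMAGE_BASE + len(text) + 5))
    text += b"\xC3"
    return bytes(text).ljust(0x1000, b"\x00") + bytes(data), [n for n, _ in fields]


if __name__ == "__main__":
    image, names = build_sample()
    print(extract_config(image, names))
```

The key-length immediate (16) is what makes the init_sbox call site distinctive, which mirrors how $key anchors the real rule; the decrypt call that follows each init call carries the field address and size, so alternating through the call list reproduces the back-to-back structure the post relies on. Against a real unmapped binary, the address-to-offset step would go through the section table instead of a fixed base.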

Once we have recreated the configuration, we can use the extractor to pull out several parameters used by NETWIRE, as well as a few basic file characteristics:

  • Active Setup Key : Active Setup registry key to achieve persistence.
  • C2 IP list : List of command and control (C2) server domains or IP addresses.
  • Host ID : A unique identifier that is assigned to the infected machine.
  • Installation path : The location where the malware will be installed.
  • Keylogger logs directory : The location where the keylogging log file will be stored.
  • Mutex : Mutex name, to create a synchronization object to ensure only one instance of the sample is running on the machine.
  • Password : Static password used to derive the AES key that encrypts communication between the malware and the C2 server.
  • Run registry key entry : Name of the entry in the run registry, used for persistence.
  • Sleep in seconds : The amount of time the malware sleeps.

The configuration extractor accepts four parameters:

  • -f : specify a single NETWIRE sample
  • -d : specify a directory of NETWIRE samples
  • -o : write the configuration in JSON format to the specified file
  • --all-config : print the unparsed raw decrypted configuration

Analysis

We’ve used this extractor to examine a set of samples from the previous 180 days to extract indicators for further enrichment and analysis.

Our initially collected batch of samples was a mixture of executable files and memory dumps. The extractor only works on unmapped files, so the dumps, which were already mapped, were run through pe_unmapper.

A payload extracted from memory is a memory-mapped image: its sections sit at their virtual addresses, but the section headers still carry the on-disk "Raw Address" and "Raw Size" values, so those fields no longer point at each section's data. To realign the PE file, the pointer to raw data must be adjusted to match the virtual address for every section.
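As an added example (not pe_unmapper's code and not part of the original post), here is the single header fix-up the paragraph describes, in Python with only the standard library. It parses the section table, shows that an RVA lookup through a dump's unchanged headers lands on the wrong bytes, then rewrites PointerToRawData and SizeOfRawData to match VirtualAddress and VirtualSize. The PE32 image it operates on (two sections) is constructed inline.

```python
import struct
from typing import Optional, Tuple

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)


def _align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def _section_table(pe: bytes) -> Tuple[int, int, int]:
    """Return (offset of first section header, section count, offset of optional header)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24
    return opt + opt_size, nsec, opt


def rva_to_offset(pe: bytes, rva: int) -> Optional[int]:
    """File offset of an RVA according to the section table, as a file parser computes it."""
    first, nsec, _ = _section_table(pe)
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, first + SECTION_HDR * i + 8)
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def unmap_pe(dump: bytes) -> bytes:
    """Realign a memory-mapped dump: make every section's raw pointer/size equal its
    virtual address/size (rounded to SectionAlignment) and set FileAlignment to match.
    This is only the header fix-up the post describes; pe_unmapper does more."""
    out = bytearray(dump)
    first, nsec, opt = _section_table(out)
    sec_align = struct.unpack_from("<I", out, opt + 32)[0]   # same offset in PE32 and PE32+
    struct.pack_into("<I", out, opt + 36, sec_align)         # FileAlignment := SectionAlignment
    for i in range(nsec):
        hdr = first + SECTION_HDR * i
        vsize, va = struct.unpack_from("<II", out, hdr + 8)
        # SizeOfRawData, PointerToRawData
        struct.pack_into("<II", out, hdr + 16, _align_up(vsize, sec_align), va)
    return bytes(out)


def build_dump() -> bytes:
    """Constructed PE32 image as it sits in memory: headers, .text at RVA 0x1000, .data at
    RVA 0x2000, while the section headers still carry the on-disk raw pointers (0x400, 0x600)."""
    img = bytearray(0x2100)
    img[:2] = b"MZ"
    pe_off = 0x80
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, 224-byte optional header, executable image
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = pe_off + 24
    struct.pack_into("<H", img, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [(b".text", 0x200, 0x1000, 0x200, 0x400),
                (b".data", 0x100, 0x2000, 0x200, 0x600)]
    for i, fields in enumerate(sections):
        struct.pack_into("<8sIIII", img, opt + 224 + SECTION_HDR * i, *fields)
    img[0x1000:0x1004] = b"\xC3\x90\x90\x90"              # code at its mapped address
    img[0x2000:0x2010] = bytes(range(0x10, 0x20))         # 16-byte RC4 key at its mapped address
    return bytes(img)


if __name__ == "__main__":
    dump = build_dump()
    print(hex(rva_to_offset(dump, 0x2000)), hex(rva_to_offset(unmap_pe(dump), 0x2000)))
```

Before the fix-up, a parser following the section table resolves the .data RVA to the on-disk offset 0x600, which in the dump holds nothing useful; after it, the same lookup lands on 0x2000, where the key actually sits, and any extractor that resolves addresses through the headers starts reading the right bytes.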

Now we can run the configuration extractor with Poetry against our directory of unmapped binaries:

```bash
poetry lock
poetry install
poetry shell
netwire-config-extractor -d sample-dir/ -o output.ndjson
```

This file, output.ndjson , can then be uploaded to Kibana for further analysis.

Check out the Elastic Container project to quickly spin up an Elastic Stack and start analyzing structured security-relevant data.

Next time you run into a NETWIRE sample, run it through our configuration extractor to pull out other indicators to help you on your analytic journey or begin remediating quicker.

Detection

YARA

These YARA rules can be used to detect and identify the NETWIRE RAT.

rule Windows_Trojan_Netwire_1 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a = { 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C }
   condition:
       all of them
}
rule Windows_Trojan_Netwire_2 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a1 = "[%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword
       $a2 = "\\Login Data"
       $a3 = "SOFTWARE\\NetWire" fullword
   condition:
       2 of them
}
rule Windows_Trojan_Netwire_3 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a = { C9 0F 44 C8 D0 EB 8A 44 24 12 0F B7 C9 75 D1 32 C0 B3 01 8B CE 88 44 }
   condition:
       all of them
}
rule Windows_Trojan_Netwire_4 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a1 = "http://%s%ComSpec" ascii fullword
       $a2 = "%c%.8x%s" ascii fullword
       $a3 = "%6\\6Z65dlNh\\YlS.dfd" ascii fullword
       $a4 = "GET %s HTTP/1.1" ascii fullword
       $a5 = "R-W65: %6:%S" ascii fullword
       $a6 = "PTLLjPq %6:%S -qq9/G.y" ascii fullword
   condition:
       4 of them
}

Indicators

All indicators are also available for download in both ECS and STIX format in a combined zip bundle.

The following indicators were discussed in this research.

| Indicator | Type | Note |
| --- | --- | --- |
| 139.28.38[.]235 | ipv4-addr | NETWIRE RAT C2 |
| 149.102.132[.]253 | ipv4-addr | NETWIRE RAT C2 |
| 184.75.221[.]115 | ipv4-addr | NETWIRE RAT C2 |
| 185.136.165[.]182 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]139 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]144 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]154 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]61 | ipv4-addr | NETWIRE RAT C2 |
| 185.216.71[.]251 | ipv4-addr | NETWIRE RAT C2 |
| 194.36.111[.]59 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]126 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]178 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]188 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]65 | ipv4-addr | NETWIRE RAT C2 |
| 212.193.29[.]37 | ipv4-addr | NETWIRE RAT C2 |
| 212.193.30[.]230 | ipv4-addr | NETWIRE RAT C2 |
| 213.152.161[.]249 | ipv4-addr | NETWIRE RAT C2 |
| 217.151.98[.]163 | ipv4-addr | NETWIRE RAT C2 |
| 23.105.131[.]166 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]199 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]203 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]206 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]208 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]214 | ipv4-addr | NETWIRE RAT C2 |
| 37.120.217[.]243 | ipv4-addr | NETWIRE RAT C2 |
| 51.161.104[.]138 | ipv4-addr | NETWIRE RAT C2 |
| 54.145.6[.]146 | ipv4-addr | NETWIRE RAT C2 |
| 80.66.64[.]136 | ipv4-addr | NETWIRE RAT C2 |
| 85.209.134[.]105 | ipv4-addr | NETWIRE RAT C2 |
| 85.31.46[.]78 | ipv4-addr | NETWIRE RAT C2 |
| 94.156.35[.]40 | ipv4-addr | NETWIRE RAT C2 |
| 20220627.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| admin96.hopto[.]org | domain-name | NETWIRE RAT C2 |
| alice2019.myftp[.]biz | domain-name | NETWIRE RAT C2 |
| asorock1111.ddns[.]net | domain-name | NETWIRE RAT C2 |
| banqueislamik.ddrive[.]online | domain-name | NETWIRE RAT C2 |
| betterday.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| bigman2021.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| blazeblaze.ddns[.]net | domain-name | NETWIRE RAT C2 |
| chongmei33.myddns[.]rocks | domain-name | NETWIRE RAT C2 |
| clients.enigmasolutions[.]xyz | domain-name | NETWIRE RAT C2 |
| gracedynu.gleeze[.]com | domain-name | NETWIRE RAT C2 |
| ingobea.hopto[.]org | domain-name | NETWIRE RAT C2 |
| iphanyi.edns[.]biz | domain-name | NETWIRE RAT C2 |
| iphy.strangled[.]net | domain-name | NETWIRE RAT C2 |
| kimlee11.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| loffgghh.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| megaton.gleeze[.]com | domain-name | NETWIRE RAT C2 |
| moran101.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| netuwaya.servecounterstrike[.]com | domain-name | NETWIRE RAT C2 |
| nowancenorly.ddns[.]net | domain-name | NETWIRE RAT C2 |
| podzeye.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| podzeye2.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| recoveryonpoint.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| redlinea[.]top | domain-name | NETWIRE RAT C2 |
| roller.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| rozayleekimishere.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| sani990.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| saturdaylivecheckthisout.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| uhie.hopto[.]org | domain-name | NETWIRE RAT C2 |
| uhie2020.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| wcbradley.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| xman2.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| zonedx.ddns[.]net | domain-name | NETWIRE RAT C2 |