Seth GoodwinSalim Bitam

NETWIRE Dynamic Configuration Extraction

A tool for the dynamic extraction of NETWIRE configurations based on emulation.

Extracción de configuración dinámica de NETWIRE

Conclusiones clave

  • NETWIRE has shown an increase in prevalence over the last year
  • Elastic Security Labs created an extractor to pull out configuration data from NETWIRE files and memory dumps targeting the functions the malware uses to extract its encrypted data
  • The NETWIRE extractor is freely available for download

To download the NETWIRE configuration extractor, check out our post on the tool:

Preámbulo

NETWIRE is a Remote Access Tool (RAT) that has been used since at least 2014. It is a publicly available commodity malware and has been observed being used by financially motivated and nation-state actors.

In the second half of 2022, we noticed an uptick in the prevalence of NETWIRE usage in our telemetry data. This prompted the Elastic Security Labs team to develop a configuration extractor to assist the security community in collecting atomic indicators within the configurations. Using this extractor will support threat tracking and improve detection, prevention, and response times.

Extractor

The NETWIRE RAT uses the RC4 symmetric encryption algorithm to protect its configuration which is encrypted in the .data section along with the 16 bytes long RC4 decryption key.

While reversing our samples the analysts noticed that for both the crypto::rc4_init_sbox and crypto::rc4_decrypt functions the second argument (#2 in the image below) is always a memory address for the desired encrypted configuration value, and the third argument (#3) is an immediate value written to the memory stack before the call which represents the size of the encrypted string.

It was also noted that the function calls are one after the other. This is important to allow us to structure the extractor to look for these functions sequentially.

With $key (from the above image) in mind, we created YARA rules to identify the location of the key and encrypted configuration values.

![YARA rule section that identifies the key and encrypted configuration](/assets/images/netwire-dynamic-configuration-extraction/image5.jpg

With this information we can then use Capstone to:

  1. Locate the function responsible for decrypting the configuration using YARA.

  2. Disassemble the function using Capstone.

  3. Extract the RC4 key address and the encrypted configuration field addresses.

  4. Extract the size of the configuration field.

  5. RC4 decrypt the encrypted fields and rebuild the configuration.

![RC4 decrypting the configuration](/assets/images/netwire-dynamic-configuration-extraction/image5.jpg

Once we have recreated the configuration, we can use the extractor to pull out several parameters used by NETWIRE, as well as a few basic file characteristics:

  • Active Setup Key : Active Setup registry key to achieve persistence.
  • C2 IP list : List of command and control (C2) server domains or IP addresses.
  • Host ID : A unique identifier that is assigned to the infected machine.
  • Installation path : The location where the malware will be installed.
  • Keylogger logs directory : The location where the keylogging log file will be stored.
  • Mutex : Mutex name, to create a synchronization object to ensure only one instance of the sample is running on the machine.
  • Password : Static password to generate AES key used for encrypting the communication between the malware and the C2 server.
  • Run registry key entry : Name of the entry in the run registry, used for persistence.
  • Sleep in seconds : The amount of time the malware sleeps.

The configuration extractor accepts four parameters:

  • -f : to specify a single NETWIRE sample
  • -d : To specify a directory of NETWIRE samples
  • -o : To write the configuration in JSON format to the specified file
  • --all-config : To print the unparsed raw decrypted configuration

Análisis

We’ve used this extractor to examine a set of samples from the previous 180 days to extract indicators for further enrichment and analysis.

Our initially collected batch of samples came as a mixture of executable files and memory dumps. The extractor will only work on unmapped files, so the dumps which were already mapped were run through pe_unmapper.

When extracting a payload from memory, we are obtaining a memory-mapped version of it. This means that the "Raw Address" and "Raw Size" may not be correctly aligned with the correct section’s data. To correctly align the PE file, it is necessary to adjust the pointer to the raw address so that it matches the virtual address for every section.

Now we can run the configuration extractor with Poetry against our directory of unmapped binaries:

**poetry lock**
**poetry install**
**poetry shell**
**netwire-config-extractor -d sample-dir/ -o output.ndjson**

This file, output.ndjson , can then be uploaded to Kibana for further analysis.

Check out the Elastic Container project to quick spin up an Elastic Stack and start analyzing structured security-relevant data.

Next time you run into a NETWIRE sample, run it through our configuration extractor to pull out other indicators to help you on your analytic journey or begin remediating quicker.

Detección

YARA

These YARA rules can used to detect and identify NETWIRE RAT.

rule Windows_Trojan_Netwire_1 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a = { 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C }
   condition:
       all of them
}
rule Windows_Trojan_Netwire_2 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a1 = "[%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword
       $a2 = "\\Login Data"
       $a3 = "SOFTWARE\\NetWire" fullword
   condition:
       2 of them
}
rule Windows_Trojan_Netwire_3 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a = { C9 0F 44 C8 D0 EB 8A 44 24 12 0F B7 C9 75 D1 32 C0 B3 01 8B CE 88 44 }
   condition:
       all of them
}
rule Windows_Trojan_Netwire_4 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a1 = "http://%s%ComSpec" ascii fullword
       $a2 = "%c%.8x%s" ascii fullword
       $a3 = "%6\\6Z65dlNh\\YlS.dfd" ascii fullword
       $a4 = "GET %s HTTP/1.1" ascii fullword
       $a5 = "R-W65: %6:%S" ascii fullword
       $a6 = "PTLLjPq %6:%S -qq9/G.y" ascii fullword
   condition:
       4 of them
}

Indicadores

All indicators are also available for download in both ECS and STIX format in a combined zip bundle.

The following indicators were discussed in this research.

IndicadorTipoNote
139.28.38[.]235IPv4-ADDRNETWIRE RAT C2
149.102.132[.]253IPv4-ADDRNETWIRE RAT C2
184.75.221[.]115IPv4-ADDRNETWIRE RAT C2
185.136.165[.]182IPv4-ADDRNETWIRE RAT C2
185.140.53[.]139IPv4-ADDRNETWIRE RAT C2
185.140.53[.]144IPv4-ADDRNETWIRE RAT C2
185.140.53[.]154IPv4-ADDRNETWIRE RAT C2
185.140.53[.]61IPv4-ADDRNETWIRE RAT C2
185.216.71[.]251IPv4-ADDRNETWIRE RAT C2
194.36.111[.]59IPv4-ADDRNETWIRE RAT C2
194.5.98[.]126IPv4-ADDRNETWIRE RAT C2
194.5.98[.]178IPv4-ADDRNETWIRE RAT C2
194.5.98[.]188IPv4-ADDRNETWIRE RAT C2
194.5.98[.]65IPv4-ADDRNETWIRE RAT C2
212.193.29[.]37IPv4-ADDRNETWIRE RAT C2
212.193.30[.]230IPv4-ADDRNETWIRE RAT C2
213.152.161[.]249IPv4-ADDRNETWIRE RAT C2
217.151.98[.]163IPv4-ADDRNETWIRE RAT C2
23.105.131[.]166IPv4-ADDRNETWIRE RAT C2
37.0.14[.]199IPv4-ADDRNETWIRE RAT C2
37.0.14[.]203IPv4-ADDRNETWIRE RAT C2
37.0.14[.]206IPv4-ADDRNETWIRE RAT C2
37.0.14[.]208IPv4-ADDRNETWIRE RAT C2
37.0.14[.]214IPv4-ADDRNETWIRE RAT C2
37.120.217[.]243IPv4-ADDRNETWIRE RAT C2
51.161.104[.]138IPv4-ADDRNETWIRE RAT C2
54.145.6[.]146IPv4-ADDRNETWIRE RAT C2
80.66.64[.]136IPv4-ADDRNETWIRE RAT C2
85.209.134[.]105IPv4-ADDRNETWIRE RAT C2
85.31.46[.]78IPv4-ADDRNETWIRE RAT C2
94.156.35[.]40IPv4-ADDRNETWIRE RAT C2
20220627.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
admin96.hopto[.]orgnombre-de-dominioNETWIRE RAT C2
alice2019.myftp[.]biznombre-de-dominioNETWIRE RAT C2
asorock1111.ddns[.]netnombre-de-dominioNETWIRE RAT C2
banqueislamik.ddrive[.]onlinenombre-de-dominioNETWIRE RAT C2
betterday.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
bigman2021.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
blazeblaze.ddns[.]netnombre-de-dominioNETWIRE RAT C2
chongmei33.myddns[.]rocksnombre-de-dominioNETWIRE RAT C2
clients.enigmasolutions[.]xyznombre-de-dominioNETWIRE RAT C2
gracedynu.gleeze[.]comnombre-de-dominioNETWIRE RAT C2
ingobea.hopto[.]orgnombre-de-dominioNETWIRE RAT C2
iphanyi.edns[.]biznombre-de-dominioNETWIRE RAT C2
iphy.strangled[.]netnombre-de-dominioNETWIRE RAT C2
kimlee11.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
loffgghh.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
megaton.gleeze[.]comnombre-de-dominioNETWIRE RAT C2
moran101.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
netuwaya.servecounterstrike[.]comnombre-de-dominioNETWIRE RAT C2
nowancenorly.ddns[.]netnombre-de-dominioNETWIRE RAT C2
podzeye.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
podzeye2.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
recoveryonpoint.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
redlinea[.]topnombre-de-dominioNETWIRE RAT C2
roller.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
rozayleekimishere.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
sani990.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
saturdaylivecheckthisout.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
uhie.hopto[.]orgnombre-de-dominioNETWIRE RAT C2
uhie2020.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
wcbradley.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
xman2.duckdns[.]orgnombre-de-dominioNETWIRE RAT C2
zonedx.ddns[.]netnombre-de-dominioNETWIRE RAT C2