NETWIRE

Malware updated 4 months ago (2024-05-04T17:56:53.606Z)
NetWire is a remote access trojan (RAT) that has been used in criminal and targeted intrusions since at least 2012. It was originally sold as a legitimate tool for remotely administering Windows computers, but was quickly adopted by cybercriminals and used in phishing attacks, Business Email Compromise (BEC) campaigns, and corporate network breaches. It typically reaches a host through malicious email attachments, downloads, or websites, often without the user noticing. Once installed it gives the operator remote control of the machine and is used to log keystrokes, harvest credentials and other personal data, and stage further intrusion.

NetWire is frequently seen alongside other commodity malware, including Formbook, AveMaria (Warzone RAT), and Agent Tesla. GuLoader, a downloader first observed delivering Parallax RAT, has since been used to deliver NetWire and a range of information stealers. NetWire has also been associated with TA2541, a threat actor that favors AsyncRAT but also uses other commodity RATs such as WSH RAT and Parallax. In some campaigns NetWire binaries were signed with a stolen code-signing certificate, which lets them pass controls that trust any valid Authenticode signature. The Canadian security firm eSentire has documented drive-by download campaigns that lure users to dubious websites to distribute malware families including NetWire, DarkGate, and DanaBot.

In March 2023 an international law enforcement operation involving the FBI and partner police agencies arrested the suspected administrator of the NetWire service and seized its sales domain and hosting server, disrupting distribution. Copies already in circulation continue to be used, so NetWire remains a threat worth detecting, and the usual controls against phishing and unexpected executables still apply.
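The stolen-certificate detail above is the practical point for defenders: a binary signed with a stolen but not-yet-revoked certificate produces a signature that Windows reports as valid. The following PowerShell script is an added example, not code from the original page or from any of the cited reports. It shows the check a practitioner would want instead of trusting the Status field alone: read the signer certificate, force an online revocation check of the whole chain, and compare the signer thumbprint against an allow-list of vetted publishers. The allow-list parameter and its contents are assumptions for illustration.

```powershell
# Added example (not from the original page): vet an Authenticode signature instead of
# trusting "Valid" alone. Run as: .\Test-SignerTrust.ps1 -Path C:\path\to\file.exe
param(
    [Parameter(Mandatory)][string]$Path,
    # Hypothetical allow-list of signer certificate thumbprints your organisation has
    # vetted (assumption; populate from your own software inventory).
    [string[]]$TrustedThumbprints = @()
)

$sig = Get-AuthenticodeSignature -FilePath $Path

$result = [ordered]@{
    Path    = $Path
    Status  = $sig.Status
    Signer  = $null
    Thumb   = $null
    Revoked = $null
    Verdict = 'review'
}

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject
    $result.Thumb  = $cert.Thumbprint

    # Build the chain with an online revocation check over every certificate in it.
    # A certificate the CA has revoked since it was stolen shows up in ChainStatus with
    # the Revoked flag, regardless of what the signature status field says.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag })
}

# Decide in order of severity: broken/missing signature, revoked signer, unknown signer.
if ($sig.Status -ne 'Valid') {
    $result.Verdict = 'untrusted (signature not valid or file unsigned)'
}
elseif ($result.Revoked) {
    $result.Verdict = 'untrusted (signer certificate revoked)'
}
elseif ($TrustedThumbprints -notcontains $result.Thumb) {
    $result.Verdict = 'review (valid signature, signer not on allow-list)'
}
else {
    $result.Verdict = 'trusted'
}

[pscustomobject]$result
```

The allow-list step matters because Authenticode honours timestamps: a signature made and timestamped before the certificate's revocation date stays valid, so a NetWire build signed while the certificate was still good keeps verifying. Treat "valid but unknown signer" as a triage queue, not as a pass.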
Description last updated: 2024-05-04T16:11:59.210Z
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Malware
RAT
Trojan
Payload
Windows
Fraud
Remcos
FBI
Cybercrime
Associated Malware

Agent Tesla (type: Unspecified; votes: 2)
Agent Tesla is a type of malware, or malicious software, that exploits and damages computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d

Agenttesla (type: Unspecified; votes: 2)
AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage

Formbook (type: Unspecified; votes: 2)
Formbook is a type of malware, short for malicious software, designed to exploit and damage computers or devices. It was first discovered in 2016 and has since been used in various cyber attacks worldwide. The malware can infect systems through suspicious downloads, emails, or websites, often withou

Avemaria/warzonerat (type: Unspecified; votes: 2)
No description available.

AsyncRAT (type: Unspecified; votes: 2)
AsyncRAT is a form of malware, malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once installed, it can steal personal information, disrupt operations, or even hold data hostage

Lokibot (type: Unspecified; votes: 2)
LokiBot is a malicious software, or malware, first observed in 2015. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information

GuLoader (type: Unspecified; votes: 2)
GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has

Raccoon (type: Unspecified; votes: 2)
Raccoon is a type of malware, specifically an infostealer, used by a range of threat actors including Scattered Spider to obtain login credentials, browser cookies, and histories. This malicious software, which is sold as Malware-as-a-Service (MaaS) on dark web forums, is both effective and inexpensive

Redline (type: Unspecified; votes: 2)
RedLine is a notorious malware that has been widely used by cybercriminals to steal sensitive information. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal data or disrupting operations. RedLine's conf

Xworm (type: Unspecified; votes: 2)
XWorm is a multifaceted malware that has been deployed by threat actors exploiting vulnerabilities in ScreenConnect, a remote access software. This malware provides threat actors with remote access capabilities and the potential to spread across networks, exfiltrate sensitive data, and download additional payloads.
Source Document References
Information about the NETWIRE malware was read from the documents corpus below. This display is limited to 20 results.

Source                 Created         Title
CERT-EU                8 months ago    The law enforcement operations targeting cybercrime in 2023
MITRE                  9 months ago    TA2541: Threats to Aviation, Aerospace, & Travel | Proofpoint US
CERT-EU                10 months ago   Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
CERT-EU                a year ago      Threat Roundup for October 13 to October 20
CERT-EU                10 months ago   Police Shut Down BulletProftLink Phishing-as-a-Service Operation
CERT-EU                10 months ago   New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
CERT-EU                a year ago      DotRunpeX Malware Injector Widely Delivers Known Malware Families to Attack Windows
CERT-EU                a year ago      Suspected OPERA1ER hacking group member arrested
CERT Polska            2 years ago     MadProtect, not that mad
CERT-EU                a year ago      May 2023's Most Wanted Malware: New Version of Guloader Delivers Encrypted Cloud-Based Payloads – Global Security Mag Online
CERT-EU                a year ago      Most Wanted: Check Point Top Malware Ranking – May 2023 | UnderNews
MITRE                  2 years ago     Behind the CARBANAK Backdoor | Mandiant
MITRE                  2 years ago     GuLoader: Malspam Campaign Installing NetWire RAT
MITRE                  2 years ago     Lokibot with Autoit Obfuscated Frenchy Shellcode
InfoSecurity-magazine  a year ago      Global Cops Take Down NetWire RAT
CERT-EU                a year ago      FBI and international cops catch a NetWire RAT
Krebs on Security      a year ago      Who's Behind the NetWire Remote Access Trojan?
CERT-EU                a year ago      NetWire Malware Site and Server Seized, Admin Arrested
Flashpoint             a year ago      COURT DOC: Federal Authorities Seize Internet Domain Selling Malware Used to Illegally Control and Steal Data from Victims' Computers
CERT-EU                a year ago      Microsoft OneNote Announces Enhanced Security After Phishing Attacks