NETWIRE

Malware Profile Updated 2 months ago
NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing attacks, Business Email Compromise (BEC) campaigns, and corporate network breaches. The malware can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. NetWire has also been linked with other malware such as Formbook, AveMaria, Agent Tesla, and more. GuLoader, which was first used to download Parallax RAT, has been applied to other RATs and info-stealers including NetWire, demonstrating its versatility. The malware has also been associated with TA2541, a threat actor group known to favor AsyncRAT among other popular RATs like WSH RAT and Parallax. In some instances, NetWire binaries were found signed with a stolen certificate, further complicating detection and mitigation efforts. Canadian cybersecurity firm eSentire has documented campaigns showing the use of drive-by download methods, directing users to dubious websites to propagate malware families like NetWire, DarkGate, and DanaBot. However, in a significant blow to the operation, an international law enforcement effort involving the FBI and global police agencies led to the arrest of the suspected administrator of the NetWire RAT. This resulted in the seizure of the service's web domain and hosting server, disrupting its distribution and operation. Despite this setback, NetWire remains a potent threat due to its wide usage and adaptability across different malware families. Continued vigilance and robust cybersecurity measures are essential to protect against such threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rat
Malware
Trojan
Windows
Payload
Remcos
Cybercrime
Fraud
Fbi
Police
Microsoft
Apt
Linux
Shellcode
Spam
Phishing
Sandbox
Skype
Firefox
Chrome
Associated Malware
ID | Type | Votes | Profile Description
Lokibot | Unspecified | 2 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Redline | Unspecified | 2 | RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u
Raccoon | Unspecified | 2 | Raccoon is a type of malware utilized by the Scattered Spider threat actors to obtain sensitive information such as login credentials, browser cookies, and browser histories. The Raccoon Stealer is particularly notorious for its ability to detect countermeasures and delete records associated with th
Xworm | Unspecified | 2 | XWorm is a multifaceted malware that poses a significant threat to computer systems. It provides threat actors with remote access capabilities, allowing them to exploit vulnerabilities in programs such as ScreenConnect client software. Additionally, XWorm has the potential to spread across networks,
Agent Tesla | Unspecified | 2 | Agent Tesla is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates the system often without the user's knowledge via suspicious downloads, emails, or websites, with the capability to steal personal information, disrupt operations, or hold data for
Agenttesla | Unspecified | 2 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
GuLoader | Unspecified | 2 | GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Formbook | Unspecified | 2 | Formbook is a type of malware, or malicious software, that can infiltrate your computer or device through suspicious downloads, emails, or websites. Once it has infected a system, it can steal personal information, disrupt operations, and potentially hold data for ransom. The individual behind the R
Avemaria/warzonerat | Unspecified | 2 | None
AsyncRAT | Unspecified | 2 | AsyncRAT is a malicious software (malware) that targets computer systems to exploit and damage them, often infiltrating the system without the user's knowledge through suspicious downloads, emails, or websites. The malware operates by loading an executable which unpacks a DLL in memory, subsequently
Privateloader | Unspecified | 1 | PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Vidar | Unspecified | 1 | Vidar is a Windows-based malware written in C++, known as an infostealer due to its ability to steal personal information from infected systems. It has been leveraged by cybercriminals alongside other malicious software like Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoade
Dotrunpex | Unspecified | 1 | DotRunpeX is a rapidly evolving and highly stealthy .NET injector malware that has gained significant attention from both security analysts and threat actors. It employs the "Process Hollowing" method to distribute a wide variety of other malware strains, including AgentTesla, ArrowRAT, AsyncRat, Av
win.dropper.nanocore-10011208-0 | Unspecified | 1 | None
Darkgate | Unspecified | 1 | DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host
Associated Threat Actors
ID | Type | Votes | Profile Description
Passcv | Unspecified | 1 | PassCV is a threat actor, or hacking team, that has been identified as part of the Chinese intelligence apparatus. This group has operated under various names including Winnti, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF, indicating a broad and complex network of cyber operations. The group i
TA2541 | Unspecified | 1 | TA2541, a cybercriminal threat actor identified by Proofpoint, has been actively executing malicious actions since January 2017. This group demonstrates persistent and ongoing threat activity, targeting sectors related to aviation, transportation, and travel. Unlike many similar entities, TA2541 doe
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Vidar Xworm | Unspecified | 1 | None
Asyncrat Avemaria/warzonerat | Unspecified | 1 | None
Redline Remcos | Unspecified | 1 | None
Source Document References
Information about the NETWIRE Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | The law enforcement operations targeting cybercrime in 2023
MITRE | 7 months ago | TA2541: Threats to Aviation, Aerospace, & Travel | Proofpoint US
CERT-EU | 8 months ago | Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
CERT-EU | 9 months ago | Threat Roundup for October 13 to October 20
CERT-EU | 8 months ago | Police Shut Down BulletProftLink Phishing-as-a-Service Operation
CERT-EU | 8 months ago | New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
CERT-EU | a year ago | DotRunpeX Malware Injector Widely Delivers Known Malware Families to Attack Windows
CERT-EU | a year ago | Suspected OPERA1ER hacking group member arrested
CERT Polska | a year ago | MadProtect, not that mad
CERT-EU | a year ago | May 2023's Most Wanted Malware : New Version of Guloader Delivers Encrypted Cloud-Based Payloads – Global Security Mag Online
CERT-EU | a year ago | Most Wanted: Check Point Top Malware Ranking – May 2023 | UnderNews
MITRE | a year ago | Behind the CARBANAK Backdoor | Mandiant
MITRE | a year ago | GuLoader: Malspam Campaign Installing NetWire RAT
MITRE | a year ago | Lokibot with Autoit Obfuscated Frenchy Shellcode
InfoSecurity-magazine | a year ago | Global Cops Take Down NetWire RAT
CERT-EU | a year ago | FBI and international cops catch a NetWire RAT
Krebs on Security | a year ago | Who's Behind the NetWire Remote Access Trojan?
CERT-EU | a year ago | NetWire Malware Site and Server Seized, Admin Arrested
Flashpoint | a year ago | COURT DOC: Federal Authorities Seize Internet Domain Selling Malware Used to Illegally Control and Steal Data from Victims' Computers
CERT-EU | a year ago | Microsoft OneNote Announces Enhanced Security After Phishing Attacks