NETWIRE
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | NETWIRE has the ability to communicate over HTTP.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | NETWIRE has used a custom encryption algorithm to encrypt collected data.(Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | NETWIRE creates a Registry start-up entry to establish persistence.(Citation: McAfee Netwire Mar 2015)(Citation: Red Canary NETWIRE January 2020)(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1547.011 | Boot or Logon Autostart Execution: Plist Modification | NETWIRE can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1547.013 | Boot or Logon Autostart Execution: XDG Autostart Entries | NETWIRE can use XDG Autostart Entries to establish persistence on Linux systems.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1547.015 | Boot or Logon Autostart Execution: Login Items | NETWIRE can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | The NETWIRE binary has been executed via a PowerShell script.(Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | NETWIRE can issue commands using cmd.exe.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | NETWIRE has the ability to use |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | NETWIRE has been executed through the use of VBScripts.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | NETWIRE can use launch agents for persistence.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | NETWIRE has the ability to write collected data to a file created in the |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | NETWIRE can use AES encryption for transferred C2 data.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | NETWIRE can copy itself to, and launch itself from, hidden folders.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1056.001 | Input Capture: Keylogging | NETWIRE can perform keylogging.(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | The NETWIRE client has been signed with fake and invalid digital certificates.(Citation: McAfee Netwire Mar 2015) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | NETWIRE has masqueraded as legitimate software, including TeamViewer and macOS Finder.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | NETWIRE has used .NET packer tools to evade detection.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | NETWIRE can store its configuration information in the Registry under `HKCU:\Software\Netwire`.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | NETWIRE has been spread via e-mail campaigns using malicious attachments.(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | NETWIRE has been spread via e-mail campaigns using malicious links.(Citation: Unit 42 NETWIRE April 2020) |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | The NETWIRE payload has been injected into benign Microsoft executables via process hollowing.(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | NETWIRE can use crontabs to establish persistence.(Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | NETWIRE can create a scheduled task to establish persistence.(Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1204.001 | User Execution: Malicious Link | NETWIRE has been executed by convincing victims to click malicious links.(Citation: FireEye NETWIRE March 2019)(Citation: Unit 42 NETWIRE April 2020) |
| Enterprise | T1204.002 | User Execution: Malicious File | NETWIRE has been executed by luring victims into opening malicious documents.(Citation: FireEye NETWIRE March 2019)(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0089 | The White Company | (Citation: Cylance Shaheen Nov 2018) |
| G0064 | APT33 | (Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017) |
| G0083 | SilverTerrier | (Citation: Unit42 SilverTerrier 2018) |
| G1018 | TA2541 | (Citation: Proofpoint TA2541 February 2022)(Citation: FireEye NETWIRE March 2019) |
References
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
- Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
- Maniath, S. and Kadam, P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
- Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Unit42. (2016). SilverTerrier: The Rise of Nigerian Business Email Compromise. Retrieved November 13, 2018.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.