NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)
ID: S0198
Type: MALWARE
Platforms: Windows, Linux, macOS
Version: 1.6
Created: 18 Apr 2018
Last Modified: 20 Sep 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

NETWIRE has the ability to communicate over HTTP.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

NETWIRE has used a custom encryption algorithm to encrypt collected data.(Citation: FireEye NETWIRE March 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

NETWIRE creates a Registry start-up entry to establish persistence.(Citation: McAfee Netwire Mar 2015)(Citation: Red Canary NETWIRE January 2020)(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1547 .011 Boot or Logon Autostart Execution: Plist Modification

NETWIRE can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1547 .013 Boot or Logon Autostart Execution: XDG Autostart Entries

NETWIRE can use XDG Autostart Entries to establish persistence on Linux systems.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1547 .015 Boot or Logon Autostart Execution: Login Items

NETWIRE can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

The NETWIRE binary has been executed via PowerShell script.(Citation: FireEye NETWIRE March 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

NETWIRE can issue commands using cmd.exe.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

NETWIRE has the ability to use /bin/bash and /bin/sh to execute commands.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

NETWIRE has been executed through use of VBScripts.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

NETWIRE can use launch agents for persistence.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.(Citation: FireEye NETWIRE March 2019)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

NETWIRE can use AES encryption for C2 data transferred.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

NETWIRE can copy itself to and launch itself from hidden folders.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1056 .001 Input Capture: Keylogging

NETWIRE can perform keylogging.(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1036 .001 Masquerading: Invalid Code Signature

The NETWIRE client has been signed by fake and invalid digital certificates.(Citation: McAfee Netwire Mar 2015)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

NETWIRE has used .NET packer tools to evade detection.(Citation: Red Canary NETWIRE January 2020)

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

NETWIRE can store its configuration information in the Registry under `HKCU:\Software\Netwire`.(Citation: Red Canary NETWIRE January 2020)
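The two Registry artifacts this page attributes to NETWIRE, the Run-key start-up entry (T1547.001, above) and the configuration key under `HKCU:\Software\Netwire` (T1027.011), can both be hunted offline from a `reg export` of the suspect hive. The following is an added example written for this page, not code from MITRE ATT&CK or from NETWIRE itself; the `.reg` sample it parses is constructed, and its value names and file paths are illustrative rather than known NETWIRE indicators. The "user-writable path" heuristic is this example's assumption.

```python
"""Offline triage of a Windows Registry export (.reg) for NETWIRE-style artifacts.

Added example, not code from MITRE ATT&CK or from NETWIRE itself. It parses the
text format written by `reg export` / Registry Editor and flags the two Registry
artifacts this page attributes to NETWIRE: Run-key autostart values (T1547.001)
and a configuration key at HKCU\\Software\\Netwire (T1027.011). The export below
is constructed for the example; its value names and file paths are illustrative.
"""
import re
from dataclasses import dataclass

RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
NETWIRE_CONFIG_KEY = r"hkey_current_user\software\netwire"
# Directories an unprivileged user can write to. A Run value that starts a
# program from one of these is worth a look (this example's assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


# A value line: either @ (the default value) or a quoted name, then '=' and the data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo .reg escaping (\\\\ and \\")."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s                      # dword:, hex:, ... are kept as raw text


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}}.

    Single-line values only; hex continuation lines are not joined.
    """
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if m:
            name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def triage(keys: dict[str, dict[str, str]]) -> list[Finding]:
    """Flag the NETWIRE configuration key and Run values that launch from user-writable paths."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k == NETWIRE_CONFIG_KEY:
            findings.append(Finding(key, "", "", "NETWIRE configuration key present (T1027.011)"))
        if k.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                if any(d in data.lower() for d in USER_WRITABLE):
                    findings.append(Finding(key, name, data,
                                            "Run value starts a program from a user-writable path (T1547.001)"))
    return findings


# Constructed sample export (illustrative content, not a real NETWIRE capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Host"="C:\\Users\\alice\\AppData\\Roaming\\Install\\Host.exe"

[HKEY_CURRENT_USER\Software\Netwire]
"Settings"=hex:4e,57,31,30
'''

if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{f.key} | {f.name} | {f.data} | {f.reason}")
```

On a live host the same export is produced with `reg export HKCU\Software out.reg` (the file is UTF-16LE with a BOM, which the parser tolerates after decoding); checking the HKLM Run keys as well costs nothing, since the suffix match does not care which hive the key sits in.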

Enterprise T1566 .001 Phishing: Spearphishing Attachment

NETWIRE has been spread via e-mail campaigns utilizing malicious attachments.(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020)

Enterprise T1566 .002 Phishing: Spearphishing Link

NETWIRE has been spread via e-mail campaigns utilizing malicious links.(Citation: Unit 42 NETWIRE April 2020)

Enterprise T1055 .012 Process Injection: Process Hollowing

The NETWIRE payload has been injected into benign Microsoft executables via process hollowing.(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)

Enterprise T1053 .003 Scheduled Task/Job: Cron

NETWIRE can use crontabs to establish persistence.(Citation: Red Canary NETWIRE January 2020)
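The three Unix persistence mechanisms this page lists for NETWIRE, XDG autostart entries (T1547.013), launch agents (T1543.001) and crontab entries (T1053.003), can be triaged with one script that extracts the start-up command from each artifact and applies the page's other observations as heuristics: launching from hidden folders (T1564.001) and running commands through /bin/sh and /bin/bash (T1059.004). The code below is an added example written for this page, not code from MITRE ATT&CK or from NETWIRE itself; the three artifacts it reads are constructed, their paths and labels are illustrative rather than known NETWIRE indicators, and the heuristics are this example's assumptions.

```python
"""Triage of Linux/macOS start-up artifacts for the persistence this page lists.

Added example, not code from MITRE ATT&CK or from NETWIRE itself. Parses XDG
autostart entries (T1547.013), launchd plists (T1543.001) and crontab lines
(T1053.003); flags programs in hidden or temp directories (T1564.001) and
`sh -c` wrappers (T1059.004). Samples and heuristics are this example's own.
"""
import configparser
import os
import plistlib
import re
import shlex
from dataclasses import dataclass

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/private/tmp/")
HIDDEN_DIR = re.compile(r"/\.[^/]+/")   # a dot-directory anywhere in the path
HIDDEN_ALLOW = ("/.local/bin/",)        # hidden, but routinely legitimate


@dataclass
class Finding:
    source: str    # artifact the entry came from
    command: str   # command line that would run at start-up
    reason: str


def assess(source: str, command: str) -> list[Finding]:
    """Apply the heuristics to one start-up command line."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return [Finding(source, command, "command line does not tokenise")]
    if not argv:
        return []
    prog = argv[0]
    reasons = []
    if HIDDEN_DIR.search(prog) and not any(a in prog for a in HIDDEN_ALLOW):
        reasons.append("program is stored in a hidden directory")
    if prog.startswith(TEMP_DIRS):
        reasons.append("program is stored in a temporary directory")
    findings = [Finding(source, command, r) for r in reasons]
    # `sh -c '...'` hides the real program behind the shell: assess the inner command too.
    if os.path.basename(prog) in ("sh", "bash") and "-c" in argv[:-1]:
        findings.append(Finding(source, command, "wrapped in a shell -c invocation"))
        findings += assess(source, argv[argv.index("-c") + 1])
    return findings


def xdg_autostart_command(desktop_file: str) -> str:
    """Exec= line of an XDG .desktop entry, with field codes (%u, %f, ...) removed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                          # keep 'Exec' case-sensitive
    cp.read_string(desktop_file)
    return re.sub(r"%[a-zA-Z%]", "", cp.get("Desktop Entry", "Exec", fallback="")).strip()


def launch_agent_command(plist_bytes: bytes) -> str:
    """Command line a launchd plist would run (ProgramArguments, else Program)."""
    plist = plistlib.loads(plist_bytes)
    if "ProgramArguments" in plist:
        return shlex.join(plist["ProgramArguments"])
    return plist.get("Program", "")


def crontab_commands(crontab: str) -> list[str]:
    """Command part of each crontab line; comments and VAR=value lines are skipped."""
    commands = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        want = 2 if line.startswith("@") else 6      # @reboot cmd  |  m h dom mon dow cmd
        if len(fields) == want:
            commands.append(fields[-1])
    return commands


def triage(desktop_file: str, launch_agent: bytes, crontab: str) -> list[Finding]:
    findings = assess("xdg-autostart", xdg_autostart_command(desktop_file))
    findings += assess("launch-agent", launch_agent_command(launch_agent))
    for cmd in crontab_commands(crontab):
        findings += assess("crontab", cmd)
    return findings


# Constructed sample artifacts (illustrative, not real NETWIRE indicators).
XDG_DESKTOP = """[Desktop Entry]
Type=Application
Name=Updater
Exec=/home/alice/.cache/.updater/host -r
X-GNOME-Autostart-enabled=true
"""
LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.finder</string>
<key>ProgramArguments</key><array><string>/Users/alice/.defaults/Finder.app/Contents/MacOS/Finder</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>
"""
CRONTAB = """# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /bin/sh -c '/tmp/.X11-lock/.svc &'
"""

if __name__ == "__main__":
    for f in triage(XDG_DESKTOP, LAUNCH_AGENT, CRONTAB):
        print(f"{f.source:14} {f.reason:40} {f.command}")
```

In practice the inputs come from `~/.config/autostart/*.desktop`, `~/Library/LaunchAgents/*.plist` and `/Library/LaunchAgents`, and `crontab -l` for each user; the `sh -c` unwrapping matters because the outer program is a legitimate system shell and only the inner command reveals where the payload lives.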

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

NETWIRE can create a scheduled task to establish persistence.(Citation: FireEye NETWIRE March 2019)

Enterprise T1204 .001 User Execution: Malicious Link

NETWIRE has been executed through convincing victims into clicking malicious links.(Citation: FireEye NETWIRE March 2019)(Citation: Unit 42 NETWIRE April 2020)

Enterprise T1204 .002 User Execution: Malicious File

NETWIRE has been executed through luring victims into opening malicious documents.(Citation: FireEye NETWIRE March 2019)(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020)

Groups That Use This Software

ID Name References
G0089 The White Company (Citation: Cylance Shaheen Nov 2018)
G0064 APT33 (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)
G0083 SilverTerrier (Citation: Unit42 SilverTerrier 2018)
G1018 TA2541 (Citation: Proofpoint TA2541 February 2022) (Citation: FireEye NETWIRE March 2019)
