Seth Goodwin, Salim Bitam

NETWIRE Dynamic Configuration Extraction

A tool for the dynamic extraction of NETWIRE configurations based on emulation.

17 min read. Security research

Key takeaways

  • NETWIRE has shown an increase in prevalence over the last year
  • Elastic Security Labs created an extractor that pulls configuration data out of NETWIRE files and memory dumps by targeting the functions the malware uses to decrypt its encrypted configuration
  • The NETWIRE extractor is freely available for download

To download the NETWIRE configuration extractor, check out our post on the tool:

Preamble

NETWIRE is a Remote Access Tool (RAT) that has been used since at least 2014. It is a publicly available commodity malware and has been observed being used by financially motivated and nation-state actors.

In the second half of 2022, we noticed an uptick in the prevalence of NETWIRE usage in our telemetry data. This prompted the Elastic Security Labs team to develop a configuration extractor to assist the security community in collecting atomic indicators within the configurations. Using this extractor will support threat tracking and improve detection, prevention, and response times.

Extractor

The NETWIRE RAT uses the RC4 symmetric cipher to protect its configuration. The encrypted configuration values are stored in the .data section alongside the 16-byte RC4 key used to decrypt them.

While reversing our samples, we noticed that for both the crypto::rc4_init_sbox and crypto::rc4_decrypt functions the second argument (#2 in the image below) is always the memory address of the encrypted configuration value to process, and the third argument (#3) is an immediate value pushed onto the stack before the call that holds the size of the encrypted string.

It was also noted that the calls follow one another directly. This matters because it lets us structure the extractor to walk these calls sequentially.

With $key (from the above image) in mind, we created YARA rules to identify the location of the key and encrypted configuration values.

![YARA rule section that identifies the key and encrypted configuration](/assets/images/netwire-dynamic-configuration-extraction/image5.jpg)

With this information, the extractor can:

  1. Locate the function responsible for decrypting the configuration using YARA.

  2. Disassemble the function using Capstone.

  3. Extract the RC4 key address and the encrypted configuration field addresses.

  4. Extract the size of the configuration field.

  5. RC4 decrypt the encrypted fields and rebuild the configuration.

![RC4 decrypting the configuration](/assets/images/netwire-dynamic-configuration-extraction/image5.jpg)
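The steps above, worked end to end as an added example (this is not Elastic's extractor code). The real tool disassembles the located function with Capstone; to run offline, this example decodes only the handful of x86 encodings the call sequence needs (push imm8, push imm32, call rel32, add esp,imm8) and then performs the same argument recovery and RC4 decryption. The addresses, the 16-byte key, the field contents and the byte layout are all constructed for the demo, and the sample re-initialises the S-box before every field so each field is an init/decrypt pair.

```python
"""Recover RC4-protected NETWIRE-style config fields from the push/call
sequence in front of each decrypt call (steps 3-5 above).
Added example, not Elastic's extractor: the real tool disassembles with
Capstone; this one decodes only the x86 encodings it needs (push imm8/imm32,
call rel32, add esp,imm8). Addresses, key and fields are all constructed."""
import struct

CODE_VA = 0x00401000         # constructed: start of the decoded call sequence
DATA_VA = 0x00403000         # constructed: start of the .data blob
SBOX_VA = 0x00405000         # constructed: RC4 state buffer (argument #1)
RC4_INIT_VA = 0x00402000     # stands in for crypto::rc4_init_sbox
RC4_DECRYPT_VA = 0x00402100  # stands in for crypto::rc4_decrypt


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same op."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_calls(code: bytes, base: int):
    """Linear sweep: for every CALL return (target VA, args) with args in cdecl
    order, so args[1] is argument #2 (buffer address), args[2] argument #3 (size)."""
    calls, pushes, pc = [], [], 0
    while pc < len(code):
        op = code[pc]
        if op == 0x6A:                                   # push imm8 (sign-extended)
            pushes.append(struct.unpack_from("<b", code, pc + 1)[0] & 0xFFFFFFFF)
            pc += 2
        elif op == 0x68:                                 # push imm32
            pushes.append(struct.unpack_from("<I", code, pc + 1)[0])
            pc += 5
        elif op == 0xE8:                                 # call rel32
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            pc += 5
            calls.append(((base + pc + rel) & 0xFFFFFFFF, pushes[::-1]))
            pushes = []
        elif op == 0x83 and code[pc + 1] == 0xC4:        # add esp, imm8 (cleanup)
            pc += 3
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {base + pc:#010x}")
    return calls


def extract_config(code: bytes, data: bytes):
    """Key comes from the rc4_init_sbox call; each rc4_decrypt call names the
    (address, size) of one encrypted field, which is bounds-checked and decrypted."""
    key, fields = None, []
    for target, args in decode_calls(code, CODE_VA):
        if len(args) != 3:
            continue
        _sbox, addr, size = args
        off = addr - DATA_VA
        if off < 0 or off + size > len(data):
            raise ValueError(f"argument {addr:#x}/{size} points outside .data")
        if target == RC4_INIT_VA:
            key = data[off:off + size]                   # the 16-byte key in .data
        elif target == RC4_DECRYPT_VA:
            if key is None:
                raise ValueError("rc4_decrypt seen before rc4_init_sbox")
            fields.append(rc4(key, data[off:off + size]))
    return key, fields


def build_sample():
    """Constructed sample: .data = key + encrypted fields; the code pushes
    size, address and S-box and calls init then decrypt once per field."""
    key = bytes(range(16))                               # constructed, not a real key
    plain = [b"HostId", b"198.51.100.7:3360", b"SOFTWARE\\NetWire", b"bKHdnasd"]
    data, layout = bytearray(key), []
    for p in plain:
        layout.append((DATA_VA + len(data), len(p)))
        data += rc4(key, p)
    code = bytearray()

    def emit(addr, size, target):                        # push arg3, arg2, arg1; call
        code.extend(b"\x6A" + struct.pack("<b", size) if size < 0x80
                    else b"\x68" + struct.pack("<I", size))
        code.extend(b"\x68" + struct.pack("<I", addr))
        code.extend(b"\x68" + struct.pack("<I", SBOX_VA))
        code.extend(b"\xE8" + struct.pack("<i", target - (CODE_VA + len(code) + 5)))
        code.extend(b"\x83\xC4\x0C")                     # add esp, 0xC

    for addr, size in layout:
        emit(DATA_VA, 16, RC4_INIT_VA)
        emit(addr, size, RC4_DECRYPT_VA)
    return bytes(code), bytes(data), plain


def run_demo():
    code, data, plain = build_sample()
    key, fields = extract_config(code, data)
    return {"key": key.hex(), "fields": [f.decode() for f in fields],
            "recovered_all": fields == plain}
```

Calling run_demo() returns the recovered key and the four plaintext fields. The bounds check in extract_config is the part worth keeping in a real extractor: a mis-identified push immediate would otherwise read from an arbitrary offset and produce a plausible-looking but wrong "configuration" rather than an error.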

Once we have recreated the configuration, we can use the extractor to pull out several parameters used by NETWIRE, as well as a few basic file characteristics:

  • Active Setup Key : Active Setup registry key to achieve persistence.
  • C2 IP list : List of command and control (C2) server domains or IP addresses.
  • Host ID : A unique identifier that is assigned to the infected machine.
  • Installation path : The location where the malware will be installed.
  • Keylogger logs directory : The location where the keylogging log file will be stored.
  • Mutex : Mutex name, to create a synchronization object to ensure only one instance of the sample is running on the machine.
  • Password : Static password from which the AES key used to encrypt communication between the malware and the C2 server is derived.
  • Run registry key entry : Name of the entry in the run registry, used for persistence.
  • Sleep in seconds : The amount of time the malware sleeps.

The configuration extractor accepts four parameters:

  • -f : specify a single NETWIRE sample
  • -d : specify a directory of NETWIRE samples
  • -o : write the configuration in JSON format to the specified file
  • --all-config : print the unparsed raw decrypted configuration

Analysis

We’ve used this extractor to examine a set of samples from the previous 180 days to extract indicators for further enrichment and analysis.

Our initial batch of samples was a mixture of executable files and memory dumps. The extractor only works on unmapped files, so the dumps, which were already mapped, were run through pe_unmapper.

When a payload is extracted from memory, what we obtain is its memory-mapped image. This means each section's "Raw Address" and "Raw Size" in the PE headers no longer match where that section's data actually sits in the file. To realign the PE, the raw pointer of every section must be adjusted to match its virtual address.
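The realignment described above, as an added example (not pe_unmapper's or Elastic's code): parse the section table, then rewrite each header so PointerToRawData equals VirtualAddress and SizeOfRawData equals VirtualSize. The small PE image is constructed for the demo, with its section contents placed at their virtual addresses while the headers still carry on-disk offsets, which is exactly what a memory dump looks like; the 16 marker bytes in .data stand in for the RC4 key a file-based parser would otherwise fail to find.

```python
"""Realign a memory-dumped PE so file-offset section reads work again.
Added example, not pe_unmapper or Elastic's code. The dump is laid out by
virtual address but its headers still hold on-disk PointerToRawData /
SizeOfRawData; fix: raw pointer = VirtualAddress, raw size = VirtualSize.
The PE image built below is constructed for the demo."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
KEY_MARKER = bytes(range(0x10, 0x20))   # constructed 16 bytes standing in for the key


def iter_sections(image: bytes):
    """Yield (header offset, name, VirtualSize, VirtualAddress, SizeOfRawData,
    PointerToRawData) for every section header in the image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_size
    for i in range(nsec):
        hdr = first + 40 * i
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", image, hdr)
        yield hdr, name.rstrip(b"\0"), vsize, va, rawsize, raw


def section_bytes(image: bytes, name: bytes) -> bytes:
    """Read a section the way a file-based parser does: via its raw pointer."""
    for _, n, _, _, rawsize, raw in iter_sections(image):
        if n == name:
            return image[raw:raw + rawsize]
    raise KeyError(name)


def unmap_pe(image: bytes) -> bytes:
    """Return a copy whose headers describe the mapped layout. VirtualSize of 0
    (seen in some packed binaries) falls back to the old raw size."""
    out = bytearray(image)
    for hdr, _, vsize, va, rawsize, _ in iter_sections(image):
        size = vsize or rawsize
        if va + size > len(out):
            raise ValueError(f"section at {va:#x} extends past the end of the dump")
        struct.pack_into("<II", out, hdr + 16, size, va)   # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_mapped_dump() -> bytes:
    """Constructed stand-in for a payload dumped from memory: headers keep the
    on-disk offsets (.text at 0x200, .data at 0x400) while the contents sit at
    their virtual addresses (0x1000 and 0x2000)."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF header: i386, 2 sections, 0xE0-byte optional header, EXE + 32-bit
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", img, 0x98, 0x10B)                      # PE32 magic
    struct.pack_into("<II", img, 0x98 + 32, 0x1000, 0x200)        # Section/FileAlignment
    first = 0x98 + 0xE0
    sections = [(b".text", 0x180, 0x1000, 0x200, 0x200, 0x60000020),
                (b".data", 0x90, 0x2000, 0x200, 0x400, 0xC0000040)]
    for i, (name, vsize, va, rawsize, raw, flags) in enumerate(sections):
        struct.pack_into(SECTION_HDR, img, first + 40 * i,
                         name, vsize, va, rawsize, raw, 0, 0, 0, 0, flags)
    img[0x1000:0x1004] = b"\x55\x8B\xEC\xC3"    # push ebp; mov ebp, esp; ret
    img[0x2000:0x2010] = KEY_MARKER              # "key" lives at its VA, not at 0x400
    return bytes(img)


def run_demo():
    """Before unmapping the raw pointer lands on zero padding; after, on the key."""
    dump = build_mapped_dump()
    before = section_bytes(dump, b".data")[:16]
    after = section_bytes(unmap_pe(dump), b".data")[:16]
    return {"before_is_key": before == KEY_MARKER, "after_is_key": after == KEY_MARKER}
```

Two caveats a practitioner should keep in mind: the rewritten image is only meant for parsers and extractors, not for execution, and it does not restore anything the dumper may have lost (for example an import table the loader already resolved in place).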

Now we can run the configuration extractor with Poetry against our directory of unmapped binaries:

**poetry lock**
**poetry install**
**poetry shell**
**netwire-config-extractor -d sample-dir/ -o output.ndjson**

This file, output.ndjson, can then be uploaded to Kibana for further analysis.

Check out the Elastic Container project to quickly spin up an Elastic Stack and start analyzing structured security-relevant data.

Next time you run into a NETWIRE sample, run it through our configuration extractor to pull out other indicators to help you on your analytic journey or begin remediating quicker.

Detection

YARA

These YARA rules can be used to detect and identify the NETWIRE RAT.

rule Windows_Trojan_Netwire_1 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a = { 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C }
   condition:
       all of them
}
rule Windows_Trojan_Netwire_2 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a1 = "[%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword
       $a2 = "\\Login Data"
       $a3 = "SOFTWARE\\NetWire" fullword
   condition:
       2 of them
}
rule Windows_Trojan_Netwire_3 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a = { C9 0F 44 C8 D0 EB 8A 44 24 12 0F B7 C9 75 D1 32 C0 B3 01 8B CE 88 44 }
   condition:
       all of them
}
rule Windows_Trojan_Netwire_4 {
   meta:
       author = "Elastic Security"
       os = "Windows"
       arch = "x86"
       category_type = "Trojan"
       family = "Netwire"
       threat_name = "Windows.Trojan.Netwire"
   strings:
       $a1 = "http://%s%ComSpec" ascii fullword
       $a2 = "%c%.8x%s" ascii fullword
       $a3 = "%6\\6Z65dlNh\\YlS.dfd" ascii fullword
       $a4 = "GET %s HTTP/1.1" ascii fullword
       $a5 = "R-W65: %6:%S" ascii fullword
       $a6 = "PTLLjPq %6:%S -qq9/G.y" ascii fullword
   condition:
       4 of them
}

Indicators

All indicators are also available for download in both ECS and STIX format in a combined zip bundle.

The following indicators were discussed in this research.

| Indicator | Type | Note |
| --- | --- | --- |
| 139.28.38[.]235 | ipv4-addr | NETWIRE RAT C2 |
| 149.102.132[.]253 | ipv4-addr | NETWIRE RAT C2 |
| 184.75.221[.]115 | ipv4-addr | NETWIRE RAT C2 |
| 185.136.165[.]182 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]139 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]144 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]154 | ipv4-addr | NETWIRE RAT C2 |
| 185.140.53[.]61 | ipv4-addr | NETWIRE RAT C2 |
| 185.216.71[.]251 | ipv4-addr | NETWIRE RAT C2 |
| 194.36.111[.]59 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]126 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]178 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]188 | ipv4-addr | NETWIRE RAT C2 |
| 194.5.98[.]65 | ipv4-addr | NETWIRE RAT C2 |
| 212.193.29[.]37 | ipv4-addr | NETWIRE RAT C2 |
| 212.193.30[.]230 | ipv4-addr | NETWIRE RAT C2 |
| 213.152.161[.]249 | ipv4-addr | NETWIRE RAT C2 |
| 217.151.98[.]163 | ipv4-addr | NETWIRE RAT C2 |
| 23.105.131[.]166 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]199 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]203 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]206 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]208 | ipv4-addr | NETWIRE RAT C2 |
| 37.0.14[.]214 | ipv4-addr | NETWIRE RAT C2 |
| 37.120.217[.]243 | ipv4-addr | NETWIRE RAT C2 |
| 51.161.104[.]138 | ipv4-addr | NETWIRE RAT C2 |
| 54.145.6[.]146 | ipv4-addr | NETWIRE RAT C2 |
| 80.66.64[.]136 | ipv4-addr | NETWIRE RAT C2 |
| 85.209.134[.]105 | ipv4-addr | NETWIRE RAT C2 |
| 85.31.46[.]78 | ipv4-addr | NETWIRE RAT C2 |
| 94.156.35[.]40 | ipv4-addr | NETWIRE RAT C2 |
| 20220627.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| admin96.hopto[.]org | domain-name | NETWIRE RAT C2 |
| alice2019.myftp[.]biz | domain-name | NETWIRE RAT C2 |
| asorock1111.ddns[.]net | domain-name | NETWIRE RAT C2 |
| banqueislamik.ddrive[.]online | domain-name | NETWIRE RAT C2 |
| betterday.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| bigman2021.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| blazeblaze.ddns[.]net | domain-name | NETWIRE RAT C2 |
| chongmei33.myddns[.]rocks | domain-name | NETWIRE RAT C2 |
| clients.enigmasolutions[.]xyz | domain-name | NETWIRE RAT C2 |
| gracedynu.gleeze[.]com | domain-name | NETWIRE RAT C2 |
| ingobea.hopto[.]org | domain-name | NETWIRE RAT C2 |
| iphanyi.edns[.]biz | domain-name | NETWIRE RAT C2 |
| iphy.strangled[.]net | domain-name | NETWIRE RAT C2 |
| kimlee11.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| loffgghh.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| megaton.gleeze[.]com | domain-name | NETWIRE RAT C2 |
| moran101.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| netuwaya.servecounterstrike[.]com | domain-name | NETWIRE RAT C2 |
| nowancenorly.ddns[.]net | domain-name | NETWIRE RAT C2 |
| podzeye.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| podzeye2.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| recoveryonpoint.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| redlinea[.]top | domain-name | NETWIRE RAT C2 |
| roller.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| rozayleekimishere.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| sani990.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| saturdaylivecheckthisout.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| uhie.hopto[.]org | domain-name | NETWIRE RAT C2 |
| uhie2020.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| wcbradley.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| xman2.duckdns[.]org | domain-name | NETWIRE RAT C2 |
| zonedx.ddns[.]net | domain-name | NETWIRE RAT C2 |
