Netwire RAT rides on new malware dropper

News by Rene Millman

New malware dropper WiryJMPer uses novel obfuscation techniques to conceal Netwire RAT

Security researchers have discovered a new malware dropper that is infecting systems with the Netwire remote access trojan (RAT).

The Netwire payload hides between two benign binaries, Avast researchers Adolf Streda and Luigino Camastra wrote in a blog post. They first noticed the malware when they saw a simple binary file posing as an ABBC Coin wallet. 

"We found the file suspicious, as the file size was three-times as big as it should be," they wrote. Behavioural analysis revealed that the binary that was posing as an ABBC Coin wallet is a dropper. They called it WiryJMPer.

The first stage of the payload innocently appears as a regular WinBin2Iso binary with a suspiciously large .rsrc section. 

"The JMP instruction, which is normally part of a loop handling window messages, jumps into the .rsrc section where a roller-coaster of control flow begins," they wrote.

This causes an unresponsive WinBin2Iso window to appear briefly before being replaced by an ABBC Coin wallet window. "This window is always shown at startup and thus it is a good indicator of infection," wrote the researchers.

The combination of control flow obfuscation and low-level code abstraction made the analysis of the malware’s workflow "rather tedious" for them.

"Moreover, during the analysis, we found that the obfuscated loader also utilises a (possibly) custom stack-based virtual machine during the RC4 key schedule, which aroused our interest even more," they wrote.

The malware has the WinBin2Iso binary patched to unpack Netwire and another binary.

"For example, the decoy payload led to a different but legitimate installer of Bitcoin Core (version 0.18.0). Others led to the Yoroi wallet, Neon wallet, ZecWallet, DigiByte Core, OWallet, Verge core wallet and others. The common denominator seems to be cryptocurrency wallets," wrote the researchers.

While the malware’s functionality isn’t very innovative, it has managed to pass under the radar for some time, probably due to obfuscation and rather low prevalence, they noted. 

"The rather slow setup of the decoy showing multiple windows with unrelated titles may be suspicious enough for power-users. On the other hand, providing the "decoy" binary might be comforting enough for ordinary users," warned the researchers.

The rate of innovation cyber-criminals are operating at is making it impossible for detection tools alone to keep up with new techniques and malware strains that are constantly being produced, Bromium EMEA CTO Fraser Kyne told SC Media UK. 

"What’s more, even when detection tools catch-up to this, cybercriminals will look for new ways to bypass defences again. The only way to stop this vicious cycle is to stop relying on detection-alone to secure high value assets. Instead, organisations must deploy layered defences to protect the endpoint from threats that bypass the first line of defence," he said.

Employees  need to be made aware of the risks and consequences of downloading unauthorised applications from the internet onto corporate devices, said Clearswift CTO Guy Bunker.

"There should be policies in place on acceptable use of corporate devices and processes to deal with applications which the user would like to install but aren’t part of a standard build, and processes for dealing with issues including ransomware and other malware infections," he told SC Media UK.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews