Detection Content: Hunting for Netwire RAT

NetWire is a publicly-available Remote Access Trojan that is a part of the NetWiredRC malware family used by cybercriminals since 2012. Its primary functionality is focused on credentials stealing and keylogging, but it also has remote control capabilities. Adversaries often distribute NetWire through malspam and phishing emails. 

In a recent campaign, cybercriminals targeted users in Germany and disguised phishing emails as German courier, parcel, and express mail service DHL. The attackers used MS Excel documents as a malicious attachment. It activates a PowerShell command to download two files from Pastebin and perform character replacements on them to decode the DLL file, download obfuscated NetWire RAT, and then use decoded DLL to inject trojan into the legitimate process. 

New threat hunting rule by Osman Demir uncovers PowerShell command to download malicious files and process injection into a legitimate Windows file.

Netwire RAT via paste.ee and MS Excelhttps://tdm.socprime.com/tdm/info/999rWf0zExpC/YyFoJ3IBjwDfaYjKeoqF/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Command and Control

Techniques: Remote Access Tools (T1219)

You can also check the community rule Netwire RAT detection via WScript: https://tdm.socprime.com/tdm/info/uI7Og7wR6TUZ/SDkzRW4BLQqskxffI-01/