International authorities bring NetWire’s malware infrastructure to a standstill

What just happened? The US Attorney’s Office, Central District of California, recently announced the seizure of the WorldWiredLabs web domain and supporting infrastructure. The operation, which was coordinated across several countries and law enforcement organizations, stopped the distribution of the NetWire remote access trojan (RAT). The malware was disguised and marketed as a legitimate administration tool that was used by malicious actors to gain unauthorized access to targeted systems.

The successful effort to corner the RAT follows several years of investigation, observation, and planning by law enforcement agencies around the world. Federal authorities in Los Angeles exercised a warrant to seize the worldwiredlabs.com web domain, which was used to sell and distribute the NetWire malware. In addition to the seizure, authorities arrested a Croation national who was identified as the site’s administrator. The now seized website indicates a coordinated effort between US, Croatian, Swiss, Australian, and other Europol-affiliated authorities.

Busted! A coordinated #lawenforcement action ð­ð·ð¨ð­ð¦ðºðºð¸ has taken down the #Netwire Remote Access Trojan infrastructure.

�” Main suspect arrested.#Netwire is a Licensed Commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities.

— EC3 (@EC3Europol) March 10, 2023

The FBI’s initial investigation began in 2020 when investigators purchased a copy of the suspected malware and turned it over for further analysis. According to the warrant‘s summary of probable cause, FBI investigators were able to successfully access the site, pay for a subscription plan, and download the NetWire RAT package for use. Once acquired, an FBI computer scientist used NetWire’s builder tool to configure an instance to test the malware’s capabilities against a specified test machine. At no point did NetWire attempt to verify that those analyzing the software actually had access to the targeted machine.

Once configured, the FBI computer scientist confirmed that the software allowed NetWire users to access files, close applications, retrieve authentication information, track keystrokes, execute commands, and take screenshots, all without alerting the targeted user. These capabilities, behaviors, and lack of notification, which are all calling cards of a traditional RAT attack, are all designed to attract malicious actors with the intent to take advantage of other unsuspecting users.

There are a number of ways that organizations and users can help to prevent themselves from falling victim to RATs and other social engineering-driven attacks. An earlier article from INFOSEC outlines in detail how NetWire worked and provides tips for users and organizations to defend themselves against these types of attacks. These include:

• Training users to be aware of potential phishing schemas and how to handle them
• Becoming aware of emails from unfamiliar senders or sources and with suspicious attachments
• Verifying sources through alternative means before opening or downloading content
• Using anti-malware, antivirus, or other endpoint protection software
• Keeping all software and the operating system files updated

Donald Alway, Assistant Director in charge of the FBI’s L.A. Field Office, highlighted the importance of the NetWire malware’s takedown. “By removing the NetWire RAT, the FBI has impacted the criminal cyber ecosystem.” Alway’s statements also highlighted the fact that “…the global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals.”