Netwire RAT Behind Recent Targeted Attacks

Netwire is a multiplatform remote administration tool (RAT) that cybercriminals have used since 2012. It gives an attacker a range of functions for remotely controlling infected machines.

Lately, McAfee Labs has seen a spike in the number of attacks employing Netwire. In a recent case, Netwire was used in a targeted attack against organizations in the banking and healthcare sectors.


The Attack
This recent attack used a specially crafted Word document with an embedded malicious macro. The document is delivered with a social-engineering lure to persuade the victim to open it and allow the macro to run.

Once the document is opened and the macro runs, it downloads Netwire from Dropbox:

hxxp://www.dropbox.com/s/q*********/tcpview.exe?dl=1

Once executed, the downloaded file, tcpview.exe (the same name as the legitimate Sysinternals TCPView utility), copies itself into the user's AppData folder. Hosting the payload on a widely trusted storage service such as Dropbox helps the download slip past firewall and heuristic detection that would flag a connection to an unknown host.

Netwire

Netwire is a sophisticated RAT with various remote-control functions, including:

  • Collecting system information
  • File manager
  • System manager
  • Keylogging and screen capture

[Screen capture: Netwire's host-monitoring tool]

The file tcpview.exe is packed with a custom cryptor to hinder static analysis, and the malware adds a start-up entry in the registry so that it runs again after a reboot.

The Netwire client tcpview.exe carries a digital signature from a fake certificate, and the signature does not validate.


In the second stage of the attack, the Netwire backdoor connects to the following command-and-control servers:

  • davidluciano.mooo.com
  • jydonky.mooo.com
  • papybrown.mooo.com

Mooo.com is a dynamic DNS provider often favored by Netwire operators. At the time of writing, all three hostnames resolve to the following IP addresses in the United States:

  • 216.38.7.229
  • 23.105.131.179
  • 23.105.131.236
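As an added example (my own illustration, not McAfee's code and not part of the original post), the following Python script matches the indicators above against a handful of constructed DNS, proxy, network, process and registry log lines. It also covers the two host-side behaviours described earlier: the copy of tcpview.exe running from AppData and the registry start-up entry. The log-line layout, the sample lines, the exact Run-key path for the start-up entry and the lower-confidence match on any other *.mooo.com host are assumptions made for illustration; only the three hostnames, three IP addresses, the tcpview.exe name and the AppData drop location come from the post.

```python
import re

# Indicators taken from the post.
C2_DOMAINS = {"davidluciano.mooo.com", "jydonky.mooo.com", "papybrown.mooo.com"}
C2_IPS = {"216.38.7.229", "23.105.131.179", "23.105.131.236"}
DROPPED_NAME = "tcpview.exe"
# An .exe fetched through a Dropbox share link, as the post's download URL was.
DROPBOX_EXE = re.compile(r"https?://(?:www\.)?dropbox\.com/s/\S+?\.exe\?dl=1", re.I)
# Assumption: the start-up entry is written under the per-user Run key.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing matched.

    Constructed line layout, one record per line:
      dns <queried name> <resolved address>
      proxy <url>
      net <process> <destination ip>
      proc <full image path>
      reg <process> <registry key>
    """
    kind, _, rest = line.strip().partition(" ")
    fields = rest.split()
    if kind == "dns" and len(fields) == 2:
        qname, answer = fields[0].lower().rstrip("."), fields[1]
        if qname in C2_DOMAINS or answer in C2_IPS:
            return ("high", f"known Netwire C2: {qname} -> {answer}")
        if qname.endswith(".mooo.com"):
            # Assumption: any other mooo.com host is worth a look, not a verdict.
            return ("medium", f"dynamic-DNS host on a provider favoured by Netwire: {qname}")
    elif kind == "proxy" and fields and DROPBOX_EXE.search(fields[0]):
        return ("medium", f"executable fetched via Dropbox share link: {fields[0]}")
    elif kind == "net" and len(fields) == 2 and fields[1] in C2_IPS:
        return ("high", f"{fields[0]} connected to Netwire C2 {fields[1]}")
    elif kind == "proc":
        path = rest.strip().lower()
        # The post's sample copies itself into AppData; the real Sysinternals
        # TCPView would not normally run from there.
        if path.endswith("\\" + DROPPED_NAME) and "\\appdata\\" in path:
            return ("high", f"{DROPPED_NAME} running from AppData: {rest.strip()}")
    elif kind == "reg" and len(fields) == 2:
        proc, key = fields
        if proc.lower().endswith(DROPPED_NAME) and RUN_KEY.search(key):
            return ("high", f"{proc} wrote a Run-key start-up entry: {key}")
    return None


def scan(lines):
    """Return (line number, severity, reason) for every line that matched."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            hits.append((number, hit[0], hit[1]))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "proxy https://www.dropbox.com/s/abc123/tcpview.exe?dl=1",
    "proc C:\\Users\\alice\\AppData\\Roaming\\tcpview.exe",
    "reg tcpview.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "dns davidluciano.mooo.com 216.38.7.229",
    "dns other.mooo.com 198.51.100.7",
    "net tcpview.exe 23.105.131.179",
    "dns www.example.com 93.184.216.34",
    "proc C:\\Program Files\\Sysinternals\\tcpview.exe",
]

if __name__ == "__main__":
    for number, severity, reason in scan(SAMPLE_LOGS):
        print(f"line {number}: [{severity}] {reason}")
```

The exact hostnames and addresses are "high" because the post ties them to this campaign; the Dropbox download and the wider *.mooo.com match are "medium" because both services carry plenty of legitimate traffic. Note that a copy of tcpview.exe in Program Files is deliberately left alone: the file name by itself is not an indicator, only the name combined with the AppData location or the Run-key write.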

The malicious Word document is detected by McAfee Advanced Threat Defense with high severity.


Advanced Threat Defense also classifies the downloaded file as malicious.

The post Netwire RAT Behind Recent Targeted Attacks appeared first on McAfee.

Now you can easily send (free!) encrypted messages between Android, iOS

On Monday, Open Whisper Systems announced the release of Signal 2.0, the second version of its app for iOS. What makes this latest release special is that it allows users to send end-to-end encrypted messages, for free, to users of Redphone and TextSecure, Android apps supported by Open Whisper Systems that encrypt calling and text messages, respectively.

Previously, this kind of cross-platform secure messaging cost money in the form of a monthly subscription fee that both the sender and the receiver of the message had to pay. (Or, encrypting messages cost considerable time and effort to implement without a dedicated app.) Signal and its Android counterpart TextSecure are unusual in that they provide forward secrecy, deriving a temporary key for each message so that a key stolen later cannot decrypt earlier traffic, while still allowing asynchronous messaging through the use of push notifications and "prekeys." Ars reported on the implementation details in 2013.
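To make the per-message key idea concrete, here is an added example (my own illustration, not Open Whisper Systems' code) of a symmetric hash ratchet of the kind TextSecure and Signal use for a sending chain: each message key is derived from the current chain key, the chain key is then replaced by its successor, and the old one is discarded. Assumed for illustration: HMAC-SHA256 as the derivation function and the one-byte labels 0x01 and 0x02. The Diffie-Hellman prekey exchange that lets two parties who are never online at the same time agree on the initial chain key is left out; the example starts from a chain key that is simply given.

```python
import hashlib
import hmac
import os


def kdf_step(chain_key: bytes):
    """Derive the message key for this step and the next chain key.

    Assumption: HMAC-SHA256 with one-byte labels stands in for the KDF of the
    real protocol. The message key and the next chain key are independent
    outputs, so holding one gives no way to compute the other.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


class SendingChain:
    """One direction of a conversation. Hands out a fresh key per message and
    keeps only the current chain key, so whoever steals the state later cannot
    recover keys that were already used (forward secrecy)."""

    def __init__(self, chain_key: bytes):
        self._chain_key = chain_key
        self.counter = 0

    def next_message_key(self) -> bytes:
        message_key, self._chain_key = kdf_step(self._chain_key)
        self.counter += 1
        return message_key

    def export_state(self) -> bytes:
        """What a compromise of the device at this moment would reveal."""
        return self._chain_key


def keys_from_state(chain_key: bytes, count: int):
    """Everything a holder of `chain_key` can derive: the next `count` message
    keys, but nothing earlier in the chain, since the KDF is one-way."""
    keys = []
    for _ in range(count):
        message_key, chain_key = kdf_step(chain_key)
        keys.append(message_key)
    return keys


def demo(initial_chain_key=None):
    """Send five messages, leak the state after the third, and report which
    message keys the leaked state reproduces."""
    initial_chain_key = initial_chain_key or os.urandom(32)  # constructed seed
    chain = SendingChain(initial_chain_key)
    used = [chain.next_message_key() for _ in range(3)]
    leaked = chain.export_state()
    used += [chain.next_message_key() for _ in range(2)]
    derivable = keys_from_state(leaked, 2)
    return {
        "distinct": len(set(used)) == len(used),
        "future_recovered": derivable == used[3:],
        "past_recovered": any(key in used[:3] for key in derivable),
    }


if __name__ == "__main__":
    print(demo())
```

The result shows the trade-off the article alludes to: a leaked chain key exposes every message sent after the leak until the next Diffie-Hellman ratchet step replaces it, but nothing sent before it, which is exactly why both the symmetric chain and the asynchronous prekey exchange are needed.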

Open Whisper Systems has pulled ahead of other privacy apps by making its interface easy for a person who doesn't know too much about encryption to use. It's also open source, so it can be vetted by experts, and its open encryption protocol can be adopted by other messaging apps. In fact, last November, messaging platform Whatsapp deployed Open Whisper Systems' protocol for its 500 million Android users. Still, until now communicating with iOS users from an Android phone has been much more challenging.


FTC Details the Top 10 Imposter Scams of 2014

Original release date: March 02, 2015

The Federal Trade Commission (FTC) has released an advisory describing the top 10 reported imposter scams for 2014. Scam operators often impersonate individuals, companies, and organizations to entice targets to participate in fraudulent financial transactions.

Users are encouraged to review the FTC advisory for details and refer to the US-CERT Tip ST04-014 for information on social engineering and phishing attacks.
