IBM X-Force researchers have discovered a new campaign that targets organizations with fake business emails delivering the Netwire remote access Trojan (RAT) and its variants. The RAT is hidden inside an IMG file, a file extension used by disk imaging software. Because many attachment types are automatically blocked by email security controls, cybercriminals and spammers frequently change which file types they use in malspam messages and which types they hide the malware in. X-Force's analysis shows that the emails delivering the Netwire RAT in this campaign come from a small number of unique senders fraudulently claiming to be located in Germany.
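The delivery trick described above, a disk image attached where a document is expected, can be caught at the mail gateway by checking both the attachment's extension and its content. The following is an added example, not IBM X-Force's code; it parses a constructed sample message and flags attachments that are disk images by extension (.img, .iso) or that carry the ISO 9660 "CD001" signature even after being renamed to something else.

```python
"""Triage an e-mail for disk-image attachments (IMG/ISO), the container used
to deliver Netwire in this campaign. Added example, not IBM X-Force code."""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

DISK_IMAGE_EXTENSIONS = {".img", ".iso"}
# ISO 9660 stores its primary volume descriptor in sector 16 (2048-byte
# sectors); the standard identifier "CD001" sits at byte offset 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def disk_image_reason(filename: str, data: bytes) -> Optional[str]:
    """Return why the attachment looks like a disk image, or None if it does not."""
    ext = os.path.splitext(filename or "")[1].lower()
    if ext in DISK_IMAGE_EXTENSIONS:
        return f"disk-image extension {ext}"
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "ISO 9660 signature at 0x8001 despite non-image extension"
    return None


def triage_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every suspicious attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reason = disk_image_reason(name, payload)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one .img attachment, one ISO renamed to .dat, one PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed sender
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Purchase order"
    msg.set_content("Please see the attached order.")
    iso_like = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 64
    msg.add_attachment(b"junk", maintype="application", subtype="octet-stream", filename="order.img")
    msg.add_attachment(iso_like, maintype="application", subtype="octet-stream", filename="order.dat")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf", filename="order.pdf")
    return bytes(msg)
```

Only the ISO 9660 signature is checked for content; other disk-image formats (VHD, VHDX, raw .img) have different or no magic bytes and rely on the extension check.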
The Netwire RAT is a malicious tool first seen in the wild in 2012. This multiplatform malware is a classic of the cybercrime arsenal: it has gone through several upgrade cycles and has been identified in attacks ranging from fraud by Nigerian scammers to advanced persistent threat (APT) operations. Netwire is a commercial offering that can be bought on darknet markets, which means it can be used by almost any threat actor or cybercriminal operating in the darker corners of the internet.
This isn't the first time Netwire has been sent in fake business correspondence. In a campaign launched in September 2019, its operators sent booby-trapped fraudulent PDF files to potential victims, presented as a business opportunity. The actual file was an executable that installed the Netwire RAT as soon as it was downloaded and opened.
Image Source: techseen.com
Netwire is used by a wide range of groups, so attribution based on the tool alone is rather futile. Looking at some of the unencrypted strings found in memory, we identified a series of words in a foreign language that appears to be Indonesian. This points to a financially motivated campaign, most likely run by local criminals looking for opportunities to empty victims' bank accounts. Although we have not observed the full post-infection flow, it may be followed by a 419-type scam, or it may involve social engineering or phishing pages that lure victims into entering their online and mobile banking credentials, allowing the attackers to take over their accounts.
Recent campaigns in the wild show that the Netwire RAT is not the only malware delivered via disk-image file formats. This was something of a trend in late 2019, likely because the same spamming tools and techniques were distributing RATs for different threat actors and purposes.
Image Source: www.infoworld.com
As security professionals, we most often hear about the larger and more impactful data breaches, ransomware attacks and campaigns, which are typically carried out by technically skilled cybercriminals. But while most of these financially motivated operations are the work of larger, organized crime groups, smaller factions are still very much in operation, and they too target businesses to compromise bank accounts and steal money using commercially available malware year-round.
Indicators of compromise (IoCs) and other information on how to protect networks from the Netwire RAT can be found on IBM X-Force Exchange. Right after initial execution, the malware establishes persistence via a scheduled task, a common technique among malware developers. Scheduled tasks let the malware check that it is still active, or relaunch itself, on a recurring basis.
Source: Security Intelligence
Disclaimer: Darkweblink.com does not promote or endorse claims made by any parties in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase and/or sale of any products or services, or to serve as a recommendation to do so. Neither Darkweblink.com nor any of its members is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in connection with reliance on or use of any content, goods or services mentioned in this article.