NetWire RAT Back, Stealing Payment Card Data

Researchers say they spotted the remote access Trojan NetWire stealing payment card data from one organization.

The remote access Trojan NetWire is back and this time making the rounds pilfering payment card data. The move is a shift for the attackers behind the notorious NetWire, which was once thought to be the first multi-platform RAT.

Over the last couple of years payment card breaches have been mostly synonymous with point of sale (POS) malware that scrapes the data of swiped credit and debit cards from the infected system's memory. A new variant of NetWire RAT also scrapes card data, and it boasts an integrated keylogger that can capture input from devices such as USB card readers (which present themselves to the system as keyboards), according to researchers at SecureWorks, who on Monday detailed the latest version of the RAT, which they came across back in September.

The RAT relies on victims opening an attachment in a phishing email; once the attachment is opened the malware is downloaded, and the infection can linger for months or years before it is discovered, according to SecureWorks researchers.

Researchers say they spotted the RAT collecting data during an incident response engagement, but that this particular variant wasn't specifically built to target POS systems.

This iteration was a .NET-compiled binary named "TeamViewer 10" that, once executed, drops an .EXE file and sets about establishing persistence. Researchers say the file creates a Windows shortcut in the Startup folder, which ensures the RAT launches every time the victim logs into the system. Researchers note the file has nothing to do with TeamViewer; the name was likely chosen by the malware's author to trick victims into thinking the file was the legitimate remote support software.

In addition to copying itself to the Startup folder, NetWire injects code into notepad.exe to evade detection. Ironically, the technique did the attackers more harm than good and got the malware noticed, since it is odd for Notepad to have an active network connection.
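The check that caught this sample is a simple one: correlate open sockets with their owning process and flag processes that should never be on the network. The script below is an added example and not SecureWorks' tooling; it parses constructed `netstat -ano` and `tasklist /fo csv` output (the formats Windows actually emits, but the sample lines, PIDs and addresses here are made up), and the watchlist of "no network" processes is an assumption you would tune for your own environment.

```python
import csv
import io

# Processes that have no legitimate reason to hold a network connection.
# Constructed watchlist for this example; extend it for your environment.
NO_NETWORK_PROCESSES = frozenset({"notepad.exe", "calc.exe", "mspaint.exe", "write.exe"})

# Constructed sample output in the shape of `netstat -ano` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     4120
  TCP    192.168.1.20:49713     203.0.113.10:443       ESTABLISHED     2288
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    1504
"""

# Constructed sample output in the shape of `tasklist /fo csv`.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"notepad.exe","4120","Console","1","12,340 K"
"chrome.exe","2288","Console","1","210,112 K"
"svchost.exe","912","Services","0","8,000 K"
"svchost.exe","1504","Services","0","9,512 K"
"""


def parse_tasklist_csv(text):
    """Map PID -> lower-cased image name from `tasklist /fo csv` output."""
    pids = {}
    for row in csv.DictReader(io.StringIO(text)):
        pids[int(row["PID"])] = row["Image Name"].lower()
    return pids


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) tuples from `netstat -ano` output.

    TCP rows carry a State column; UDP rows do not, so they have one field fewer.
    """
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections" banner
        if parts[0] == "TCP" and len(parts) == 5:
            yield ("TCP", parts[1], parts[2], parts[3], int(parts[4]))
        elif parts[0] == "UDP" and len(parts) == 4:
            yield ("UDP", parts[1], parts[2], "", int(parts[3]))


def find_suspicious_connections(netstat_text, tasklist_csv, watchlist=NO_NETWORK_PROCESSES):
    """Return sockets owned by watchlisted processes (established TCP, or any UDP socket)."""
    pid_to_image = parse_tasklist_csv(tasklist_csv)
    hits = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if image in watchlist and (proto == "UDP" or state == "ESTABLISHED"):
            hits.append({"image": image, "pid": pid, "proto": proto,
                         "local": local, "remote": remote, "state": state})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{hit['image']} (PID {hit['pid']}) {hit['proto']} {hit['local']} -> {hit['remote']} {hit['state']}")
```

On a live host you would feed the script the real command output (for example via `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout`); the chrome.exe and svchost.exe rows are there to show that the check is keyed on the owning image, not on the destination.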

It wasn’t until researchers devised a decoder for the keylogger’s output files that they determined it was actually stealing sensitive information. They found track 1 and track 2 card data, plaintext credentials, and context that tells the attacker where the data was entered.

“The files also display the window title of the opened application, which reveals which application and website the sensitive information was entered into,” SecureWorks’ research describes.
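Once keylogger output has been decoded, the triage question is whether it contains magnetic-stripe data. The following added example (not SecureWorks' decoder, whose format the article does not describe) searches decoded text for ISO/IEC 7813 track 1 and track 2 records, validates the PAN with the Luhn checksum to weed out digit strings that merely look like card numbers, and attaches the window title from which the keystrokes came. The "[window title] keystrokes" line layout and the sample log lines are constructed for this example; the card number is the well-known Visa test PAN.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")
# Assumed layout of each decoded keylogger line: "[window title] keystrokes"
WINDOW = re.compile(r"^\[(?P<title>[^\]]*)\]\s*(?P<keys>.*)$")

# Constructed sample of decoded keylogger output (test PAN, fake credentials).
SAMPLE_KEYLOG = """\
[POS Register 3 - PaymentApp] %B4111111111111111^DOE/JANE^25121011234567890?;4111111111111111=25121011234567890?
[Webmail - Google Chrome] alice@example.com[TAB]S3cretPass![ENTER]
[Untitled - Notepad] ;4111111111111112=2512101?
"""


def luhn_valid(pan):
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four so findings can be reported without copying full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(log_text):
    """Return one finding per track record found, with its source window title."""
    findings = []
    for line in log_text.splitlines():
        m = WINDOW.match(line)
        title, keys = (m.group("title"), m.group("keys")) if m else ("", line)
        for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for hit in rx.finditer(keys):
                pan = hit.group(1)
                yy, mm, svc = hit.groups()[-3:]  # last three groups are YY, MM, service code
                findings.append({
                    "window": title,
                    "track": track,
                    "pan": mask_pan(pan),
                    "expiry": f"20{yy}-{mm}",
                    "service_code": svc,
                    "luhn_valid": luhn_valid(pan),
                })
    return findings


if __name__ == "__main__":
    for f in find_card_data(SAMPLE_KEYLOG):
        print(f"{f['track']} {f['pan']} exp {f['expiry']} luhn={f['luhn_valid']} in '{f['window']}'")
```

The third sample line is a record whose PAN fails the Luhn check; it is still reported, but marked, because an analyst would rather dismiss a flagged false positive than miss a record that a hand-typed log mangled by one digit. Swiped input arrives as one burst of keystrokes ending in `?`, which is why the regexes anchor on the sentinel characters rather than on digit runs alone.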

Researchers with the firm didn’t disclose which company’s systems the RAT was discovered on, only that it was an organization that processes numerous credit cards daily.

The NetWire RAT is by no means new – it’s been around in one iteration or another since 2012.

Attackers used NetWire last year in a rash of attacks against banks and healthcare companies. To get infected, victims of that variant would have had to open a malicious Word document, rigged with macros, that downloaded the RAT from Dropbox.

In 2014 researchers with Palo Alto Networks discovered a group of Nigerian scammers, tracked by the firm as Silver Spaniel, using NetWire to remotely control infected systems. Researchers with FireEye observed a separate spam campaign that same year peddling RATs such as NetWire and DarkComet, along with Trojans such as Zeus and Handsnake.

Retail chains are unlikely to welcome this week’s NetWire news.

The holiday season is perpetually marred by credit card fraud. Three years ago the now-infamous Target breach affected customers who shopped at U.S. Target stores during this pivotal span, between November 27 and December 15. The same malware that hit Target’s point of sale terminals, BlackPOS, was later tied to the even bigger breach of Home Depot the following summer, although some experts disputed that connection.
