A new business email campaign targets enterprise users with the aim of delivering the NetWire remote-access Trojan (RAT) through an IMG file attachment.
NetWire RAT has been used by attackers since 2012, and it is mostly distributed through phishing emails with malicious attachments.
The malware has undergone various upgrades over the years and has been used by actors ranging from Nigerian scammers to advanced persistent threat (APT) groups.
It has also been sold in dark web markets, which lets any threat actor purchase it and use it to launch attacks.
NetWire RAT Campaign
IBM X-Force researchers observed a business email campaign that delivers NetWire RAT variants.
The emails carry IMG files as attachments. In total, 15 such malicious emails carrying the same attachment were observed, coming from two unique senders.
IMG files are created by disc imaging applications and are used in enterprises to distribute projects, reports and other documents.
In the samples analyzed by IBM X-Force, the email includes an IMG file named “Sales_Quotation_SQUO00001760.img”; the malware is archived within the IMG file.
Once the IMG file is opened, the NetWire RAT executes and establishes persistence by creating a scheduled task that relaunches the malware.
It also creates additional registry keys to store data received from the command-and-control (C&C) server and to operate on the infected device; for communications it uses TCP port 3012.
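To show how the behaviours described above can be correlated on an endpoint, here is an added detection example; it is not code from the article or from IBM X-Force. It runs over constructed, Sysmon-style log lines (the log format, host names and the 203.0.113.10 address are assumptions; the IMG file name and TCP port 3012 come from the article) and only reports hosts that show at least two of the three behaviours, since a scheduled task on its own is routine administration.

```python
# Added example (not from the article): correlate the NetWire behaviours the
# article describes across constructed Sysmon-style events, per host.
import re
from collections import defaultdict

# Constructed sample events in the form host|event_type|detail (not real telemetry).
SAMPLE_LOGS = """\
WS01|process|cmd=explorer.exe C:\\Users\\a\\Downloads\\Sales_Quotation_SQUO00001760.img
WS01|process|cmd=schtasks.exe /create /sc minute /mo 1 /tn Updater /tr E:\\update.exe
WS01|network|dst=203.0.113.10 dport=3012 proto=tcp
WS02|process|cmd=schtasks.exe /create /sc daily /tn Backup /tr C:\\backup.exe
WS03|network|dst=203.0.113.10 dport=3012 proto=tcp
"""

# One pattern per behaviour from the article: IMG attachment opened, scheduled
# task created for persistence, outbound connection to the C&C port.
RULES = {
    "img_attachment": re.compile(r"\.img\b", re.IGNORECASE),
    "sched_task_persistence": re.compile(r"schtasks(\.exe)?\s+/create", re.IGNORECASE),
    "c2_port_3012": re.compile(r"dport=3012\b"),
}


def parse_line(line):
    """Split a constructed log line into (host, event_type, detail)."""
    host, event_type, detail = line.split("|", 2)
    return host, event_type, detail


def correlate(log_text, threshold=2):
    """Return {host: sorted behaviour names} for hosts matching at least
    `threshold` distinct behaviours; single indicators are not reported."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _, detail = parse_line(line)
        for name, pattern in RULES.items():
            if pattern.search(detail):
                hits[host].add(name)
    return {h: sorted(b) for h, b in hits.items() if len(b) >= threshold}


if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(behaviours)}")
```

With the sample data only WS01 is reported; WS02 (a lone scheduled task) and WS03 (a lone connection to port 3012) fall below the threshold.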
“We identified a series of strings written in a foreign language, which appears to be Indonesian and they relate to the login prompt, payment options, donations.”
Following are the malware strings from the recent NetWire RAT campaign:
Researchers believe that “campaign is financially motivated and most likely being carried out by local fraudsters looking to rob account owners in various ways.”
This is not the first time the IMG file format has been used by attackers; previously, Raccoon Stealer malware delivered by an IMG file attacked a financial organization to steal sensitive data.