eSentire’s TRU team details a stealthy NetWire RAT deployment chain starting with a drive-by download and culminating in process hollowing via Frenchy Shellcode, aided by AntiVM checks, UAC bypass, and persistence. The write-up covers the delivery chain, core payloads, defensive lessons, and indicators of compromise.
Key points
- The NetWire RAT infection vector was identified as a drive-by download from a site offering an Office installer.
- An obfuscated AutoIt dropper deploys OInstall.exe and install.exe, forming the core payload chain.
- The dropper’s strings are deobfuscated via XOR; the deobfuscated data leads to further payloads.
- Resource data is decompressed with DeflateStream and decrypted with AES to reveal additional executables.
- Anti-VM checks terminate execution if virtualization artifacts are detected.
- Persistence is achieved by creating an apppatch folder under %APPDATA%, copying itself there as mtstocom.exe, and registering a Run key.
- A UAC bypass (Eventvwr.exe on Windows 7 or Fodhelper.exe on Windows 10) elevates privileges, followed by process hollowing into RegAsm.exe using Frenchy Shellcode, which delivers the NetWire RAT.
MITRE Techniques
- [T1189] Drive-by Compromise – The primary source of infection was a drive-by download. “The primary source of infection was a drive-by download.”
- [T1059] Command and Scripting Interpreter – The initial malicious file contained an AutoIt script that, upon execution and decryption, drops OInstall.exe (Office 2013-2019 C2R Install). “The initial malicious file contained an AutoIT script that, upon execution and decryption, drops the OInstall.exe (Office 2013-2019 C2R Install) (MD5: 38be94769e4f59d9a90e551e505c2e07).”
- [T1140] Deobfuscate/Decode Files or Information – Detokenized AutoIt script is decrypted using XOR operations. “detokenized AutoIt script is decrypted using XOR operations.”
- [T1027] Obfuscated Files and Information – The resource file is decompressed with DeflateStream and then decrypted with AES. “The resource file is then decompressed with DeflateStream… decrypted the file AES.”
- [T1055.012] Process Injection: Process Hollowing – Frenchy Shellcode performs process hollowing into RegAsm.exe. “process hollowing into RegAsm.exe process.”
- [T1548.002] Bypass User Account Control – UAC bypass using Eventvwr.exe (Win7) or Fodhelper.exe (Win10). “UAC bypass using Eventvwr.exe; if it’s 10, it uses Fodhelper.exe.”
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via an ‘apppatch’ folder under %APPDATA% and the ‘Load’ registry value. “creates a folder named ‘apppatch’ under %APPDATA%, copies itself into the folder, and adds itself to the ‘Load’ registry value.”
- [T1497] Virtualization/Sandbox Evasion – AntiVM checks via registry BIOS/model checks. “The ‘antivm’ method checks the system’s registry… contains ‘VM’, ‘VMware’, or ‘VBOX’.”
- [T1027] Obfuscated Files and Information – NetWire’s configuration and embedded data are RC4-encrypted. “NetWire encrypts its configuration with RC4.”
- [T1071.001] Web Protocols – C2 is a dynamic DNS hostname with a port. “C2 list: qayshaija.ddns[.]net:1515”
Indicators of Compromise
- [File hash] 38be94769e4f59d9a90e551e505c2e07 – OInstall.exe (initial dropper)
- [File hash] 6037361243f8c390326debbea5b85ac2 – install.exe (core payload)
- [File hash] 797b3318a7323b73df2bdc910f6ce92f – DLL binary (second payload)
- [File hash] a60238d3d7d3d6d90bae440cc4ff25ea – Executable binary (third payload)
- [File hash] 2da7b1cf405f791165e42ce5a3efad97 – NetWire RAT
- [File hash] abdb5f121849f3f3718768d37abe0173 – Frenchy Shellcode
- [Domain] qayshaija.ddns[.]net:1515 – NetWire C2 host
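Added example (not code from the eSentire post): a small host-triage routine that turns the indicators and the persistence description above into checks. It matches file MD5s against the listed hashes, looks for the %APPDATA%\apppatch\mtstocom.exe copy and an autostart value that launches it, and flags lookups of the listed C2 hostname. The snapshot format (file, registry and DNS records as dicts and lists) and the sample host data are constructed for this example; the autostart locations checked are the ‘Load’ value named in the write-up and the standard HKCU Run key.

```python
import re
from typing import Dict, List, Tuple

# MD5 indicators exactly as listed in the write-up
IOC_MD5: Dict[str, str] = {
    "38be94769e4f59d9a90e551e505c2e07": "OInstall.exe (initial dropper)",
    "6037361243f8c390326debbea5b85ac2": "install.exe (core payload)",
    "797b3318a7323b73df2bdc910f6ce92f": "DLL binary (second payload)",
    "a60238d3d7d3d6d90bae440cc4ff25ea": "executable binary (third payload)",
    "2da7b1cf405f791165e42ce5a3efad97": "NetWire RAT",
    "abdb5f121849f3f3718768d37abe0173": "Frenchy Shellcode",
}


def refang(host: str) -> str:
    """Restore a defanged hostname ("ddns[.]net") so it can be compared to DNS telemetry."""
    return host.replace("[.]", ".").lower()


# C2 host from the write-up (port stripped; we match on the hostname only)
C2_HOSTS = {refang("qayshaija.ddns[.]net")}

# Persistence path from the write-up. %APPDATA% normally expands to
# <profile>\AppData\Roaming, which is the assumption encoded here.
PERSIST_PATH = re.compile(r"\\appdata\\roaming\\apppatch\\mtstocom\.exe$", re.IGNORECASE)

# Autostart keys to inspect (lower-cased for comparison): the key holding the
# 'Load' value mentioned in the write-up, and the ordinary HKCU Run key.
AUTOSTART_KEYS = {
    r"hkcu\software\microsoft\windows nt\currentversion\windows",
    r"hkcu\software\microsoft\windows\currentversion\run",
}

Finding = Tuple[str, str]  # (category, detail)


def check_hashes(files: List[Dict[str, str]]) -> List[Finding]:
    """Flag files whose MD5 matches one of the listed indicators."""
    return [
        ("ioc_hash", f"{f['path']} matches {IOC_MD5[f['md5'].lower()]}")
        for f in files
        if f["md5"].lower() in IOC_MD5
    ]


def check_persistence(files: List[Dict[str, str]],
                      registry: List[Dict[str, str]]) -> List[Finding]:
    """Flag the dropped copy under apppatch and any autostart value pointing at it."""
    findings: List[Finding] = []
    for f in files:
        if PERSIST_PATH.search(f["path"]):
            findings.append(("persist_file", f"dropped copy present at {f['path']}"))
    for entry in registry:
        if entry["key"].lower() in AUTOSTART_KEYS and PERSIST_PATH.search(entry["data"]):
            findings.append(("persist_autostart",
                             f"{entry['key']}\\{entry['value']} launches {entry['data']}"))
    return findings


def check_c2(dns_queries: List[str]) -> List[Finding]:
    """Flag DNS lookups of the listed C2 hostname."""
    return [("c2_dns", f"lookup of {q}") for q in dns_queries
            if q.lower().rstrip(".") in C2_HOSTS]


def triage(snapshot: Dict[str, list]) -> List[Finding]:
    """Run all checks over one host snapshot and return the findings."""
    return (check_hashes(snapshot["files"])
            + check_persistence(snapshot["files"], snapshot["registry"])
            + check_c2(snapshot["dns"]))


# Constructed sample host snapshot (not real telemetry): one infected profile.
SAMPLE_SNAPSHOT = {
    "files": [
        {"path": r"C:\Users\alice\AppData\Roaming\apppatch\mtstocom.exe",
         "md5": "6037361243f8c390326debbea5b85ac2"},
        {"path": r"C:\Users\alice\Downloads\OfficeSetup.exe",
         "md5": "38be94769e4f59d9a90e551e505c2e07"},
        {"path": r"C:\Windows\System32\notepad.exe",
         "md5": "00000000000000000000000000000000"},  # placeholder benign hash
    ],
    "registry": [
        {"key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows",
         "value": "Load",
         "data": r"C:\Users\alice\AppData\Roaming\apppatch\mtstocom.exe"},
        {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "value": "OneDrive",
         "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    ],
    "dns": ["qayshaija.ddns.net", "www.microsoft.com"],
}

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_SNAPSHOT):
        print(f"[{category}] {detail}")
```

The persistence check deliberately fires on the path alone, independent of the hash: a recompiled or repacked copy of the dropper would miss the MD5 list but still sit at the same apppatch path and still be launched from the same ‘Load’ value, so the behavioural indicators from the write-up are the more durable ones.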
Read more: https://www.esentire.com/blog/netwire-rat-the-stealthy-invasion-via-frenchy-shellcode