NetWiredRC is a trojan used by the APT33 group that allows unauthorized remote access to and control of an affected computer. An attacker can perform more than 100 different actions on an infected computer using this remote access tool. This article analyses the entire command and control structure of the malware. This specific version of the malicious sample implements more features than its identified predecessors.

The executable sample can be found at app.any.run.

Hash of the executable sample:

41b22d484200b434a02c3b3a18ecb9defbc4582d864491d204f02ad25a46340e

Process Graph:

Import table: ADVAPI32.dll, AVICAP32.dll, AVIFIL32.dll, COMCTL32.dll, GDI32.dll, IMM32.dll, KERNEL32.dll, MSIMG32.dll, OLEAUT32.dll, POWRPROF.dll, SHELL32.dll, SHLWAPI.dll, USER32.dll, UxTheme.dll, WS2_32.dll, comdlg32.dll, ole32.dll, pdh.dll

Sections:

Indicators of Compromise (IOC):

Drops a file at C:\User\admin\AppData\Local\Temp\sample.exe.
Creates persistence using HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Connects to a URL on an unusual port, suggesting a command and control server.

Deeper Analysis:

The malicious sample loads the dynamic link libraries and the required APIs in the traditional way using LoadLibraryExA, FindResource, and LoadResource, as shown below.

The sample checks for the presence of a debugger and throws an exception if one is found, using the following code segment.

It retrieves the path designated for temporary files and drops the payload file and a batch file in the temp directory.

It then uses the command line to execute the batch file as cmd.exe "%TEMP%\aMCqY4E8M8.bat" and afterwards deletes it with cmd.exe /c del "%TEMP%\aMCqY4E8M8.bat".

It queries the registry to identify the language configuration, settings, Windows version, computer name, installed applications, and compatibility information.

The sample also creates a registry entry to achieve start-up persistence, which allows it to auto-execute at system start-up.
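As an added defender-side example (not code from the original analysis), the following Python correlates constructed process-creation and registry-write records to flag the chain described above: a batch file executed from a Temp directory and later deleted with cmd.exe /c del, plus an HKCU Run value pointing into Temp. The user path, the record format and the value name ExampleValue are assumptions; the batch-file name and the Run key are the ones reported here.

```python
import re

# Constructed sample telemetry (not from the original analysis): simplified
# process-creation and registry-write records as (kind, detail) pairs.
# The batch-file name and the Run key are the ones the analysis reports;
# the value name "ExampleValue" and the user path are assumptions.
EVENTS = [
    ("process", r'cmd.exe "C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat"'),
    ("process", r'cmd.exe /c del "C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat"'),
    ("registry", r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue'
                 r' = C:\Users\admin\AppData\Local\Temp\sample.exe'),
    ("process", r'cmd.exe "C:\Users\admin\AppData\Local\Temp\build.bat"'),  # run, never deleted
    ("process", r'cmd.exe /c dir C:\Windows'),
]

# cmd.exe deleting or launching a .bat that lives under a Temp directory
BAT_DEL = re.compile(r'cmd\.exe\s+/c\s+del\s+"?([^"]+\\Temp\\[^"\\]+\.bat)"?', re.I)
BAT_RUN = re.compile(r'cmd\.exe\s+"?([^"]+\\Temp\\[^"\\]+\.bat)"?', re.I)
# HKCU Run value; the target path is checked separately for a Temp location
RUN_KEY = re.compile(r'^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'
                     r'(\S+)\s*=\s*(.+)$', re.I)

def detect(events):
    """Return alert strings for the run-then-delete chain and Run-key persistence."""
    executed, deleted, run_values = {}, {}, []
    for idx, (kind, detail) in enumerate(events):
        if kind == "process":
            m = BAT_DEL.search(detail)  # test the delete form first: it is more specific
            if m:
                deleted[m.group(1).lower()] = idx
                continue
            m = BAT_RUN.search(detail)
            if m:
                executed[m.group(1).lower()] = idx
        elif kind == "registry":
            m = RUN_KEY.match(detail)
            if m and "\\temp\\" in m.group(2).lower():
                run_values.append((m.group(1), m.group(2)))
    alerts = []
    # fire only when the same Temp batch file is executed and deleted afterwards
    for path, run_idx in executed.items():
        if deleted.get(path, -1) > run_idx:
            alerts.append(f"temp batch file executed then deleted: {path}")
    for name, target in run_values:
        alerts.append(f"HKCU Run persistence pointing into Temp: {name} -> {target}")
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```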

Command Structure Analysis

The sample uses the following code segment to build an ImageList of screenshots taken at a regular time interval and turn it into a bitmap. It captures the screen and transmits it in real time to the connected command and control server.

It also has the ability to query, create and update database tables, and the sample contains some potential query strings.

The sample uses a switch statement with more than 100 cases to parse the commands received from the command and control server.

The following table shows some of the command capabilities associated with the malware. The attacker can run any of these commands on an infected machine from the command and control server, and the sample returns the results to it.
