A new malware dropper was observed while infecting computers with a Netwire malicious payload hidden between two benign binaries and using obfuscation to fly under the radar of most anti-malware solutions. NetWire (also known as Recam or NetWiredRC) is a remote access trojan (RAT) widely used since 2012 with remote control capabilities and a focus on keylogging and password-stealing that enables attackers to gain unauthorized access and remotely control their victims’ computers, among a host of other things.

“WiryJMPer is a seemingly ordinary dropper with unusual obfuscation. It uses two benign binaries with superfluous jumps and dead branches sandwiched between the binaries to hide its virtual machine, protecting its Netwire payload,” found Avast researchers Adolf Středa and Luigino Camastra. Its JMP instruction, normally meant to handle window messages, jumps into the .rsrc section, which results in an unresponsive WinBin2Iso window to appear briefly before the ABBC Coin wallet window takes over. Because the window is always shown at startup, it is a clear sign of infection.

The combination of control flow obfuscation and low-level code abstraction made the analysis of the malware’s workflow “rather tedious” for them.

“Moreover, during the analysis, we found that the obfuscated loader also utilizes a (possibly) custom stack-based virtual machine during the RC4 key schedule, which aroused our interest even more,” they wrote.

The loader handles the rest of the infection process: it loads ntdll.dll into the memory, decrypts auxiliary data such as LNK filename or RC4 decryption password, and then decrypts the Netwire malware and the “decoy” binary (ABBC Coin wallet).

The Netwire malware is loaded into memory and the decoy saved onto the disk. The loader also attempts to achieve persistence by copying the original binary to %APPDATA%\abbcdriver.exe and creating an LNK file leading to it in the startup folder.

For more Cyber Security Information contact us at help@theweborion.com