How the FBI determined the remote management tool was malware

Image Credits: Samuel Korm/Bloomberg via Getty Images/Getty Images

On Thursday, the US government announced it had seized a website used to sell malware designed to spy on computers and mobile phones.

The malware is called NetWire, and has been for years Several Cyber ​​security CompaniesAnd at least A government agencyThey wrote a report detailing how hackers use malware. NetWire was also advertised on hacking forums, but the owners of the malware marketed it on their website and pretended it was a legitimate remote management tool.

“NetWire is specifically designed to help businesses complete the various tasks associated with maintaining their computing infrastructure. It’s a single ‘command center’ where you can keep a list of all your remote computers, monitor their status and inventory, and connect to any of them for maintenance purposes.” Archived version of the site.

in The press release Announcing the availability of the website hosted on worldwiredlabs.comThe U.S. Attorney’s Office in the Central District of California said in 2020 that the FBI will begin an on-site investigation, according to the feds.

A spokesperson for the US Attorney’s Office provided TechCrunch with a copy The order used to hold the websiteIt explains in detail how the FBI determined that NetWire was a remote access trojan — or RAT — malware and not a legitimate application for managing remote computers.

The warrant contains an affidavit written by an unnamed FBI task force officer who said an FBI investigative team member or agent bought a NetWire license, downloaded the malware and gave it to an FBI-LA computer scientist, who analyzed it in October. 5, 2020 and January 12, 2021.

Image Credits: NetWire

To test the malware’s capabilities, the computer scientist used NetWire’s Builder Tool on a test computer to build a “custom instance of the NetWire RAT” installed on a Windows virtual machine under the agent’s control. In this process, the Netwire website states, “The FBI never required the FBI to prove that it owned, operated, or had any property rights to the test victim’s machine it attacked during the test (if the attacks were legitimate or appropriate for an authorized purpose).”

In other words, based on this test, the FBI concluded that NetWire’s owners never dared to check whether their customers were using it for legitimate purposes on computers they owned or controlled.

Using a virtual machine created by an FBI computer scientist, he tried all sorts of network functions, including remotely accessing files, viewing and closing applications like Windows Notepad, hacking stored passwords, recording keystrokes, executing commands at the prompt or shell, and taking them. Screenshots.

“FBI-LA [computer scientist] With all the features tested above, he emphasized that the infected computer did not show any notification or warning that these actions were taking place. This is contrary to legal remote access tools, which require the user’s consent to perform a specific action on behalf of the user,” the task force officer wrote in an affidavit.

The official also cited an August 2021 complaint the FBI received from a US-based NetWire victim, but did not identify the victim or include many details of the case, other than saying the victim hired a third party and concluded that the cyber security firm had received a malicious email that installed NetWire on the victim’s company.

Ciaran McEvoy, a spokesman for the U.S. Attorney for the Central District of California, told TechCrunch that he is not aware of any other public documents in the case other than the order and the attached affidavits, and that information about the process to take down the website, including the identity of the owners used to sell NetWire, is limited at this point.

In a press release, the DOJ wrote that Croatian authorities had arrested a local citizen who allegedly ran the website, but did not name the suspect.

Following the announcement, cyber security journalist Brian Krebs He wrote an article It used global DNS records, WHOIS website registration data, information from a service that identifies information exposed in public database breaches, and a Google+ profile to link the worldwiredlabs.com website to a man named Mario Zanco.

Do you have more information about NetWire or a hacking issue related to this malware? We want to hear from you. For offline devices, Lorenzo Franceschi-Biccirai can be reached securely on Signal at +1 917 257 1382 or on Wicker, Telegram and Wire @lorenzofb or by email at lorenzo@techcrunch.com. You can also access TechCrunch via SecureDrop.