How the FBI proved a remote admin tool was actually malware
On Thursday, the U.S. government announced that it had seized a website used to sell malware designed to spy on computers and cellphones.
The malware is called NetWire, and for years several cybersecurity companies, and at least one government agency, have written reports detailing how hackers were using the malware. While NetWire was also reportedly advertised on hacking forums, the malware owners marketed it on a website that made it look like it was a legitimate remote administration tool.
“NetWire is specifically designed to help businesses complete a variety of tasks connected with maintaining computer infrastructure. It is a single 'command center' where you can keep a list of all your remote computers, monitor their statuses and inventory, and connect to any of them for maintenance purposes,” read an archived version of the site.
In the press release announcing the seizure of the website, which was hosted at worldwiredlabs.com, the U.S. Attorney's Office in the Central District of California said that the FBI started an investigation into the site in 2020. The feds allege the site was used to commit international money laundering, fraud and computer crimes.
A spokesperson for the U.S. Attorney's Office provided TechCrunch with a copy of the warrant used to seize the website, which details how the FBI determined that NetWire was, in fact, a Remote Access Trojan — or RAT — malware and not a legitimate app to administer remote computers.
The warrant contains an affidavit written by an unnamed FBI Task Force officer, who explains that a member or agent of the FBI Investigative Team purchased a NetWire license, downloaded the malware and gave it to an FBI-LA computer scientist, who analyzed it on October 5, 2020 and January 12, 2021.
Image Credits: NetWire
In order to test the capabilities of the malware the computer scientist used NetWire’s Builder Tool on a test computer to construct “a customized instance of the NetWire RAT,” which was installed on a Windows virtual machine controlled by the agent. During this process, the NetWire website “never required the FBI to confirm that it owned, operated, or had any property right to the test victim machine that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose).”
In other words, based on this experiment, the FBI concluded that the owners of NetWire never bothered to check that its customers were using it for legitimate purposes on computers they owned or controlled.
Using the virtual machine they set up, the FBI computer scientist then tested all of NetWire's functionalities, including remotely accessing files, viewing and force-closing apps such as Windows Notepad, exfiltrating stored passwords, recording keystrokes, executing commands via prompt or shell and taking screenshots.
“The FBI-LA [computer scientist] emphasized that in all the features tested above, the infected computer never displayed a notice or alert that these actions were taking place. This is contrary to legitimate remote access tools where consent from the user is typically required to perform specific action on the user's behalf,” the Task Force officer wrote in the affidavit.
The officer also cited a complaint that the FBI received from a U.S.-based victim of NetWire in August 2021, but didn’t include the identity of the victim, nor many details of the case, other than saying the victim hired a third-party cybersecurity firm which concluded that the victim company received a malicious email that installed NetWire.
Ciaran McEvoy, a spokesperson for the U.S. Attorney’s Office of the Central District of California, told TechCrunch he was not aware of any other public documents on the case, other than the warrant and attached affidavit, so information about the operation to take down the website used to sell NetWire, including the identity of its owners, is at this point limited.
In the press release, the DOJ wrote that Croatian authorities arrested a local citizen who allegedly ran the website, but did not name the suspect.
Following the announcement, the cybersecurity journalist Brian Krebs wrote an article where he used publicly accessible DNS records, WHOIS website registration data, information provided by a service that indexes data exposed in public database leaks and even a Google+ profile, to link the worldwiredlabs.com website to a person named Mario Zanko.
Do you have more information about NetWire or a hacking case involving this malware? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email firstname.lastname@example.org. You can also contact TechCrunch via SecureDrop.