skip to Main Content

Cybercrime, Italy targeted by Netwire

Yoroi-ZLab: Cybercrime targeted Italian speaking victims with Netwire, and the infosteales campaign shows similarities with techniques adopted in recent operations against italian manufacturing sector

Italian speaking victims are targeted by cybercrime with Netwire infostealer. It has been discovered by Cybaze/Yoroi-ZLab cyber security experts. The particular chain of attack showed interesting technical patterns resembling other previous activities targeting the Italian manufacturing landscape. The variant used in this campaign is similar to other samples of the NetWire malware family but has an evolution of the attack chain. The malware is delivered as a malicious email attachment with XML macro embedded into it. Once opened, the Excel file looks like a document with some dynamic elements but hasn’t some clickable buttons. There, the classical security notice informs us that macros are contained in the document and are disabled. They are quite minimal and do not contain dead code or other anti-analysis technique, a part of the random looking variable naming. 

The cyber security experts: How the malware infection chain works

According to the italian cyber security experts, the the VBS macro snippet contacts the “cloudservices-archive.]best” domain to download the next stage payload hidden inside a file named as picture file. But it is not a picture and neither an executable: it actually is a XSL stylesheet containing Javascript able to load another ActiveX object. Then, the malware download the additional “fiber.vbs” file, a code snippet hiding powershell invocation through several nested replacements. This time the code is heavily obfuscated and contains many string manipulation subroutines. It contains another powershell stage designed to gain awareness of the execution environment and trigger the execution of an additional stage. After that, it reads raw bytes from the downloaded file and transforms them into ready to execute powershell code. The cybercrime also configures a persistence mechanism for Netwire, copying itself inside a directory and setting up the a registry key.

Back To Top