NetWire RAT Hidden in IMG Files Deployed in BEC Campaign

Business email compromise (BEC) scams have proven to be quite a lucrative endeavor for threat actors thanks to the large profit potential — and it seems like attacks are set to continue in 2020. A recent BEC campaign, purportedly coming from a small number of scammers in Germany, targets organizations by sending them emails with IMG (disk imaging) file attachments hiding a NetWire remote access trojan (RAT). First discovered in 2012, NetWire was more recently employed in a series of phishing attacks involving fake PDF files last September 2019.

The latest campaign, which was discovered by IBM X-Force security researchers, involves the typical BEC technique of sending an employee of the targeted organization an email masquerading as a corporate request. In this case, the researchers found that the message contained a fake sales quotation request saved as an IMG file attachment (Sales_Quotation_SQUO00001760.img) which, when clicked, executes the NetWire RAT.

Once executed, the malware variant establishes persistence via task scheduling. It also creates registry keys for storing the command-and-control (C&C) server’s IP address, which communicates over TCP port 3012. Once established in the target machine, NetWire can perform a number of actions, including keylogging, screen capturing, and information theft.

Although the IBM security researchers were unable to identify the exact details on who was behind this scheme, certain code strings found in the malware variant contained what seemed to be Indonesian text.

Recommendations and Trend Micro solutions

Cybercriminals have begun expanding the repertoire of techniques used in their BEC attacks to include tools such as RATs and keyloggers and are expected to utilize even more advanced technologies such as deepfakes (as noted in Trend Micro’s 2020 Predictions). To help organizations and users defend themselves from BEC attacks, we recommend the following best practices.

  • Email recipients of business transactions or requests should always be on the lookout for red flags or any other any suspicious elements — for example, changes in email signatures or messages sent without proper context.
  • Fund transfer and payment requests should always be verified, preferably by confirming the transaction with the sender. A secondary sign-off by someone higher up in the organization is also encouraged.
  • Users should avoid clicking links or downloading attachments unless they are sure that an email is legitimate and sent from a non-malicious address.

In addition to the best practices prescribed above, organizations can also consider adopting advanced technologies to defend against BEC attacks. For example, Trend Micro Cloud App Security and ScanMail™ Suite for Microsoft® Exchange™, which employ Writing Style DNA to assist in detecting the email impersonation tactics used in BEC and similar scams. Writing Style DNA uses artificial intelligence (AI) to recognize the DNA of a user’s writing style based on past emails and then compares it to suspected forgeries. The technology verifies the legitimacy of the email content’s writing style through a machine learning model that contains the legitimate email sender’s writing characteristics.

[Read: How machine learning helps with fighting spam and other threats]


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.