Skip Navigation
BlackBerry ThreatVector Blog

BlackBerry Prevents: NetWire Malware

NetWire is a publicly available, multi-platform Remote Access Trojan (RAT) that is designed to attack victims on Windows®, MacOS ®, and Linux®. This threat has been distributed in phishing campaigns via weaponized Microsoft® documents, PDFs containing download links, and archive files containing payloads. It has been seen for sale on the dark net, typically ranging in price from $40 to $140 USD.

The goal of NetWire is to perform surveillance or take control of the infected system. Once the RAT has compromised a machine, the attacker can execute a variety of remote actions from its command and control (C2) server.

The malware’s surveillance abilities include logging keystrokes, capturing screenshots, and stealing passwords, as well as accessing web cameras and microphones.

DEMO VIDEO: BlackBerry vs. NetWire Malware

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks.

BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by threat actors: 

  • BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement. 
  • BlackBerry® Optics extends the threat prevention by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.  
  • BlackBerry recommends activating the following BlackBerry Optics rules to provide additional telemetry from a NetWire malware attack: 
    • Win command cmdc MITRE T1059
    • Unsigned Application Network Beaconing
  • The BlackBerry® Mobile Threat Defense (MTD) solution prevents and detects advanced malicious threats at the device and application levels. It combines the mobile endpoint management capabilities of BlackBerry® Unified Endpoint Manager (UEM) with advanced AI-driven threat protection, to get in front of malicious cyberattacks in a Zero Trust environment. 
  • BlackBerry® Persona creates trust based on behavior analytics, app usage, and network and process invocation patterns. It uses adaptive risk scoring to provide continuous authentication. 
  • BlackBerry Guard customers are proactively protected from NetWire malware attacks. Our 24/7 MDR solution customers receive:  
    • Alerts monitored in real-time  
    • Corrective policies applied while discovering gaps in policy implementation  
    • Prioritized threat hunting  
    • The latest threat intelligence for fast-moving threats  

Prevention First

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain. 

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure. 

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. 

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 

Learn more about NetWire malware in our new deep-dive blog, Threat Thursday: NetWire RAT is Coming Down the Line.

 

Demo Video Transcription

“In this video, we will demonstrate the root-cause analysis capabilities of BlackBerry Optics, as well as our Temporal Predictive Advantage against an infamous remote administration tool (RAT) called Netwire.

We are jumping straight into BlackBerry Optics to deep-dive into the focus data presented by this threat, to better understand how it takes control of the system.

First, upon execution of the initial .exe that could come as an attachment on a phishing email or downloaded from a link on a pdf, NetWire drops the test.exe file, which migrates into this host.exe file. It immediately establishes persistence to make sure it runs again if the user reboots the machine, and then you can see its heavily intensive communication with its Command and Control (C2) server.

Netwire can silently log keystrokes, capture screenshots, and steal passwords, as well as accessing web cameras and microphones.

Let's take a look at the BlackBerry predictive prevention, traveling back in time to (an AI model released in) October 2015. Bear in mind that this machine is completely disconnected from the Internet, with no updates in terms of our agent or operating system patches. Now, we will try to execute the original malware sample.

As you can see, BlackBerry prevents it from running in milliseconds.

Now let's try with 15 different variants of Netwire, publicly available from this year, 2021. We will try to execute them in sequence to make sure they all try to infect the system. As you can see, our Cylance® AI model is able to convict all these variants.

Prevention is Possible, with BlackBerry.”

The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.