Encircle News!

Retro Game Arcade
, , , , , , , , ,

How the FBI proved a remote admin tool was actually malware

Lorenzo Franceschi-Bicchierai

On Thursday, the U.S. government announced that it had seized a website used to sell malware designed to spy on computers and cellphones.

The malware is called NetWire, and for years several cybersecurity companies, and at least one government agency, have written reports detailing how hackers were using the malware. While NetWire was also reportedly advertised on hacking forums, the malware owners marketed it on a website that made it look like it was a legitimate remote administration tool.

“NetWire is specifically designed to help businesses complete a variety of tasks connected with maintaining computer infrastructure. It is a single “command center” where you can keep a list of all your remote computers, monitor their statuses and inventory, and connect to any of them for maintenance purposes,” read an archived version of the site.

In the press release announcing the seizure of the website, which was hosted at worldwiredlabs.com, the U.S. Attorney’s Office in the Central District of California said that the FBI started an investigation into the site in 2020.

A spokesperson for the U.S. Attorney’s Office provided TechCrunch with a copy of the warrant used to seize the website, which details how the FBI determined that NetWire was, in fact, a Remote Access Trojan — or RAT — malware and not a legitimate app to administer remote computers.

The warrant contains an affidavit written by an unnamed FBI Task Force officer, who explains that a member or agent of the FBI Investigative Team purchased a NetWire license, downloaded the malware, and gave it to an FBI-LA computer scientist, who analyzed it on October 5, 2020 and January 12, 2021.

 

In order to test the capabilities of the malware the computer scientist used NetWire’s Builder Tool on a test computer to construct “a customized instance of the NetWire RAT,” which was installed on a Windows virtual machine controlled by the agent. During this process, the NetWire website “never required the FBI to confirm that it owned, operated, or had any property right to the test victim machine that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose).”

In other words, based on this experiment, the FBI concluded that the owners of NetWire never bothered to check that its customers were using it for legitimate purposes on computers they owned or controlled.

Using the virtual machine they set up, the FBI computer scientist then tested all of NetWire functionalities, including remotely accessing files, viewing and force-closing apps such as Windows Notepad, exfiltrating stored passwords, recording keystrokes, executing commands via prompt or shell, and taking screenshots.

“The FBI-LA [computer scientist] emphasized that in all the features tested above, the infected computer never displayed a notice or alert that these actions were taking place. This is contrary to legitimate remote access tools where consent from the user is typically required to perform specific action on the user’s behalf,” the Task Force officer wrote in the affidavit.

The officer also cited a complaint that the FBI received from a U.S.-based victim of NetWire in August 2021, but didn’t include the identity of the victim, nor many details of the case, other than saying the victim hired a third-party cybersecurity firm which concluded that the victim company received a malicious email that installed NetWire.

Ciaran McEvoy, a spokesperson for the U.S. Attorney’s Office of the Central District of California told TechCrunch he was not aware of any other public documents on the case, other than the warrant and attached affidavit, so information about the operation to take down the website used to sell NetWire, including the identity of its owners, is at this point limited.

In the press release, the DOJ wrote that Croatian authorities arrested a local citizen who allegedly ran the website, but did not name the suspect.

Following the announcement, the cybersecurity journalist Brian Krebs wrote an article where he used publicly accessible DNS records, WHOIS website registration data, information provided by a service that indexes data exposed in public database leaks, and even a Google+ profile, to link the worldwiredlabs.com website to a person named Mario Zanko.

How the FBI proved a remote admin tool was actually malware by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

https://techcrunch.com/2023/03/09/how-the-fbi-proved-a-remote-admin-tool-was-actually-malware/

Follow Us

Featured Posts

September 2024
M T W T F S S
 1
2345678
9101112131415
16171819202122
23242526272829
30  

About Us

Welcome to encircle News! We are a cutting-edge technology news company that is dedicated to bringing you the latest and greatest in everything tech. From automobiles to drones, software to hardware, we’ve got you covered.

At encircle News, we believe that technology is more than just a tool, it’s a way of life. And we’re here to help you stay on top of all the latest trends and developments in this ever-evolving field. We know that technology is constantly changing, and that can be overwhelming, but we’re here to make it easy for you to keep up.

We’re a team of tech enthusiasts who are passionate about everything tech and love to share our knowledge with others. We believe that technology should be accessible to everyone, and we’re here to make sure it is. Our mission is to provide you with fun, engaging, and informative content that helps you to understand and embrace the latest technologies.

From the newest cars on the road to the latest drones taking to the skies, we’ve got you covered. We also dive deep into the world of software and hardware, bringing you the latest updates on everything from operating systems to processors.

So whether you’re a tech enthusiast, a business professional, or just someone who wants to stay up-to-date on the latest advancements in technology, encircle News is the place for you. Join us on this exciting journey and be a part of shaping the future.

Podcasts

TWiT 998: Artisanal Locally-Sourced Dopamine – Amazon Returns to Office, CA AI Bill, Elon Backs Down This Week in Tech (Audio)

Amazon Returns to Office, CA AI Bill, Elon Backs Down Discussion of the iPhone 16 Qualcomm Approached Intel About a Takeover in Recent Days Hezbollah Pagers Explode in Apparent Attack Across Lebanon Elon Musk's X Backs Down in Brazil Bluesky tops 10 million users Newsom signs California bill to limit 'addictive' social media feeds for kids The AI bill driving a wedge through Silicon Valley Microsoft Would Restart Three Mile Island Nuclear Plant to Power AI Bill requiring AM radio in new cars gets closer to law Mozilla exits the fediverse and will shutter its Mastodon server in December Amazon tells employees to return to office five days a week Host: Leo Laporte Guests: Ben Parr, Alex Lindsay, and Rob Pegoraro Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: NetSuite.com/TWIT canary.tools/twit – use code: TWIT expressvpn.com/twit shopify.com/twit veeam.com
  1. TWiT 998: Artisanal Locally-Sourced Dopamine – Amazon Returns to Office, CA AI Bill, Elon Backs Down
  2. TWiT 997: Put an OLED on it – iPhone Event 2024, $700 PS5, AI in AU
  3. TWiT 996: The Quiet Office Crackdown – Starlink Backtracks, AI Royalty Heist
  4. TWiT 995: The Story of Us – AnandTech Shuts Down, Brazil Bans X, Alexa Revamp
  5. TWiT 994: Time Moves On, but I Don't – Pavel Durov Arrested, Hacking Bikes, Apple Event Rumors