Concrete signature match: Backdoor - Provides unauthorized remote access for 32-bit Windows platform, family Netwire
This is a concrete detection of Backdoor:Win32/Netwire.GG!MTB, a sophisticated Remote Access Trojan (RAT) from the Netwire family. It establishes persistence using a specific registry key ("SOFTWARE\NetWire") and utilizes HTTP communication for command and control (C2), enabling data exfiltration and remote system control.
Relevant strings associated with this threat:
- SOFTWARE\NetWire (PEHSTR_EXT)
- filenames.txt (PEHSTR_EXT)
- GET %s HTTP/1.1 (PEHSTR_EXT)
rule Backdoor_Win32_Netwire_GG_2147795257_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Win32/Netwire.GG!MTB"
        threat_id = "2147795257"
        type = "Backdoor"
        platform = "Win32: Windows 32-bit platform"
        family = "Netwire"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "20"
        strings_accuracy = "High"
    strings:
        $x_15_1 = "SOFTWARE\\NetWire" ascii //weight: 15
        $x_1_2 = "filenames.txt" ascii //weight: 1
        $x_1_3 = "HostId" ascii //weight: 1
        $x_1_4 = "%Rand%" ascii //weight: 1
        $x_1_5 = "GET %s HTTP/1.1" ascii //weight: 1
        $x_1_6 = "Accept-Language: en-US,en" ascii //weight: 1
        $x_1_7 = "Connection: close" ascii //weight: 1
        $x_1_8 = "200 OK" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_15_*) and 5 of ($x_1_*))) or
            (all of ($x*))
        )
}

Associated sample hash: 73cf4c1de3510d4010419a34a87b341c18d6144080988d23abe965bed3d73a5e

Recommended response: Immediately isolate the compromised host to prevent further damage. Perform a full system scan with an updated antivirus/EDR solution to remove the malware and any associated components, including the "SOFTWARE\NetWire" registry key. Investigate for lateral movement, credential compromise, and data exfiltration, resetting any affected user credentials.
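The rule's condition is the YARA rendering of a weighted-string (PEHSTR_EXT) signature: the registry-key string carries weight 15, each of the seven protocol and file-name strings carries weight 1, and the threshold is 20. The following Python is an added illustration, not threatcheck.sh or Microsoft code and not a YARA engine: it reproduces the condition block literally, computes the weighted score the metadata describes, and runs both over constructed byte buffers (not real samples) so an analyst can confirm when the rule fires and when it falls just short. The assumption that "filesize < 20MB" uses YARA's binary megabyte (1048576 bytes) is standard YARA semantics.

```python
"""Evaluate the weighted-string logic encoded in the Netwire.GG YARA rule.

Added example: not threatcheck.sh code and not a YARA engine. It restates
the rule's condition in plain Python so the relationship between the
per-string weights and the threshold of 20 can be checked directly.
"""

# Strings and weights copied from the rule above.
WEIGHTED_STRINGS = {
    b"SOFTWARE\\NetWire": 15,          # $x_15_1
    b"filenames.txt": 1,                # $x_1_2
    b"HostId": 1,                       # $x_1_3
    b"%Rand%": 1,                       # $x_1_4
    b"GET %s HTTP/1.1": 1,              # $x_1_5
    b"Accept-Language: en-US,en": 1,    # $x_1_6
    b"Connection: close": 1,            # $x_1_7
    b"200 OK": 1,                       # $x_1_8
}
THRESHOLD = 20                      # "threshold" field in the rule metadata
MAX_FILESIZE = 20 * 1024 * 1024     # "filesize < 20MB"; YARA's MB is 2**20 bytes


def matched_strings(data: bytes) -> dict:
    """Return {string: weight} for every rule string present in data."""
    return {s: w for s, w in WEIGHTED_STRINGS.items() if s in data}


def weighted_score(data: bytes) -> int:
    """Sum the weights of the matched strings (the PEHSTR_EXT scoring model)."""
    return sum(matched_strings(data).values())


def rule_condition(data: bytes) -> bool:
    """Evaluate the rule's condition block as written, without using the score."""
    if not len(data) < MAX_FILESIZE:
        return False
    found = matched_strings(data)
    heavy = sum(1 for w in found.values() if w == 15)   # 1 of ($x_15_*)
    light = sum(1 for w in found.values() if w == 1)    # 5 of ($x_1_*)
    return (heavy >= 1 and light >= 5) or len(found) == len(WEIGHTED_STRINGS)


# Constructed buffers for illustration only; they are not malware content.
# Registry key plus five weight-1 strings: score 15 + 5 = 20, rule fires.
SAMPLE_HIT = (b"MZ\x90\x00" + b"\x00" * 64
              + b"SOFTWARE\\NetWire\x00HostId\x00%Rand%\x00"
              + b"GET %s HTTP/1.1\r\nAccept-Language: en-US,en\r\n"
              + b"Connection: close\r\n\x00")
# Every weight-1 string but no registry key: score 7, ordinary HTTP client noise.
SAMPLE_MISS = b"\x00".join(s for s, w in WEIGHTED_STRINGS.items() if w == 1)
# Registry key plus only four weight-1 strings: score 19, one short of threshold.
SAMPLE_NEAR = b"SOFTWARE\\NetWire\x00filenames.txt\x00HostId\x00%Rand%\x00200 OK"


if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("near", SAMPLE_NEAR)):
        print(f"{name}: score={weighted_score(buf)} match={rule_condition(buf)}")
```

Because there is exactly one weight-15 string, "score >= 20" and the literal condition agree on every input: the score only reaches 20 when the registry-key string is present together with at least five of the weight-1 strings. The miss buffer also shows why the weight-1 strings alone are not a detection: generic HTTP headers and "200 OK" appear in countless benign binaries, which is why the registry key carries almost all of the weight.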