New Obfuscated WiryJMPer Dropper Hides Netwire Payloads in Plain Sight


A new malware dropper was observed while infecting computers with a Netwire malicious payload hidden between two benign binaries and using obfuscation to fly under the radar of most anti-malware solutions.

"WiryJMPer is a seemingly ordinary dropper with unusual obfuscation. It uses two benign binaries with superfluous jumps and dead branches sandwiched between the binaries to hide its virtual machine, protecting its Netwire payload," found Avast researchers Adolf Středa and Luigino Camastra.

NetWire (also known as Recam or NetWiredRC) is a remote access trojan (RAT) in wide use since 2012. It focuses on keylogging and password stealing, and gives attackers unauthorized access to and remote control over their victims' computers, among a host of other capabilities.

The suspicious binary

The researchers first noticed the loader after observing that the ABBC Coin wallet binary it used as a front was actually three times the size of the regular wallet.

It also came with other warning flags, such as the use of strings from a WinBin2Iso 3.16 executable developed by SoftwareOK. The fact that WinBin2Iso is a binary image converter while ABBC Coin is a blockchain-based cryptocurrency made the WiryJMPer binary even more suspicious.

While taking a closer look using behavioral analysis techniques, Avast's researchers discovered that instead of an ABBC Coin wallet the unusual binary was actually the malware dropper they dubbed WiryJMPer.

[Figure: WiryJMPer’s workflow]

Stack-based virtual machines

The victim's machine is infected using a flashy, although not uncommon, method of showing program windows in the foreground to distract the user while the Netwire payload is being dropped in the background.

"The first stage of the payload innocently appears as a regular WinBin2Iso binary with a suspiciously large .rsrc section," the researchers found. "The JMP instruction, which is normally part of a loop handling window messages, jumps into the .rsrc section where a roller-coaster of control flow begins."
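The oversized .rsrc section described above is something a defender can check for without running the sample. The following triage script is an added example, not code from the article or from Avast's report: it parses the PE section table with only the standard library and flags a .rsrc section that is either marked executable or takes up more than an assumed share of the file, neither of which is expected of a section that normally holds icons, dialogs and strings. The size threshold and the minimal PE builder used to construct the sample input are assumptions.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag from the PE spec
SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER layout, 40 bytes

def pe_sections(data: bytes):
    """Walk the PE section table, yielding (name, SizeOfRawData, Characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt_hdr = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt_hdr  # section table follows the optional header
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        yield fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[3], fields[9]

def rsrc_triage(data: bytes, size_ratio: float = 0.5):
    """List .rsrc anomalies: execute flag set, or raw size above size_ratio of the
    file (an assumed threshold). Resources hold icons/strings, so neither is expected."""
    findings = []
    for name, raw_size, chars in pe_sections(data):
        if name != ".rsrc":
            continue
        if chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("rsrc_executable")
        if raw_size > size_ratio * len(data):
            findings.append("rsrc_oversized")
    return findings

def build_pe(sections):
    """Constructed sample input: a minimal PE (DOS + COFF header, no optional header)
    with the given (name, raw_size, characteristics) sections. Not runnable code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    offset = 64 + len(coff) + 40 * len(sections)  # raw data starts after the table
    headers, body = b"", b""
    for name, raw_size, chars in sections:
        headers += struct.pack(SECTION_HDR, name, raw_size, 0x1000, raw_size,
                               offset, 0, 0, 0, 0, chars)
        body += b"\0" * raw_size
        offset += raw_size
    return bytes(dos) + coff + headers + body

# Constructed sample: a .text section plus a .rsrc section that is executable and oversized.
SUSPICIOUS = build_pe([(b".text", 4000, 0x60000020), (b".rsrc", 20000, 0x60000040)])
```

Running `rsrc_triage` over a real binary is a cheap first filter; a hit is a reason to look closer, not proof of infection, since installers and some packers also carry large resource sections.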

In the next step, an unresponsive WinBin2Iso window is displayed, which is almost instantly replaced by a new ABBC Coin wallet window, a behavior the researchers observed on startup every time WiryJMPer was launched.

"The combination of control flow obfuscation and low level code abstraction made the analysis of the malware’s workflow rather tedious," Avast's report adds.

"Moreover, during the analysis, we found that the obfuscated loader also utilises a (possibly) custom stack-based virtual machine during the RC4 key schedule, which aroused our interest even more."

The WiryJMPer dropper also attempts to gain persistence on compromised systems by adding a shortcut in the startup folder pointing to its original binary, copied to %APPDATA%\abbcdriver.exe.

[Figure: Stack-based virtual machine diagram]

The malware samples analyzed always followed the same course of action, with a "WinBin2Iso binary patched to unpack Netwire and another binary", the decoy payload being a legitimate cryptocurrency wallet.

"While the malware’s functionality isn’t very innovative, it has managed to pass under the radar for some time, probably due to obfuscation and rather low prevalence," conclude the Avast researchers.

"Rather slow setup of the decoy showing multiple windows with unrelated titles may be suspicious enough for power-users, on the other hand, providing the 'decoy' binary might be comforting enough for ordinary users."

IOCs and previous RAT activity

A high-level overview of this new malware loader and a list of indicators of compromise (IOCs) including malware hashes and Netwire C2 server domains are available on GitHub and at the end of Avast's WiryJMPer analysis.

The Netwire RAT was also spotted by security researchers at the Qihoo 360 Security Center in August while being distributed via a malspam campaign targeting several North American entities from the hotel industry.

In March, FireEye's researchers discovered a phishing campaign that delivered a Netwire payload by injecting it into a legitimate Microsoft executable, using process hollowing to evade detection.

Netwire was also used in the past by threat actors in campaigns that targeted payment processors, ATMs, and transaction processing systems of organizations from the Middle East via spear-phishing emails, as Proofpoint found in 2016, as well as to harvest payment card data from point-of-sale systems, according to SecureWorks.