Description
[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012. (Citation: FireEye APT33 Sept 2017) (Citation: McAfee Netwire Mar 2015) (Citation: FireEye APT33 Webinar Sept 2017)
Techniques Used by This Malware
- T1010 — Application Window Discovery
- T1016 — System Network Configuration Discovery
- T1027 — Obfuscated Files or Information
- T1027.002 — Software Packing
- T1027.011 — Fileless Storage
- T1036.001 — Invalid Code Signature
- T1036.005 — Match Legitimate Resource Name or Location
- T1049 — System Network Connections Discovery
- T1053.003 — Cron
- T1053.005 — Scheduled Task
- T1055 — Process Injection
- T1055.012 — Process Hollowing
- T1056.001 — Keylogging
- T1057 — Process Discovery
- T1059.001 — PowerShell
- T1059.003 — Windows Command Shell
- T1059.004 — Unix Shell
- T1059.005 — Visual Basic
- T1071.001 — Web Protocols
- T1074.001 — Local Data Staging
- T1082 — System Information Discovery
- T1083 — File and Directory Discovery
- T1090 — Proxy
- T1095 — Non-Application Layer Protocol
- T1102 — Web Service
- T1105 — Ingress Tool Transfer
- T1106 — Native API
- T1112 — Modify Registry
- T1113 — Screen Capture
- T1119 — Automated Collection
- T1204.001 — Malicious Link
- T1204.002 — Malicious File
- T1543.001 — Launch Agent
- T1547.001 — Registry Run Keys / Startup Folder
- T1547.013 — XDG Autostart Entries
- T1547.015 — Login Items
- T1555 — Credentials from Password Stores
- T1555.003 — Credentials from Web Browsers
- T1560 — Archive Collected Data
- T1560.003 — Archive via Custom Method
- T1564.001 — Hidden Files and Directories
- T1566.001 — Spearphishing Attachment
- T1566.002 — Spearphishing Link
- T1573 — Encrypted Channel
- T1573.001 — Symmetric Cryptography