Website selling long-abused Netwire RAT malware seized by FBI

The FBI has seized the domain of a website believed to be the sole purveyor of the widely used Netwire malware.

The international operation on Tuesday also saw Croatian authorities detain an unnamed suspect and Swiss law enforcement seize the servers hosting the malware infrastructure.

Netwire’s remote access trojan (RAT) — a type of malware that allows unauthorized remote control of a targeted device — has been documented by threat researchers for years and according to the FBI has been available since 2012.

“By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem,” said Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office, in a press release. “The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals.”

The FBI in Los Angeles first opened an investigation into the site, called worldwidelabs, three years ago, according to a seizure warrant obtained by TechCrunch. Officers created an account in October 2020 on the platform and purchased the Netwire malware, which is offered via a subscription.

The FBI’s undercover team created a custom version of the malware using the tools provided in the subscription purchased on worldwidelabs. They then infected one of their own devices, observing the results. The malware gave them the ability to remotely access files, view and terminate processes and computer applications, access passwords, log keystrokes, execute commands and employ screen capture.

Remote-access tools are also used for legitimate purposes, most commonly for IT departments troubleshooting issues with employees’ devices. But FBI officers were able to determine that Netwire’s product carried the hallmarks of a malicious trojan.

“Significantly … during the entire time of the connection, there were no visible windows or other indications on the infected computer’s screen that would alert the user … to the presence of the Netwire RAT,” the warrant said. “The FBI-LA CS [computer scientist] noted that a typical legitimate remote access tool would alert the user that their computer was now under the control or being monitored remotely.”

On March 3, a seizure warrant was granted, authorizing the FBI to redirect traffic from worldwidelabs to a FBI server.

Netwire has been a favorite of malicious hackers for more than a decade. In early 2016, researchers warned that Netwire was being used to target banks and healthcare organizations. In a case documented by cybersecurity company SentinelOne last year, the malware was used to remotely monitor an activist who was detained by Indian law enforcement on terrorism charges.

On March 9, the day of the FBI’s announcement of the seizure, the cybersecurity journalist Brian Krebs published an article connecting a Croatian national named Mario Zanko to the Netwire malware by analyzing domain and website registration information, among other clues.