Taxpayers Targeted With Improved NetWire RAT Variant
2020-04-15 21:07

A new variant of the NetWire remote access trojan is hitching a ride on IRS-themed phishing ploys targeting taxpayers in hopes of snatching victims' credentials and tax information.

The NetWire variant's payload has also been given a facelift, with improved keylogger and credential-collecting features.

The emails come with an OLE-format Excel file attachment named "1040 W2 IRS letter.xls." When the victim clicks on the attachment, a Microsoft Excel sheet opens showing some obfuscated IRS forms in the background, intended to make the file appear legitimate.

Excel 4.0, released in 1992, is an attractive option for cybercriminals because Microsoft never provided a debugging feature for Excel 4.0 macros, which creates a roadblock for security analysts trying to examine complex Excel 4.0 macro code.

Once executed, the Excel 4.0 macro starts an extensive download chain. First, the program "Powershell.exe" is executed, which then triggers the download of an MSI file. MSI is an installation package format used by Windows to install software, and attackers frequently choose it to spread malware because it easily bypasses many antivirus services.


News URL

https://threatpost.com/taxpayers-targeted-with-improved-netwire-rat-variant/154830/