What is the method taken by the FBI to conclude that 'NetWire', which claims a remote management tool, is malware?



The Federal Bureau of Investigation (FBI) has announced that it has seized a domain used to sell malware called ' NetWire ', which was sold as a remote administration tool. NetWire was sold as a remote management tool, but the FBI has concluded that it is malware and has decided to arrest the people involved in cooperation with domestic and foreign investigative agencies.

Central District of California | Federal Authorities Seize Internet Domain Selling Malware Used to Illegally Control and Steal Data from Victims' Computers | United States Department of Justice
https://www.justice.gov/usao-cdca/pr/federal-authorities-seize-internet-domain-selling-malware-used-illegally-control-and



Ravnateljstvo policije - U sklopu međunarodne policijske akcije hrvatska policija uhitila hakera s područja Zagrebačke županije
https://policija.gov.hr/vijesti/u-sklopu-medjunarodne-policijske-akcije-hrvatska-policija-uhitila-hakera-s-podrucja-zagrebacke-zupanije/6944



Federal authorities in Los Angeles have announced on the official website of the US Department of Justice that they have seized an Internet domain used to control infected computers and sell malware that steals various information.

On March 7, 2023, federal authorities seized the domain 'www.worldwiredlabs.com' under a seizure warrant approved by a US magistrate on March 3. It has been revealed that this domain was used to sell a remote access Trojan horse called 'NetWire'.

At the time of writing the article, when accessing ``worldwiredlabs.com'', the logo of the US Department of Justice and FBI is at the top, along with the notation ``This website has been seized'', and Europol , a European Union police agency, at the bottom. , Croatian Police , Zurich State Police , Australian Federal Police and other logos are lined up.

Domain Seized by Law Enforcement
http://www.worldwiredlabs.com/



According to documents filed in a Los Angeles court, 'Trojan horses are a type of malware that enables covert surveillance and acts as a backdoor for administrative control without the victim's knowledge or permission.' , allows unfettered and unauthorized remote access to your computer.'

Croatian police made the arrest of the Croatian alleged website administrator on March 7 as part of a law enforcement action taken in the second week of March, according to federal authorities. The person will be prosecuted by the Croatian police. In addition, the Zurich state police also seized a computer server that hosted NetWire's infrastructure on the same day.

In 2020, the FBI began investigating the NetWire distribution site 'www.worldwiredlabs.com'. According to an affidavit supporting the seizure warrant, an FBI undercover agent created an account at 'www.worldwiredlabs.com,' paid for a subscription plan, and 'used the product's builder tool to customize NetWire. Successfully constructed an instance that was created.'



'www.worldwiredlabs.com' advertised NetWire as 'a legitimate business tool for maintaining computer infrastructure.' However, the affidavit states, 'NetWire is malware used for malicious purposes, the software has been advertised on hacking-related forums, and numerous cybersecurity companies and government agencies have documented instances of NetWire. ” is written.

“Today’s announcement is a testament to the innovation and flexibility needed to combat cross-border cybercriminals,” a federal official said in a statement. Criminals use NetWire on a global scale and we are successfully dismantling the infrastructure that has caused immeasurable damage to victims around the world.' I was.

In addition, the FBI's Los Angeles office also said, 'This case is the result of a very strong cooperation in US law enforcement with Croatia and other global partners.'



TechCrunch, an overseas media, reported on this case, 'How did the FBI prove that NetWire was malware?'

How the FBI proved a remote admin tool was actually malware | TechCrunch

https://techcrunch.com/2023/03/09/how-the-fbi-proved-a-remote-admin-tool-was-actually-malware/



If you check 'www.worldwiredlabs.com' on the Internet Archive's Wayback Machine , the site describes NetWire as 'specifically designed to help businesses complete a variety of tasks related to maintaining their computer infrastructure. It maintains a list of all remote computers, monitors their status and inventory, and acts as a single 'command center' from which you can connect to any of them for maintenance purposes.'



However, TechCrunch has obtained a copy of the warrant used to seize the domain from a spokesperson for the Federal Attorney's Office, and the warrant contains details that determined NetWire to be malware.

The warrant contains an affidavit written by a member of the task force set up by the FBI to investigate the NetWire. According to this, from October 5, 2020 to January 12, 2021, task force members purchased and downloaded NetWire licenses and provided NetWire data to computer scientists at the FBI Los Angeles office.

To test its functionality, FBI computer scientists used NetWire's builder tool on a test machine to build a 'customized instance of NetWire' and put NetWire into a Windows virtual machine controlled by an FBI agent. Install. And I experimented whether it would be possible to remotely access any terminal using NetWire.

During the test, it seems that NetWire did not confirm whether the FBI held the ownership, operating rights, and property rights of the machine attacked (attempted to access remotely) using NetWire as a test. In other words, the FBI concluded that ``We did not check whether NetWire users were using NetWire for legitimate purposes on their own or managed computers.''

In addition, FBI's computer scientist uses a virtual machine with NetWire installed, remotely accesses files remotely on any machine, browses and forcibly stops notepad applications on Windows, steals saved passwords, users I tested keystroke recording, prompt and shell command execution, and taking screenshots.

A computer scientist at FBI Los Angeles emphasized that when testing the above function, no notifications or warnings were displayed on the remotely accessed terminal. As a result, a member of the task force said in an affidavit that ``it is contrary to legitimate remote access tools that normally require consent from the user to perform certain actions on the user's behalf,'' NetWire. I am evaluating.

Below is a copy of the seizure warrant provided to TechCrunch by the Federal Attorney's Office.

Netwire - DOJ Public domain seizure warrant - DocumentCloud
https://www.documentcloud.org/documents/23700957-netwire-doj-public-domain-seizure-warrant



Ciarán McEvoy, a spokesperson for the U.S. Attorney's Office for the Central District of California, told TechCrunch, 'Because we have no public documents related to this case other than the warrant and the accompanying affidavit, we have not sold NetWire. We have limited information at this time regarding the closure of the website, including the identity of its owner.'

The Justice Ministry said Croatian police had arrested a person involved in running the website, but did not name the suspect.

However, cybersecurity journalist Bryan Krebs said that access to DNS records, WHOIS website registration data, information provided by services that index data exposed in public database leaks, and even Google+ profiles, etc. to identify the name of the person who operated 'www.worldwiredlabs.com' as 'Mario Zanko'.

Who's Behind the NetWire Remote Access Trojan? – Krebs on Security
https://krebsonsecurity.com/2023/03/whos-behind-the-netwire-remote-access-trojan/



in Software,   Security, Posted by logu_ii