Friday, November 22, 2024

FBI demonstrated how a remote administration tool was, in fact, malicious software.

The U.S. government recently announced that it had seized a website that was being used to sell NetWire, malware designed to spy on computers and cellphones. The website had been operational for years and had previously been reported by various cybersecurity companies and government agencies as a tool used by hackers. However, the owners marketed it as a legitimate remote administration tool. According to an archived version of the website, NetWire was described as being designed to help businesses complete a variety of tasks related to maintaining computer infrastructure.

The U.S. Attorney’s Office in the Central District of California alleged that the website was used for international money laundering, fraud, and computer crimes. An FBI investigation into the website began in 2020. The FBI Investigative Team purchased a NetWire license and downloaded the malware, which was then analyzed by an FBI-LA computer scientist. The resulting affidavit from an unnamed FBI Task Force officer, included in the warrant used to seize the website, details how the FBI determined that NetWire was a Remote Access Trojan (RAT) malware and not a legitimate app to administer remote computers.

The FBI computer scientist used NetWire’s Builder Tool on a test computer to construct a customized instance of the NetWire RAT, which was installed on a Windows virtual machine controlled by the agent. During the process, the NetWire website never required the FBI to confirm that it owned, operated, or had any property right to the test victim machine that the FBI attacked during its testing.

Based on this experiment, the FBI concluded that the owners of NetWire never bothered to check that its customers were using it for legitimate purposes on computers they owned or controlled. The FBI computer scientist then tested all of NetWire’s functionalities, including remotely accessing files, exfiltrating stored passwords, recording keystrokes, executing commands via prompt or shell, and taking screenshots.

The DOJ announced that Croatian authorities arrested a local citizen who allegedly ran the website, but did not name the suspect. Ciaran McEvoy, a spokesperson for the U.S. Attorney’s Office, said that he was not aware of any other public documents on the case, other than the warrant and attached affidavit, so information about the operation to take down the website used to sell NetWire, including the identity of its owners, is currently limited.

Following the announcement, cybersecurity journalist Brian Krebs wrote an article where he linked the worldwiredlabs.com website to a person named Mario Zanko using publicly accessible DNS records, WHOIS website registration data, information provided by a service that indexes data exposed in public database leaks, and even a Google+ profile.


The U.S. government has seized a website used to sell NetWire malware, which is designed to spy on computers and cellphones. The malware has been used by hackers for years, and cybersecurity companies, as well as at least one government agency, have written reports on it. NetWire was marketed on a website that appeared to be a legitimate remote administration tool. However, the U.S. Attorney’s Office in the Central District of California alleges that the website was used for international money laundering, fraud, and computer crimes.

The FBI determined that NetWire was a Remote Access Trojan (RAT) malware and not a legitimate app to administer remote computers. To test the capabilities of the malware, the FBI used NetWire’s Builder Tool to construct a customized instance of the RAT, which was installed on a Windows virtual machine controlled by the agent. During this process, the NetWire website never required the FBI to confirm ownership of the test victim machine that the FBI attacked.

Based on this experiment, the FBI concluded that the owners of NetWire never bothered to check that their customers were using it for legitimate purposes on computers they owned or controlled. The FBI computer scientist tested all of NetWire’s functionalities, including remotely accessing files, viewing and force-closing apps, exfiltrating stored passwords, recording keystrokes, executing commands via prompt or shell, and taking screenshots.

The infected computer never displayed a notice or alert that these actions were taking place, unlike legitimate remote access tools, which typically require consent from the user before performing specific actions on the user’s behalf. The FBI received a complaint from a U.S.-based victim of NetWire in August 2021, but the identity of the victim and the details of the case were not included.

The U.S. Attorney’s Office of the Central District of California spokesperson, Ciaran McEvoy, stated that there were no other public documents available on the case, and the information about the operation to take down the website used to sell NetWire, including the identity of its owners, is limited at this point. The DOJ announced that Croatian authorities arrested a local citizen who allegedly ran the website but did not disclose the suspect’s name. Cybersecurity journalist Brian Krebs used publicly accessible DNS records, WHOIS website registration data, and information provided by a service that indexes data exposed in public database leaks to link the worldwiredlabs.com website to a person named Mario Zanko.
