LTS Secure Warning: Enterprise Users Being Targeted In New NetWire RAT Campaign

Researchers have identified a new campaign targeting enterprise users with fake business emails to deliver the NetWire RAT. First discovered in 2012, the malware has been constantly upgraded by its developers with new features and is sold on underground forums.


Technical Details

  • The mail contains an IMG file which, when clicked, extracts the executable containing the RAT.
  • The RAT then makes use of task scheduling in order to establish persistence.
  • Registry keys are then created to aid the transfer of the victim’s sensitive/confidential data to the malware’s C&C server over TCP 3012.
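
An added example, not from the original advisory: a triage pass over endpoint telemetry that flags hosts with outbound TCP 3012 connections and raises the severity when a scheduled task was created on the same host within 24 hours. The log schema, host names, addresses and the 24-hour window are constructed assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

C2_PORT = 3012                 # TCP port named in the advisory
WINDOW = timedelta(hours=24)   # assumption: how close the two events must be

# Constructed sample telemetry (hypothetical schema: time,host,event,detail).
SAMPLE = """\
2024-01-10T09:01:00,WS-014,image_mount,invoice.img
2024-01-10T09:01:40,WS-014,task_create,Updater
2024-01-10T09:02:10,WS-014,net_conn,tcp;203.0.113.7;3012
2024-01-10T10:15:00,WS-022,net_conn,tcp;198.51.100.9;443
2024-01-10T11:30:00,WS-031,net_conn,tcp;203.0.113.7;3012
2024-01-02T08:00:00,WS-031,task_create,Backup
2024-01-10T12:00:00,WS-040,net_conn,udp;192.0.2.5;3012
"""

def triage(log_text):
    """Return {host: 'high' | 'review'} for hosts with outbound TCP 3012."""
    tasks, hits = {}, {}
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, event, detail = row
        when = datetime.fromisoformat(ts)
        if event == "task_create":
            tasks.setdefault(host, []).append(when)
        elif event == "net_conn":
            proto, _dst, port = detail.split(";")
            if proto == "tcp" and int(port) == C2_PORT:
                hits.setdefault(host, []).append(when)
    verdicts = {}
    for host, conns in hits.items():
        # Persistence and C&C traffic close together match the chain above;
        # port 3012 alone is only a lead, since other software may use it.
        paired = any(abs(c - t) <= WINDOW
                     for c in conns for t in tasks.get(host, []))
        verdicts[host] = "high" if paired else "review"
    return verdicts

if __name__ == "__main__":
    for host, level in sorted(triage(SAMPLE).items()):
        print(host, level)
```

Events are collected per host before pairing, so out-of-order log lines do not affect the verdict.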



  • Logs the user’s keystrokes.
  • Takes screenshots of the desktop.
  • Uploads and executes payloads on the infected machines.
  • Steals sensitive/confidential information such as login credentials for banking sites, cookies, etc.


Recommended Actions

  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Never download any suspicious attachments or click on any shady-looking link. Make an effort to educate your users on how to identify mal-spam.
  • Configure your Firewall/IDS/IPS/Endpoint Protection systems properly so that no holes are left open.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.