New WiryJMPer Dropper Hides Netwire RAT Payloads in Plain Sight

A new malware dropper was spotted infecting computers with a Netwire malicious payload concealed between two benign binaries, evading most anti-malware solutions.

“WiryJMPer is a seemingly ordinary dropper with unusual obfuscation. It uses two benign binaries with superfluous jumps and dead branches sandwiched between the binaries to hide its virtual machine, protecting its Netwire payload,” found Avast researchers Adolf Středa and Luigino Camastra.

NetWire (also known as Recam or NetWiredRC) is a Remote Access Trojan (RAT) in use since 2012. It provides remote-control functionality with a focus on keylogging and password theft, allowing attackers to access and remotely control victims' PCs.

The suspicious binary

The researchers first noticed that the loader was roughly three times the size of the ABBC Coin wallet binary it used as a front.

It also came with other red flags, such as the use of strings taken from the WinBin2Iso 3.16 executable built by SoftwareOK. The fact that WinBin2Iso is a binary image converter while ABBC Coin is a blockchain-based cryptocurrency makes WiryJMPer even more suspicious.

On closer inspection using behavioral analysis, the Avast researchers found that the unusual binary was not the ABBC Coin wallet at all but the malware dropper they named WiryJMPer.

WiryJMPer’s workflow

A stack-based virtual machine

The victim's machine is infected using a flashy but not unusual trick: program windows are displayed in the background to distract the user while the Netwire payload is dropped.

“The first phase of the payload appears innocently as a WinBin2Iso binary with a suspiciously big .rsrc segment,” the researchers explain. “The JMP instruction, usually included in a window-handling loop, goes to a .rsrc section where a roller-coaster control flow starts.”
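The two indicators quoted above, an oversized .rsrc section and a jump whose target lands inside .rsrc, are things an analyst can check mechanically from the PE section table. The script below is an added example written for this article, not Avast's tooling and not code from the WiryJMPer sample. It parses the section headers of a PE image with nothing but the standard library, maps a given RVA (for example a JMP target noted in a disassembler) to the section that contains it, and flags a .rsrc section that is marked executable or that dominates the file. The 50% size threshold and the executable-flag check are assumptions chosen for illustration; the article does not state WiryJMPer's exact section flags or sizes. The sample image is constructed in `build_sample` and contains headers only, which is all the parser needs.

```python
import struct

# Section-header flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, table + i * 40)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "characteristics": fields[9],
        })
    return sections


def section_for_rva(sections: list, rva: int):
    """Name of the section containing an RVA (e.g. a JMP target), or None."""
    for s in sections:
        start = s["virtual_address"]
        if start <= rva < start + s["virtual_size"]:
            return s["name"]
    return None


def assess(data: bytes, rsrc_ratio: float = 0.5) -> list:
    """Return a list of findings about .rsrc; an empty list means nothing looked odd."""
    sections = parse_sections(data)
    findings = []
    total_raw = sum(s["raw_size"] for s in sections) or 1
    for s in sections:
        if s["name"] != ".rsrc":
            continue
        # Resource data normally never needs execute permission (assumed heuristic).
        if s["characteristics"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(".rsrc is marked executable/code")
        # A resource section that dwarfs the code is the "suspiciously big .rsrc" signal.
        if s["raw_size"] / total_raw > rsrc_ratio:
            findings.append(".rsrc holds %.0f%% of the file's section data"
                            % (100 * s["raw_size"] / total_raw))
    return findings


def build_sample(rsrc_size: int, rsrc_executable: bool) -> bytes:
    """Constructed header-only PE32 image with a .text and a .rsrc section (test data, not a real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    optional = bytes(0xE0)  # contents not needed for section-table parsing
    text = struct.pack(SECTION_HDR, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    rsrc_flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    if rsrc_executable:
        rsrc_flags |= IMAGE_SCN_MEM_EXECUTE
    rsrc = struct.pack(SECTION_HDR, b".rsrc", rsrc_size, 0x2000, rsrc_size, 0x1400,
                       0, 0, 0, 0, rsrc_flags)
    return bytes(dos) + b"PE\0\0" + coff + optional + text + rsrc


if __name__ == "__main__":
    for label, image in (("benign", build_sample(0x800, False)),
                         ("suspect", build_sample(0x20000, True))):
        secs = parse_sections(image)
        print(label, assess(image) or ["no findings"],
              "jump target 0x2100 lands in", section_for_rva(secs, 0x2100))
```

A large .rsrc on its own is common in legitimate software that embeds icons, dialogs or localized strings, so the size ratio is a triage hint rather than a verdict; control flow that leaves the code section for .rsrc, which `section_for_rva` exposes, is the stronger signal and is what warrants the kind of behavioral analysis the article describes.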

The next step displays a responsive WinBin2Iso window, which is almost immediately replaced by a new ABBC Coin wallet window, a behavior the researchers observed every time WiryJMPer was launched.

“The combination of control flow obfuscation and low level code abstraction made the analysis of the malware’s workflow rather tedious,” Avast’s report adds.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.