NetWire Remote Access Trojan Being Spread by Phishing Campaign

Stu Sjouwerman | Oct 1, 2019

Researchers at Fortinet have come across a phishing campaign delivering a new version of the NetWire remote access Trojan (RAT). The phishing emails claim to contain invoices and encourage recipients to click on the attached PDF. The bottom of the email has an image of a PDF attachment which is actually a hyperlink to download the malware. When a victim tries to open the attachment, their computer will be infected with NetWire.

Once the RAT is on a system, it functions as a keylogger and sends a wide variety of information about the victim’s activity and device to the attacker. It also steals credentials stored by Chrome, Firefox, Opera, Outlook, and other browsers and services. Additionally, it can read, write, and delete data on the victim’s computer. It’s also worth noting that the new variant of NetWire uses an assortment of anti-sandboxing and anti-debugging techniques to prevent it from being analyzed.

This phishing campaign shows why users need to be able to spot suspicious emails right off the bat. Most people wouldn’t think to hover over a PDF attachment to check for a link before clicking on it. However, a vaguely worded email regarding an unexpected invoice could have put users on high alert before they tried to open the attachment. New-school security awareness training can teach your employees to constantly be on the lookout for signs that an email is fraudulent.
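The "hover over the attachment" check can also be automated at the mail gateway. The following is an added example, not code from Fortinet or from this post: it flags HTML emails in which an image posing as a file is wrapped in a remote hyperlink while the message carries no real PDF part. The keyword list, function names and sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

LURE_WORDS = ("pdf", "invoice", "attach")  # assumed hints that an image poses as a file

class LinkedImages(HTMLParser):
    """Record (href, src, alt) for every <img> nested inside an <a href>."""
    def __init__(self):
        super().__init__()
        self.open_hrefs, self.found = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.open_hrefs.append(a.get("href") or "")
        elif tag == "img" and self.open_hrefs and self.open_hrefs[-1]:
            self.found.append((self.open_hrefs[-1], a.get("src") or "", a.get("alt") or ""))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()

def fake_attachment_links(raw: bytes) -> list:
    """Return remote link targets hidden behind attachment-looking images."""
    parts = list(message_from_bytes(raw, policy=policy.default).walk())
    # If a real PDF part exists the icon may be genuine; the lure carries none.
    if any(p.get_content_type() == "application/pdf"
           or (p.get_filename() or "").lower().endswith(".pdf") for p in parts):
        return []
    hits = []
    for p in (p for p in parts if p.get_content_type() == "text/html"):
        finder = LinkedImages()
        finder.feed(p.get_content())
        for href, src, alt in finder.found:
            poses_as_file = any(w in f"{src} {alt}".lower() for w in LURE_WORDS)
            if poses_as_file and href.lower().startswith(("http://", "https://")):
                hits.append(href)
    return hits

def build_sample(html: str, with_pdf: bool = False) -> bytes:
    """Constructed test message; not taken from the campaign."""
    m = EmailMessage()
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative(html, subtype="html")
    if with_pdf:
        m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```

A hit is a triage signal rather than a verdict: legitimate mail sometimes links file icons to document portals, so the returned URLs should feed reputation checks or analyst review.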

Fortinet has the story: https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html
